Apple and the FBI were engaged in a massive fight over encryption in the early part of 2016, following the December 2015 mass shooting in San Bernardino. A husband and wife shot and killed more than a dozen people, and then they died in the ensuing fight with the police. They left behind an iPhone 5C running iOS 9, the latest operating system available for iPhone and iPad at the time. The government wanted to gain access to the phone to see if it could determine any links between the two shooters and the Islamic State, but it could not break the encryption. The FBI attempted to have a court force Apple to create a backdoor in iOS that would allow it to retrieve whatever data sat behind the lock-screen passcode. Apple fiercely opposed that order, explaining that it doesn’t have a backdoor into iOS, and that creating one would be a massive security risk for all iPhone users.
In the months that followed, the FBI said it had found a way to get past the iPhone 5C’s encryption and backed away from the case. Apple won the argument over encryption back then, but governments worldwide have been trying to push backdoor legislation ever since. The FBI later confirmed it paid $900,000 for the exploit that allowed it to get into the iPhone, but didn’t disclose how the exploit worked. After unlocking it, the FBI did not find any helpful information on the shooters’ iPhone 5C. Experts in the field believed Israeli firm Cellebrite came up with the hack, but that was never confirmed. It seemed we’d never learn the truth, but a new report might finally reveal the true story of how the FBI broke the iPhone’s encryption.
An investigation from The Washington Post says that white-hat security research company Azimuth was responsible for developing a chain of iOS vulnerabilities that could be used to bypass the lock screen of an iPhone.
The report reminds us that iOS 9 deployed a security feature that would block attempts to brute-force a passcode. Brute-forcing means guessing the iPhone’s four-digit PIN with a program that tries every possible combination; before iOS 9, this could be done in about 25 minutes.
The FBI had only 10 attempts on the shooters’ iPhone 5C before the software would erase the device’s contents. That’s where Azimuth came into play:
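To make the numbers above concrete, here is an added example (not from the report, and not Apple’s code): a small Python model of a four-digit PIN space and of the erase-after-10-failures policy. The per-guess delay of 0.15 s is an assumption chosen because it is what turns 10,000 guesses into the roughly 25 minutes the article cites.

```python
# Constructed model of the iOS 9 passcode protections described in the text.
# Not Apple's implementation; the per-guess delay is an assumed value.

PIN_SPACE = 10_000       # four-digit PIN: "0000".."9999"
MAX_FAILURES = 10        # device erases itself on the 10th wrong guess
ATTEMPT_DELAY_S = 0.15   # assumed cost per guess; 10_000 * 0.15 s = 25 min


class PasscodeGuard:
    """Simulated lock screen enforcing the erase-after-N-failures rule."""

    def __init__(self, pin, max_failures=MAX_FAILURES):
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0
        self.wiped = False

    def try_pin(self, guess):
        """Return True on a correct guess. Once wiped, every guess fails."""
        if self.wiped:
            return False
        if guess == self._pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.wiped = True        # data is gone; further guesses are pointless
        return False


def exhaustive_time_s(space=PIN_SPACE, delay=ATTEMPT_DELAY_S):
    """Worst-case seconds to walk the whole PIN space with no lockout (pre-iOS 9)."""
    return space * delay


def guess_coverage(max_failures=MAX_FAILURES, space=PIN_SPACE):
    """Fraction of the PIN space that can be tested before the wipe triggers."""
    return max_failures / space


def simulate_guessing(guard, space=PIN_SPACE):
    """Walk the PIN space in order against a guard until success or wipe.
    Returns (found_pin_or_None, attempts_made, wiped)."""
    for n in range(space):
        guess = f"{n:04d}"
        if guard.try_pin(guess):
            return guess, n + 1, False
        if guard.wiped:
            return None, n + 1, True
    return None, space, guard.wiped
```

With the wipe policy in place, an in-order walk of the space reaches at most 10 guesses (0.1% coverage) before the device erases itself, which is why the exploit chain had to disable that feature before any brute-forcing was useful.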
Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, ‘can pretty much look at a computer and break into it.’ One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for ‘jailbreaking’ or removing the software restrictions of an iPhone.
Dowd had found a bug in open-source code from Mozilla even before the San Bernardino events. Apple relied on Mozilla’s software to allow accessories to be plugged into the iPhone’s Lightning port.
Wang used the Mozilla bug to create an exploit that allowed initial access to the phone. A different bug was then used for “greater maneuverability.” A final exploit gave them complete control over the phone’s processor. Brute-force software was then used to try all possible passcode combinations, bypassing the security feature that would erase the device’s storage after 10 failed attempts. The exploit chain was named Condor.
The researchers tested the tool on a dozen iPhone 5C devices, including phones that were bought on eBay. They then showed Condor to the FBI, and agency experts tested Condor on other devices to ensure it would work. Every test was successful, and that’s how Condor netted Azimuth a $900,000 payout.
The report notes that FBI officials were relieved but disappointed that they could not advance the encryption backdoor fight. Separately, Apple might be unhappy with security experts building tools that could be used to break into its devices. But the Post explains Azimuth’s success helped Apple, as the company never had to face a court order to build a backdoor into that particular iPhone 5C, which would have set a dangerous precedent.
Mozilla never knew a security bug in its software was used to advance the iPhone 5C hack. The company patched the problem about a month after the FBI unlocked the iPhone 5C, rendering the flaw useless. Without that bug, the whole chain of exploits would not have worked.
Apple never knew who was responsible for the hack either, but came close while suing a different security research firm, one whose product lets security researchers run virtual iPhones on a desktop. Wang co-founded that firm, Corellium, in 2017. The full report is worth a read, as it provides more background on the San Bernardino events, as well as on the Apple vs. Corellium legal battles, which are unrelated to the 2016 iPhone 5C hack.