Slashdot Mirror


Leaked Files Reveal Scope of Cellebrite's Smartphone-Cracking Technology (zdnet.com)

An anonymous reader quotes a report from ZDNet: Earlier this year, we were sent a series of large, encrypted files purportedly belonging to a U.S. police department as a result of a leak at a law firm, which was insecurely synchronizing its backup systems across the internet without a password. Among the files was a series of phone dumps created by the police department with specialist equipment, which was created by Cellebrite, an Israeli firm that provides phone-cracking technology. We obtained a number of these so-called extraction reports. One of the more interesting reports by far was from an iPhone 5 running iOS 8. The phone's owner didn't use a passcode, meaning the phone was entirely unencrypted. The phone was plugged into a Cellebrite UFED device, which in this case was a dedicated computer in the police department. The police officer carried out a logical extraction, which downloads what's in the phone's memory at the time. (Motherboard has more on how Cellebrite's extraction process works.) In some cases, it also contained data the user had recently deleted. To our knowledge, there are a few sample reports out there floating on the web, but it's rare to see a real-world example of how much data can be siphoned off from a fairly modern device. We're publishing some snippets from the report, with sensitive or identifiable information redacted.

2 of 37 comments

  1. Re:painfully lacking on details by Registered+Coward+v2 · · Score: 4, Informative

    The article outlines the general process of how a phone is intercepted and the software is applied, but it obviously does not go into details of how the data is found or transferred. My guess is these portable tablets Cellebrite has developed contain ADB and developer tools to pull off what to a seasoned Slashdotter is just a parlor trick, but to a police department is nothing short of magical CSI hacking. As hackers ourselves we need to ask more questions. What is the inner machination of this tablet? How do we defeat it? Can it defeat password encryption? How about Signal's password-based authentication? Is there a means by which contact lists can be hardened and encrypted? All of these questions are crucial in the next 10 years as most law enforcement does not bother with a warrant when they're halfway through your roadside fishing expedition.

    As I understand it, from what I've read, the software essentially does an unencrypted backup of the phone and then analyzes the data to produce the report. It also appears to only work on older iPhones that do not require a passcode to back up, thus rendering it useless on newer models.

    --
    I'm a consultant - I convert gibberish into cash-flow.
  2. Re:painfully lacking on details by Shoten · · Score: 4, Informative

    The article outlines the general process of how a phone is intercepted and the software is applied, but it obviously does not go into details of how the data is found or transferred. My guess is these portable tablets Cellebrite has developed contain ADB and developer tools to pull off what to a seasoned Slashdotter is just a parlor trick, but to a police department is nothing short of magical CSI hacking.

    As hackers ourselves we need to ask more questions. What is the inner machination of this tablet? How do we defeat it? Can it defeat password encryption? How about Signal's password-based authentication? Is there a means by which contact lists can be hardened and encrypted? All of these questions are crucial in the next 10 years as most law enforcement does not bother with a warrant when they're halfway through your roadside fishing expedition.

    As I understand it, from what I've read, the software essentially does an unencrypted backup of the phone and then analyzes the data to produce the report. It also appears to only work on older iPhones that do not require a passcode to back up, thus rendering it useless on newer models.

    You hit the nail on the head.

    (Love your account name, by the way...epic!)

    For one thing, there was no passcode on the device. That's the reason for no encryption...all iPhones of this generation were encrypted so that you couldn't pull the data directly from memory storage. But since the phone was never locked, it was trivial to simply ask the phone to divulge all of its contents as a backup, which it did. No hacking, no exploitation...just like opening a shoebox to see what's inside.

    For another, you're right in that later models (if locked) would be harder to get into. Starting with one model later...the iPhone 5s...iPhones have had a separate trusted module known as "Secure Enclave." Basically, Secure Enclave is the vault that stores all the cryptographic material. The iPhone puts the keys to all of its eggs in that one basket, and then secures the bejezus out of that basket. The 5s has the A7 processor...and the A7 was the first processor to use Secure Enclave. The iPhone 5 has the A6.

    --

    For your security, this post has been encrypted with ROT-13, twice.
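The two comments above make the same point from the defender's side: a logical extraction is essentially a device backup, so what it yields depends on whether a passcode was set and whether the backup itself is encrypted, and the Secure Enclave (A7 / iPhone 5s onward) is what makes the locked case hard. The following Python is an added example, not part of the article or either comment and not Cellebrite's or Apple's code. It checks a backup manifest for exactly those two properties and flags the article's scenario (no passcode, plaintext backup). The sample manifests are constructed, and the key names `IsEncrypted`, `WasPasscodeSet` and `Lockdown/ProductType` are assumed to follow the layout of an iOS backup `Manifest.plist`; the Secure Enclave cut-off (`iPhone6,x` = iPhone 5s) is taken from the second comment's A6/A7 claim.

```python
import plistlib

# Constructed sample manifests for illustration only; these are not data from
# the leaked reports. The key layout (IsEncrypted, WasPasscodeSet,
# Lockdown/ProductType/ProductVersion) is assumed to match an iOS backup
# Manifest.plist; treat that as an assumption of this example.
UNLOCKED_IPHONE5 = plistlib.dumps({
    "IsEncrypted": False,
    "WasPasscodeSet": False,
    "Lockdown": {"ProductType": "iPhone5,2", "ProductVersion": "8.4"},
})

LOCKED_IPHONE5S_ENCRYPTED = plistlib.dumps({
    "IsEncrypted": True,
    "WasPasscodeSet": True,
    "Lockdown": {"ProductType": "iPhone6,1", "ProductVersion": "9.3.5"},
})


def has_secure_enclave(product_type):
    """True for iPhone 5s (model identifier iPhone6,x, A7 SoC) and later.

    Based on the comment's claim that the A7 was the first iPhone SoC with a
    Secure Enclave; iPhone5,x (iPhone 5 / 5c, A6) returns False. Only the
    iPhone line is modelled here.
    """
    if not product_type.startswith("iPhone"):
        return False
    major = int(product_type[len("iPhone"):].split(",")[0])
    return major >= 6


def assess_backup_manifest(manifest_bytes):
    """Summarise how much a backup-style logical extraction would expose.

    Returns a dict with the raw flags plus 'trivially_extractable', which is
    True in the article's situation: no passcode was ever set and the backup
    is plaintext, so the phone hands over its contents when asked.
    """
    m = plistlib.loads(manifest_bytes)
    lockdown = m.get("Lockdown", {})
    encrypted = bool(m.get("IsEncrypted", False))
    passcode_set = bool(m.get("WasPasscodeSet", False))
    product = lockdown.get("ProductType", "unknown")

    findings = []
    if not passcode_set:
        findings.append("no passcode: device storage was never locked")
    if not encrypted:
        findings.append("backup is plaintext: contents readable directly")
    if not has_secure_enclave(product):
        findings.append("pre-A7 device: no Secure Enclave for key storage")

    return {
        "product_type": product,
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "passcode_set": passcode_set,
        "backup_encrypted": encrypted,
        "secure_enclave": has_secure_enclave(product),
        "trivially_extractable": not passcode_set and not encrypted,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, blob in (("iPhone 5, no passcode", UNLOCKED_IPHONE5),
                        ("iPhone 5s, locked + encrypted backup",
                         LOCKED_IPHONE5S_ENCRYPTED)):
        result = assess_backup_manifest(blob)
        print(label, "->", "exposed" if result["trivially_extractable"]
              else "not trivially extractable")
        for f in result["findings"]:
            print("   -", f)
```

Run against a real `Manifest.plist` from one of your own backups, the same function tells you whether that backup would read like the report in the article; the mitigation on the user side is simply a passcode plus an encrypted backup, which is what the second sample models.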