Israel-Based Vendor Cellebrite Can Unlock Every iPhone, including the Current-Gen iPhone X, That's On the Market: Forbes

Cellebrite, an Israel-based company, knows of ways to unlock every iPhone that's on the market, right up to the iPhone X, Forbes reported on Monday, citing sources. From the report: Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11 . That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

The Israeli firm, a subsidiary of Japan's Sun Corporation, hasn't made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren't authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company's literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11." Separately, a source in the police forensics community told Forbes he'd been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple's newest devices worked in much the same way.

It's a bit disturbing to me

Our government works so hard to bypass security protocols for consumer technology. OK, so perhaps I'm naive. But a government what works for it's citizens should not be so focused on breaking into our computers without due process. (thank you Patriot Act).

Re:It's a bit disturbing to me

[alvinrod]

A government that worked for its people would be helping companies like Apple, Google, etc. to harden their security systems instead of trying to pry into them. That may make it more difficult for law enforcement to arrest or convict a few people, but it does significantly more to protect citizens from scammers and other threats.

I'd like to think that if the intelligence agencies devoted their time and effort to helping companies identify security weaknesses and shore them up, we wouldn't be seeing massive data breaches every few months.

Re:It's a bit disturbing to me

[viperidaenz]

Your government isn't working hard to bypass iPhone security.

They just paid a private company to do it for them. Doesn't sound like they have any need to focus on it at all.

Re:It's a bit disturbing to me

[dj245]

Our government works so hard to bypass security protocols for consumer technology. OK, so perhaps I'm naive. But a government what works for it's citizens should not be so focused on breaking into our computers without due process. (thank you Patriot Act).

Israel's approach to cybersecurity is very different than the USA. Firstly, a majority of citizens must serve in the military for around 2-3 years. The cybersecurity division of their armed forces is quite substantial. Then, many if not most of those trained individuals are turned loose in the private sector. The skills learned in the military are very transferable to private practice, even if the exact vulnerabilities that a servicemember found in the military are classified and can not be used. Is it any surprise that Israel has a comparatively high percentage of cybersecurity companies?

The US system appears to work mostly in reverse (to an outside observer). The NSA and other agencies find vulnerabilities and then keep them secret. Turnover to and from the private sector isn't as high as the Israeli system. The US military sector does a comparatively worse job training these skills and distributing them to the market, where they may do more good than spying on Angela Merkel.

Re:It's a bit disturbing to me

In the real world the gov't protects the gov't. Your lost privacy is their gain.

Re:It's a bit disturbing to me

[BronsCon]

Until your friend pranks you and you jokingly text them "I'm gonna kill you for that" in response and they end up dead a day or two later.

Welcome to a murder 1 charge with pretty damning evidence against you, all because you didn't think privacy was important.

In fact, it is those very situations that our guarantee of privacy from government snooping absent due process is intended to prevent.

Re:It's a bit disturbing to me

[gnick]

Until your friend pranks you and you jokingly text them "I'm gonna kill you for that" in response and they end up dead a day or two later.

Make a joke about an FBI "secret society" and there'll be hell to pay.

Re:It's a bit disturbing to me

[jwhyche]

I'd like to think that if the intelligence agencies devoted their time and effort to helping companies identify security weaknesses and shore them up, we wouldn't be seeing massive data breaches every few months.

You would like to think that but lets make no bones about it. The intelligence and LEA agencies are here for one purpose only. Keeping those in power, in power. Doesn't matter if they deserve it or not. They may operate under the guise of "protecting the country" but when it comes right down to it, its the same thing as keep those in power in power.

Re:It's a bit disturbing to me

[MBGMorden]

Meh - this is fine. They still need due process (eg, a warrant) - this just gives them the technical ability to get into a phone that they have the legal right to do so.

I'm not at all for building INTENTIONAL backdoors into the software (and whatever hole in the security this company is using to gain access I'd hope Apple soon finds and closes), but if they have their warrant I have no issue with them hacking into the phone if they can figure it out. IMHO it's the same as cutting the lock off of a door to gain entry to a building they've secured a warrant to.

Re:It's a bit disturbing to me

[StormReaver]

These tools may allow a locked phone to be searched after a search warrant is issued.

Or, more likely, allow the FBI/NSA to bypass the warrant entirely by saying, "We didn't do it. A private company, not subject to the constraints of warrants, did it. We just happened to stumble upon the results." They're quite fond of Parallel Construction and its bastard children.

Re:It's a bit disturbing to me

[Trogre]

And now they've conned gullible liberals into taking away your guns so you can't fix it like you were supposed to.

On The Bright Side...

[TechyImmigrant]

At least there are plenty of us who are working on unbreakable hardware primitives in silicon that will keep these bastards at bay. It's about as nontrivial as it gets and we and many other have been at it for several years. The endpoint is pretty clear though. We will prevail.

Forbes is a total rag these days

[kalpol]

No source checking and very little editing of their crowd-sourced articles. I have not seen this claim reported by any legitimate sources.

Re:Forbes is a total rag these days

[msmash]

I agree with your general assessment of Forbes. They do have a contributor program which many people have been abusing for years by writing misleading articles. However, this particular story is written by a full-time staff reporter there. It's his scoop, and many reputed security journalists have shared it on social media, lending it more credibility. (Also, in general, we avoid linking back to Forbes because of its annoying daily quote thingy and stand on adblockers.) Opinion on Forbes is mine and it does not reflect the views of other people on Slashdot's staff.

Re:Forbes is a total rag these days

Normally I'd agree with you over msmash, but not after having gone through Israeli security at one of the smaller regional airports (SDV). I've seen/had them use the tools on me. I had an Indonesian visa in my passport among others, and a very old photo with long hair. I guess I set off some red flags.

At security they confiscated my iPhone 6, which had the boarding pass pulled up in my email app. When I got it back it was the last email I sent to my father. For whatever reason they couldn't also use the tools to get in to my iPad 2 (with the old connector, in a short amount of time), and made me unlock it as well as prove the camera and microphone both worked.

I made the flight. Actually a much earlier flight because no one noticed or pointed out I accidentally booked for 7:30 PM instead of AM (they are on 24 hour time though). All around kind of unsettling and just another odd, one off travel story. The whole thing happened in under a half an hour and I was on my way despite panicking over missing the flight. It's anecdotal and I'm not presenting it as anything other than my personal experience, but it left quite the impression on me.

They're really not that good. Private company

[raymorris]

>. I'd like to think that if the intelligence agencies devoted their time and effort to helping companies identify security weaknesses and shore them up, we wouldn't be seeing massive data breaches every few months.

That sounds nice, but it really wouldn't matter. Note "the intelligence agencies" can't hack iPhones, it's a private company that can. The people a the intelligence agencies really aren't that smart. It's nothing AT ALL like the movies. It's people who got a certificate in cyber security but couldn't get a job in the private sector, which pays better (but expects you to know wtf you're doing). You think Google wastes a lot of time talking about PC bullshit? You should see government! Government doesn't hire the best people. They hire the "disadvantaged" people.

Many, many private companies are in the business of "helping companies identify security weaknesses and shore them up". Heck you can get services from companies like Alert Logic for tens of dollars per month; does your company have static analysis and daily scans?

Re:They're really not that good. Private company

[easyTree]

Paradox alert!

Re:They're really not that good. Private company

[alvinrod]

I think it really depends upon which intelligence agency we're talking about. There's probably your rank and file bottom feeders that couldn't find their ass with a map and a flashlight, but that's true of any organization and I'm pretty sure that anyone working in the private sector can point to several pristine examples of such individuals. However, there are also some government types that create things like Stuxnet and do some other nasty bits of work that the public will never hear about, so there are clearly a few competent individuals working for the government.

I don't think government intelligence agencies would be a complete replacement for private sector companies, but there are clearly cases where the government is contracting with some private company or has legislated that citizens are required to use some service provided by a third party. The government should certainly work to ensure that those organizations don't have any glaring security holes.

Re:BDS

[PopeRatzo]

There is a reason they have been expelled over three hundred times.

Don't confuse the Jewish people with the corrupt government and intelligence apparatus of Israel. There is a reason Netanyahu has been referred for criminal prosecution.

Re:Multi million dollar stolen phone market

[Bill+Hayden]

This company has ways to get at the data stored on the phone, not to remove the iCloud lock and reactivate. Activating an iPhone goes through Apple, so there's really no way around this.