Shadowy hacking industry may be helping FBI crack an iPhone
Turns out there’s a shadowy global industry devoted to breaking into smartphones and extracting their information. But you’ve probably never heard of it unless you’re a worried parent, a betrayed spouse — or a federal law enforcement agency.
Now one of those hacking businesses may well be helping the FBI try to break into the iPhone of one of the San Bernardino killers.
Late Monday, the FBI abruptly put its legal fight with Apple on hold, announcing that an “outside party” had come forward with a possible way to unlock the phone. In an update for reporters Thursday, FBI Director James Comey said the method “may work.” If so, it could render Apple’s forced cooperation unnecessary.
The announcement has thrown a spotlight on a group of digital forensics companies, contractors and freelance consultants that make a living cracking security protections on phones and computers. Comey said the publicity around the Apple case encouraged such people to come forward with new ideas.
Most such companies keep a very low profile. Since the bulk of their business is with governments and law enforcement, there’s no reason for them to advertise their services. In addition, it’s in their interest to keep exactly what they do under wraps, said Christopher Soghoian, principal technology expert for the ACLU.
“The companies won’t share their secrets. It’s their special sauce,” Soghoian said. “And they certainly won’t tell Apple how they’re doing what they’re doing.”
For the moment, no one outside the Justice Department appears to know who the FBI’s white knight is. A great deal of speculation centers on Cellebrite — an Israel-based forensics firm that says it does business with thousands of law enforcement and intelligence agencies, militaries and governments in more than 90 countries — though it remains one of several possible candidates. A company spokesman declined to comment.
Many security researchers think that might work, though no one has announced success or demonstrated it on an iPhone running iOS 9 or higher. Rook, however, suspended its efforts when it couldn’t find a way to take the phone apart without damaging it.
Cellebrite, founded in 1999, has contracts with the FBI dating back to at least 2013. The firm makes devices that allow law enforcement to extract and decode data such as contacts, pictures and text messages from more than 15,000 kinds of smartphones and other mobile devices.
In the cybersecurity arms race, Apple has managed to stay ahead of these forensics companies. Cellebrite’s website says its commercial tools work with iPhones running older operating systems, including iOS 8, but not the latest version, iOS 9, which is on the San Bernardino phone.
Of course, it’s possible that one of these companies has made a breakthrough.
“Anything is crackable — it’s just how much time do you have and how much money do you have to spend,” said Jeremy Kirby, sales director at Susteen, a Cellebrite competitor in Irvine, California, that says it’s not the FBI’s outside party.