How The FBI Might Be Getting Into The San Bernardino Shooter’s iPhone

Experts agree: It's the thing they've been saying for weeks

(Photo Illustration: Tara Jacoby)
Mar 24, 2016 at 10:04 AM ET

Less than 48 hours after the FBI made the stunning claim that actually, maybe it didn’t need Apple’s help breaking into deceased terrorist Syed Farook’s iPhone 5c, experts have pieced together what likely happened.

In a motion to delay the trial while the FBI tried a new method to access the iPhone’s data, U.S. Attorney Eileen Decker wrote that on Sunday, “an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone,” and that if it worked, it would quit trying to force Apple to help. That’s a major development, as a government demand that Apple hack its own phones for law enforcement—CEO Tim Cook called the method “the software equivalent of cancer”—would likely set a precedent for countless similar cases.

According to a joint report from Reuters and the Israeli news site Ynet, that outside party is reportedly Cellebrite, an Israeli company that specializes in doing phone recovery work for law enforcement agencies. That’s not much of a stretch, as the company gets regular contracts from the FBI—at least $2 million worth since 2012. On Twitter, Cellebrite’s own employees are winking at being called out as the firm in question.

And what about what Cellebrite can do? There are a number of theories floating around the internet, but most experts agree that either there’s a remarkable, previously unknown security flaw that lets an attacker in, or a known, fairly specific other means called “NAND mirroring.”

Recall that Apple wasn’t ever ordered to actually break into Farook’s phone itself. Instead, the FBI tends to hack suspects’ phones protected with a four-digit passcode by brute forcing them, meaning it will simply guess every single number, from 0000 to 9999, until it hits the right one. Farook’s phone, however, had enabled a feature that would permanently erase the key to decrypt the phone’s contents if someone entered the wrong code 10 times in a row. So what the FBI wanted Apple to do was find away around that failsafe, by, for example, creating a fake software update that would undo that security setting. It’s worth noting that Apple’s later phones—anything with an A7 chip or later—come with coprocessor called Secure Enclave that protects against this hack.

This wouldn’t be an issue, however, if someone could take Farook’s phone’s NAND flash memory, which holds the unique key to decrypt a phone’s contents, host a copy somewhere else, and then start guessing. If it guesses incorrectly too many times and has to start over, well, then you just back the flash memory from that phone up again and try again. Once you’ve guessed the code on the backup, you can use it on the real thing without fear of erasing the device’s data. As Jonathan Zdziarski, a security researcher who specializes in iOS forensics, wrote on his blog“This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.”

Dan Gilmore, a technologist at the ACLU, has made the same argument. Even Congressman Darrell Issa (R-Calif.) said in a hearing with FBI Director James Comey that “you can make 10,000 copies of this chip, this non-volatile memory hard drive, then you can perform the attacks as you want on it.”

Neither Cellebrite nor the FBI has responded to request for comment. If it’s true, however, it’s embarrassing for the Department of Justice, which claimed 19 times that Apple was the only entity that could help with Farook’s phone.