Chip Somodevilla / Getty Images
SAN FRANCISCO — The Justice Department’s announcement that it had found an “outside party” to help the FBI unlock a phone used by one of the gunman in the San Bernardino attacks may have averted a fierce clash between the government and one of the world’s most valuable tech companies — but among cybersecurity experts a more intriguing question loomed: who was the mysterious outsider who had managed to crack the Apple iPhone’s much-vaunted security?
In a briefing with reporters Monday, a law enforcement official said that an outside party came to the FBI on Sunday, adding that the publicity surrounding the case had prompted many to contact the FBI and present avenues by which they could hack into the phone. The official confirmed that the party came from outside the U.S. government, quieting speculation that the NSA might use one the methods in its toolbox to hack into the phone for the FBI. The official would not say whether the party was domestic or foreign.
Apple told BuzzFeed News on Monday that they had no information on the government’s claims of being able to unlock the phone.
Cybersecurity and encryption experts immediately began speculating over who the outside party might be. At least one Israeli mobile forensic company, Cellebrite, ranked high on the list of likely suspects. In 2013, Cellebrite signed a sole-service contract with the FBI to provide assistance through its data extraction tools. According to the Cellebrite site, and brochure materials they have handed out at conferences, the company can extract data from Apple phones that use up to the most recent version of the iPhone operating system.
A company spokeswoman based at their headquarters in central Israel referred BuzzFeed News to their New Jersey offices, who said the company could not comment on the recent Apple vs. FBI case, and whether they had any involvement in providing a solution to the FBI.
A Cellebrite employee, who asked to remain nameless as he had not been authorized to speak to press, confirmed that Cellebrite’s contract with the FBI was still in effect and that there was “regular cooperation and dialogue” over how they could assist U.S. law enforcement teams.
“There is a solid relationship, built on years of working together. They know our methods work,” the Cellebrite employee said. He would not comment on whether his company was the unnamed “outsider” who showed the FBI how to hack the San Bernardino shooter’s phone.
At least half a dozen other companies, and independent cybersecurity experts, also claim to have a method by which they could hack into an iPhone of the make and model as the one used by one of the San Bernardino attackers
Independent cybersecurity researchers believed that the method presented to the FBI and most likely in use is the NAND mirroring technique, which involves making numerous copies of the storage chip that would allow law enforcement officials to use programs that try and retry passwords until finding the correct one, a process known as a brute force attempt to unlock a phone. Law enforcement officials say they currently cannot try and brute force the phone to unlock, as they don’t know whether the phone is programmed to erase itself after a certain number of attempts.
Jonathan Zdziarski, a prominent iPhone forensics expert, described the process on his blog as follows: “the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations. It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”
There are other methods being floated, but the NAND method appears to be the most popular among cybersecurity experts who have studied Apple’s technology. The question, however, is how it took the government this long to discover a method that has been widely discussed by cybersecurity experts since the Apple vs. FBI case first gained publicity over a month ago.
A Department of Justice (DOJ) spokeswoman told Ars Tehnica that the government only learned of the technique by which it could unlock the phone on Sunday, and told the site, “We must first test this method to ensure that it doesn’t destroy the data on the phone, but we remain cautiously optimistic.” A DOJ spokesperson did not respond to a request for comment from BuzzFeed News.
Cybersecurity experts who spoke to BuzzFeed News said they found it highly suspicious that the FBI would announce finding an alternative means into the phone one day before they were set to hold a high-profile hearing with Apple, terrorism experts, cryptographers, and others in Riverside, California.
“I think they balked, they thought they had their perfect test case but then saw this wasn’t the one to win,” said one former FBI officer, who spoke off-record as he is currently involved in a contract with a separate government agencies which prevents him from speaking to press. “They have other test cases coming up, so this isn’t the end of it.”
With more than a dozen cases currently winding their way through the courts which could see law enforcement officials request assistance in unlocking phones, and with Apple promising to double-down on efforts to make its phone impossible to breach, cryptographers say the inevitable privacy vs. security battle will only continue to make headlines.