You are here

You are here

Your iPhone is not secure: Cellebrite UFED Premium is here

Richi Jennings Your humble blogwatcher, d/b/a RJA
Locked iphone

Think your iPhone or iPad is secure from prying eyes? Think again.

Companies such as Cellebrite, with its Universal Forensic Extraction Device (UFED), operate lucrative businesses helping people around the world to unlock your devices. Of course, Cellebrite promises to only sell to legit law enforcement, but then what?

Once that genie is out of the bottle, how can they contain it? In this week’s Security Blogwatch, we wish for more wishes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mr. Postman.


What’s the craic? Andy Greenberg—Cellebrite Says It Can Unlock Any iPhone for Cops:

Not so long ago, companies that cracked personal devices on behalf of governments did so in secret. … Now, it seems, they proudly tweet about [it] like a videogame firm offering an expansion pack.

Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as … UFED Premium. … It says that the tool can now unlock any iOS device [and] many recent Android phones.

The announcement follows a move from Apple last fall to add new security measures that crippled another iPhone-unlocking tool, the GrayKey devices, sold by the Atlanta-based company Grayshift. … More surprising … observers of the iOS arms race say, is how publicly Cellebrite is trumpeting its new tool.

Neither Cellebrite nor Grayshift responded to [my] request for comment. … Neither Apple nor Google immediately responded to a request for comment.

And the Apple fans go wild. Mike Wuerthele says Cellebrite says it can pull data from any iOS device ever made:

Cellebrite now says that it can "perform a full file system extraction on any iOS device." … The company claims that it can determine passcodes and perform unlocks for … Apple devices.

Cellebrite is thought to be the firm that the FBI turned to crack the iPhone 5c of San Bernardino killer Syed Rizwan Farook [despite] active opposition by [Apple]. CEO Tim Cook … argued that the company would have to fundamentally compromise the security of iOS — precisely because backdoors could be leaked.

Cellebrite Chief Marketing Officer Jeremy Nazarian said … "There's nothing inherent in the technology that means it's open to misuse." [But] Cellebrite penetration tools were discovered for sale on the open market in February 2019, belying the assumption that any kind of back door could be kept safe.

Firmly on message, it’s @F1Cyberman:

Sounds awesome. … UFEDs are used strictly by police and military to extract data from a criminal’s phone, to see where they’ve been, to view the messages and calls an attacker has made.

Thousands of cases which would have collapsed have been resolved due to UFEDs.

But could the devices leak and be misused? Foone Turing tests the idea: [You’re fired—Ed.]

So I saw something at the thrift store that's weird so I had to get it. It's a "Cellebrite Touch". It's Wii-U tablet sized (but a bit thicker), but has a bunch of odd things about it, and it turns out it's Very Interesting.

This thing has a lot of rubber around it, because this is a tablet designed to be very rugged. … It turns out this is a Cellebrite UFED … a portable device for collecting data from phones and tablets, intended for intelligence-gathering agencies and law enforcement.

The license is expired [but] the software is still letting me use it. … This thing had the clock reset, so … it thinks the date is 2012 (and therefore my license is still OK).

Weird! Fun! Probably wasn't supposed to end up at … an EcoThrift!

Note to self: Do not fly anywhere with this thing.

As did Kim Bradley—@grufwub:

Cellebrite are a company well-known for supplying law enforcement with mobile phone ‘hacking’ solutions. … I was made aware that … the Cellebrite UFED Touch, had reached ‘end of life’ status. And as a result of this, the devices were appearing in bulk on eBay.

[It] looks like a badly designed Nintendo Switch from 2005. [It] has the internals of a woefully underpowered netbook circa 2007.

But how does it unlock iPhones? Acheron2018 assumes an assumption:

As I understand it they attack the secure element through the USB port. One assumes Apple has not found the exploit. It is possible, likely even, that it is in hardware such that by sending signals across the USB wires that violate the USB protocol the hackers are able to induce a hardware malfunction that can then be further exploited.

This assumption is backed up by the change in iOS 12.3 that physically powers off the USB port after the phone has been locked for a time (30 minutes?). … I believe this puts an enormous crimp in their attack vectors.

The most interesting part of this story is that we get to see first hand the cat and mouse game that is just another day at the office for state sponsored cyber warfare.

Or what about this theory, from _kbh_:

It is much more likely IMO, that they have zero day exploits for something that does not require the phone to be unlocked, eg wireless, 3g/4g, bluetooth. … The radio interfaces do not have total access to the device but they have enough that it is feasible to compromise a device via a compromise of a radio component.

I imagine it has enough access … to pivot to the OS running on the main CPU via a bug in the interface that is exposed for the radio to communicate with the main CPU. From there they would likely have to exploit a number of other bugs to get into the position that they want to be in.

But back to the legal angle: Rajesh Rao—@raorajesh—celebrates due process and reasonable doubt:

Whatever data Cellebrite extracts is unlikely to be admissible in any court. They will never tell exactly how they "unlock and extract" and therefore will never be able to prove they didn't [plant] any "evidence" themselves.

Meanwhile, with a more pragmatic approach, here’s JBMcB:

Think of it this way:

Defense: "What did you do to get into the phone."
Cellebrite: "We have a proprietary procedure."
Defense: "Did you put any code on the phone?"
Cellebrite: "That's proprietary"
Defense: "Did you put data on the phone?"
Cellebrite: "That's proprietary"
Defense: "How do we know you didn't put any evidence on the phone, then?"
Cellebrite: "That's not part of our procedure..."
Defense: "What is your procedure?"
Cellebrite: "We won't tell you."

At that point, the judge will probably toss the evidence, as they have done with cell phone snooping evidence, red light camera evidence, etc.

The moral of the story?

Nothing is secure from physical access: Where there’s a will, there’s an exploit.

And finally

This is Marvel-ous

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Nick Amoscato (cc:by)

Keep learning

Read more articles about: SecurityInformation Security