Cellebrite’s iPhone jailbreak kit allows the company’s customers to access virtually all of the personal data stored on the phone – in some cases, even when the phone is locked.
But the exact capabilities depend on both the iPhone model and the version of iOS it’s running on. We were able to access the user documentation for the latest version of the kit to see what it can do…
Background
Cellebrite makes a range of hardware and software kits designed to unlock and extract the most data from iPhones and Android smartphones.
Some versions are sold to commercial companies, while Cellebrite Premium is theoretically only sold to law enforcement. However, the exact position is unclear. For example, the company recently revealed that it has more than 2,800 US government clients, many of whom are not in what is commonly referred to as “law enforcement.”
US Fish and Wildlife Service investigators often work to prevent a variety of environmental offenses, from illegal logging to hunting without a license. While these are real crimes, they usually do not involve invasive phone hacking tools. But fish and wildlife agents are among a growing pool of government employees who can now hack into encrypted phones and siphon mountains of data with technology bought from surveillance company Cellebrite. […]
The list includes many who are seemingly far from intelligence gathering or law enforcement, such as the Departments of Agriculture, Education, Veterans Affairs and Housing and Urban Development; Social Security Administration; US Agency for International Development; and the Centers for Disease Control and Prevention.
Cellebrite’s other clients include large companies looking to conduct internal investigations and cybersecurity companies.
Cellebrite Premium Kit
The company’s flagship phone hacking kit is known as Cellebrite Premium. This is a hardware and software bundle consisting of:
Cellebrite Premium laptop with preinstalled software
Android adapter
iOS adapter
The software allows users to extract either specific target data (such as messages or photos) or a complete file system that contains almost all user data, including Keychain passwords, which in turn lets the kit’s user access most of the services the phone’s owner uses. Here’s what the company says about it:
By performing a full file system extraction and a physical extraction, you can retrieve much more data than is possible with a logical extraction and gain access to highly secure areas such as iOS Keychain or Secure Folder.
Access to third-party app data, saved passwords and tokens, chat conversations, location data, email attachments, system logs, and deleted content increases your chances of finding incriminating evidence.
Cellebrite’s iPhone Jailbreak Capabilities
Back in February, the company kept its most advanced capabilities in-house, but the web page referring to this has since disappeared, and from the documentation we reviewed, it appears that Cellebrite Premium can now do everything that the in-house Cellebrite Advanced Services (CAS) used to do.
It should be noted that the documentation we received predates the launch of the iPhone 13, and at the time, the company apparently could not access the iPhone 12 either.
Full access even when locked, with any supported version of iOS
Cellebrite Premium can unlock and access the entire file system of the following phone models, even if they are protected by a passcode, with the unlock time depending on the complexity of the passcode. It doesn’t matter what version of iOS the phone is running – the company can unlock the device and get access to everything.
iPhone 4S*, iPhone 5*, iPhone 5S*, iPhone 6, iPhone 6S, iPhone SE, iPhone 7, iPhone 8, iPhone X
*Interestingly, these three models require an in-house unlock by the company if they are running iOS 5 or iOS 6, while Cellebrite Premium allows customers to unlock devices directly if they are running iOS 7 or later.
These models can be hacked regardless of iOS version because of unpatchable vulnerabilities in them. One of these came to light with the checkm8 exploit, and another vulnerability was discovered in the Secure Enclave later that year. This also cannot be fixed.
Full access, even when locked, with older versions of iOS
There are three iPhone models that can be unlocked as long as they are running any version of iOS prior to iOS 13.7.
iPhone XR, iPhone XS, iPhone 11
Full access only with the passcode
The company cannot unlock the same three models running iOS 14 or iOS 15, either through Cellebrite Premium or through the company’s own resources. However, if customers have the phone’s passcode, full access to the file system is available.
iPhone XR (iOS 14 or 15), iPhone XS (iOS 14 or 15), iPhone 11 (iOS 14 or 15)
Law enforcement may or may not have the authority necessary to force a suspect to reveal their password, depending on the country and jurisdiction.
Brute force unlock takes a very long time
A brute-force attack is required to unlock devices. It depends on being able to disable the lockout that Apple applies to passcode retries, but even then it’s a slow process due to the delays that occur before a full lockout.
The company warns that this process can take a very long time: in one example, the user manual lists just over 100 attempts per day.
However, the kit allows users to enter any personal details they have for the owner of the phone, such as a date of birth and other important dates such as a loved one’s birthday. These will be used to create initial attempts before resorting to brute force. This information serves to highlight the importance of protecting even relatively trivial personal data.
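As an added illustration (not part of the original article or of any Cellebrite material), the Python sketch below looks at the roughly 100-attempts-per-day figure from the phone owner's side: it reports whether a passcode can be derived from a known personal date and how long a search would take at that rate in each case. The rate constant, the alphabet sizes and the date formats are assumptions, and the sample date is constructed.

```python
from datetime import date
from itertools import permutations

# Assumption: rounded from the manual's "just over 100 attempts per day" example.
ATTEMPTS_PER_DAY = 100


def keyspace(passcode):
    """Size of the space a blind search must cover for a passcode of this shape."""
    # Assumption: all-digit codes use 10 symbols, anything else 62 (a-z, A-Z, 0-9).
    alphabet = 10 if passcode.isdigit() else 62
    return alphabet ** len(passcode)


def date_derived_codes(d, length):
    """Digit strings of `length` built by concatenating day/month/year fields of one date."""
    fields = {"dd": f"{d.day:02d}", "mm": f"{d.month:02d}",
              "yy": f"{d.year % 100:02d}", "yyyy": f"{d.year:04d}"}
    codes = set()
    for n in (1, 2, 3):
        for combo in permutations(fields, n):
            if "yy" in combo and "yyyy" in combo:
                continue  # never use both year forms in one code
            code = "".join(fields[k] for k in combo)
            if len(code) == length:
                codes.add(code)
    return codes


def audit_passcode(passcode, known_dates, rate=ATTEMPTS_PER_DAY):
    """Return (date_derived, candidates_to_try, worst_case_days) for one passcode."""
    guessable = set()
    for d in known_dates:
        guessable |= date_derived_codes(d, len(passcode))
    if passcode in guessable:
        # Falls within the small personal-detail list tried before blind search.
        return True, len(guessable), len(guessable) / rate
    return False, keyspace(passcode), keyspace(passcode) / rate


if __name__ == "__main__":
    dates = [date(1990, 7, 4)]  # constructed sample date
    for code in ("0704", "040790", "583920", "aB3x9Q"):
        print(code, audit_passcode(code, dates))
```

A six-digit passcode unrelated to any known date has a worst case of 10,000 days at this rate, while one built from a birthday sits in a list of about ten candidates.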
Offline mode
Previously, Cellebrite’s brute-force unlocking required the phone to remain connected to the kit until it succeeded. However, Cellebrite Premium provides an offline mode where the phone can be disconnected during an attack. This is because the kit allows you to install the software that launches the attack directly on the iPhone, even if the phone is locked.
Cellebrite’s standalone brute-force feature launches an automated dictionary attack directly on the device itself. Once the process is initiated, the target device can be disconnected from Cellebrite Premium, allowing offline brute force to run on multiple devices simultaneously.
It is worth emphasizing that all Cellebrite attacks require physical access to the phone, unlike NSO Pegasus spyware, which can be deployed remotely, including without a click.
The post unlocking and accessing data by model appeared first on Gamingsym.