Small Australian Company Cracked The San Bernardino Shooter's IPhone For The FBI

from the well...-better-luck-next-time,-Cellebrite dept

Five years ago, the DOJ and Apple engaged in a courtroom fight over device encryption. The DOJ wanted Apple to craft a backdoor so the FBI could search a phone belonging to one of the San Bernardino shooters. It was a work phone owned by Syed Farook, who was killed during a shootout with law enforcement. That it was a work-issued phone suggested it wouldn't contain much useful evidence or information. But the government insisted it would and attempted to secure an order forcing Apple to do what the DOJ wanted.

While everything still remained unsettled, the DOJ dropped the case after finding someone who could break into the phone. This small victory against device encryption was treated as a loss by many inside the FBI, who really would rather have had court precedent mandating compelled decryption. Ultimately, the millions of dollars spent trying to achieve this -- including the $900,000-1.3 million spent on the exploit itself -- meant nothing. There was no useful evidence recovered from Farook's work phone.

Since then, there has been a lot of speculation about which phone cracking tech company provided the exploit to the FBI. It turns out to have been none of the usual suspects. Instead, as Ellen Nakashima and Reed Albergotti report for the Washington Post, it was a small Australian company that has flown under the radar until this point: Azimuth Security.

Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, “can pretty much look at a computer and break into it.” One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for “jailbreaking” or removing the software restrictions of an iPhone.

Now that it's on the radar, Azimuth appears to have memory-holed its site. Azimuth is owned by L3 Harris, a US government contractor. But before it became a subsidiary of Harris, Azimuth was selling exploits to a very select number of government agencies. That its involvement in this very public fight over device encryption hasn't been revealed until now suggests it works with a very small group of very trustworthy customers.

The exploit itself involved Apple's Lightning port and code that allowed hackers to bypass internal security features that wipe the device after ten failed password attempts.

Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person.

[...]

Using the flaw Dowd found, Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device.

This is also the first we're hearing about the exploit used to crack the phone. Azimuth reached out to the FBI and demonstrated the hack for it. Once it was determined it could be run safely, the FBI paid for the assistance with the understanding Azimuth would remain in possession of the code and details of the exploit.

But Apple was only a few court motions away from discovering what the public didn't know and the DOJ has refused to divulge. In 2019, Apple sued David Wang's company, Corellium -- which sells virtual devices (including virtual iPhones) to developers and security researchers. According to Apple, the creation of virtual devices violated its copyright. Corellium's first customer, Azimuth Security, was subpoenaed. It refused to answer questions citing national security concerns.

Apple also demanded information directly from Corellium, which might have turned up information on the iPhone exploit used in the San Bernardino case.

Last April, Apple also made a document request in the lawsuit for “all documents concerning, evidencing, referring to, or relating to any bugs, exploits, vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are, or have ever been, aware.”

Those employees included Wang. The request would have turned up Condor [the hack used to crack Farook's iPhone].

This motion was denied and Apple's copyright case tossed out by the judge, who found it "puzzling, if not disingenuous" Apple would claim virtual phones used to find security vulnerabilities somehow harmed iPhone sales (though the anti-circumvention part of the case lives on).

Speaking of "puzzling, if not disingenuous," the FBI and DOJ continue their anti-encryption clamoring to this day, despite there being a number of options available to help investigators circumvent device encryption. In this case, Azimuth reached out to the FBI with a potential solution, showing there are plenty of smart people working for tech companies who want to help address the challenges raised by encryption. Just because Apple won't make its devices less secure for every one of its users doesn't mean the company doesn't care and doesn't want to help law enforcement. The FBI continues to insist the only solution is something that can be applied in every case. And, by doing that, the FBI shows it cares far less for the public's safety and security than the handful of tech companies it continues to portray as its enemies.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: all writs act, doj, encryption, fbi, going dark, hacking, iphones
Companies: apple, azimuth security, corellium, harris


Reader Comments

Subscribe: RSS

View by: Thread


  • icon
    Koby (profile), 15 Apr 2021 @ 11:50am

    This motion was denied and Apple's copyright case tossed out by the judge, who found it "puzzling, if not disingenuous" Apple would claim virtual phones used to find security vulnerabilities somehow harmed iPhone sales (though the anti-circumvention part of the case lives on).

    A number of acquaintances of mine were Apple enthusiasts, and I remember at the time of this incident that they were rather hopeful that Apple products were nearly impenetrable. Then, we got news that the phone got cracked, and the enthusiasts were no longer so enthusiastic. Rather, they seemed resigned to the concept that the contents of their phone couldn't be cracked by some off-the-street thief, but the 3-letttered U.S. agencies could do whatever they wanted.

    Their constant purchases and upgrades to the latest model have dwindled since then.

    reply to this | link to this | view in chronology ]

  • icon
    Vidiot (profile), 15 Apr 2021 @ 12:44pm

    Attention, L3 Harris customers... buy a new Stingray setup, and get 10 free iPhone cracks! Of course they were bought by Harris; hope Mark Dowd is relaxing every day on Bondi Beach with an oilcan of Foster's.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 15 Apr 2021 @ 1:03pm

    "There was no useful evidence recovered from Farook's work phone."

    The tigers did not attack this time, but unless we purchase more tiger repelling rocks they MIGHT attack next time.

    From the braintrust that has created more 'home grown' terrorists than actual terrorist groups, perhaps we need to stop treating them like they know what the hell they are doing.

    Everyone ooohs and awwws when they roll up some poor sucker with an IQ of 75 they turned into a wanna be terrorist, but managed to be completely blindsided by every white nationalist terrorism incident that was openly planned & promoted and well lets be honest a bunch of their colleagues attended those events.

    Perhaps if they started stopping actual terrorists planning in the open, we might consider their requests to break encryption a bit more before telling them to fsck off.
    But they can;t tell us how many locked phones they have, how many people walked because phones remained locked, how their entire agency failed to investigate all possibilities b/c oh here is a phone it'll answer everything.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 16 Apr 2021 @ 10:38am

      Re:

      When the GOP was arguing that they had to fill the Supreme Seat, because the Dem's would even if they couldn't at the time, I made the point that it's not a defense when one is standing over a dead body to say, "if he had a gun, he'd have shot me, so I had to shoot him first, even if he doesn't own a gun".

      Sometimes I feel like our entire intelligence apparatus operates under this modality.

      reply to this | link to this | view in chronology ]

      • icon
        That Anonymous Coward (profile), 17 Apr 2021 @ 6:47pm

        Re: Re:

        Its performative theatrics to impress Congress.
        (DHS head replicating the bridge of the STTNG Enterprise as his office comes to mind).

        They reward results, not attempts.
        This explains why the FBI has a steady stream of 'terrorist' busts that fall apart when you look at how they groomed the person to become a terrorist so they could bust them.

        The IRS audits little people, because the rich have money & can fight back. They are rewarded for wins not tries.
        (plus them leaving & getting cushy jobs with those they should have jailed)

        The hired insurance execs to run the programs to help citizens after disasters. No one told them they were supposed to run the main fund out of money helping people. Now they look for every little thing they can because (shakes his head) not actually helping people in desperate need & save us money!

        They care about awesome blinky lights & that any spying on citizens exempts them.

        I mean I listened to the Congress person who's district covered the Hamptons cheering for Trump running MS13 out of his district.
        O_O How do you run out what was never there?
        It was a performance piece to be accepted uncritically.

        Notice they spent way more time on "going dark" than answering questions how the fsck they missed Jan 6th being planned IN THE OPEN.

        Soundbites & Headlines rule the nation instead of reason & rational thought.

        Abstinence Only doesn't work but we still have it.

        We demand people in 3rd world countries having survival sex not be informed about condom use or we cut off aid to them.

        We donate prom dresses to disaster relief.

        We need to stop giving everyone a ribbon for participating & start demanding basic common sense rule the day. Dumping a shitload of old clothes you were going to throw out to victims of a disaster doesn't make you a good person, it makes you someone to lazy to deal with their own trash & then claim they helped those poor people.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Apr 2021 @ 1:10pm

    Doesn't surprise me that Australia had a hand in this.

    They vehemently despise encryption after all.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 15 Apr 2021 @ 2:03pm

    This is concerning, especially when you consider "assisted access" in the background.

    reply to this | link to this | view in chronology ]

  • identicon
    Bobvious, 15 Apr 2021 @ 3:18pm

    Of course it happened ɹǝpu∩ uʍop

    "Scientists. PI is EXACTLY equal to 3", https://www.youtube.com/watch?v=L1eegVTwDS0

    Must be the coriolis effect, https://www.zdnet.com/article/the-laws-of-australia-will-trump-the-laws-of-mathematics-turnbull/

    By forcing PI to be exactly 3, this leaves an almost 5% gap in the maths, allowing the government to get in through the back door, https://www.techdirt.com/articles/20181208/14440541184/australian-government-passes-law-forcing-tech -companies-to-break-encryption.shtml

    Coming up next, all passwords must be variations of the last 20 digits of PI.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.