Free Republic

Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite
MotherBoard | Feb 2 2017, 9:17am | By Joseph Cox

Posted on 02/03/2017 10:04:16 AM PST by Swordmaker

The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public.

In January, Motherboard reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite. The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia.

Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools.

"The debate around backdoors is not going to go away, rather, it is almost certainly going to get more intense as we lurch toward a more authoritarian society," the hacker told Motherboard in an online chat.

"It's important to demonstrate that when you create these tools, they will make it out. History should make that clear," they continued.

Cellebrite is an Israeli firm which specializes in extracting data from mobile phones for law enforcement agencies. The company's flagship product, the Universal Forensic Extraction Device (UFED), typically comes as a small, laptop-sized device, and can pull SMS messages, emails, and more from thousands of different mobile phone models. The investigator needs to have physical access to the phone to analyze it.

A Motherboard investigation found that US state police and highway patrol agencies have collectively spent millions of dollars on Cellebrite technology.

The hacker claimed to have taken the newly released data from a remote Cellebrite server, and said they had extracted them from UFED images. They told Motherboard that the files were encrypted, likely in an attempt to protect Cellebrite's intellectual property, but that they managed to bypass the protections.

The hacker's ASCII art, which reads "backdoorz."

"The ripped, decrypted and fully functioning Python script set to utilize the exploits is also included within," the hacker wrote in a README file accompanying the data dump. The hacker posted links to the data on Pastebin.

It's not clear when any of this code was used in the UFED. Many of the directory names start with "ufed" followed by a different type of phone, such as BlackBerry or Samsung.

In their README, the hacker notes much of the iOS-related code is very similar to that used in the jailbreaking scene—a community of iPhone hackers that typically breaks into iOS devices and releases its code publicly for free.

Jonathan Zdziarski, a forensic scientist, agreed that some of the iOS files were nearly identical to tools created and used by the jailbreaking community, including patched versions of Apple's firmware designed to break security mechanisms on older iPhones. A number of the configuration files also reference "limera1n," the name of a piece of jailbreaking software created by infamous iPhone hacker Geohot. He said he wouldn't call the released files "exploits" however.

Zdziarski also said that other parts of the code were similar to a jailbreaking project called QuickPwn, but that the code had seemingly been adapted for forensic purposes. For example, some of the code in the dump was designed to brute force PIN numbers, which may be unusual for a normal jailbreaking piece of software.

"If, and it's a big if, they used this in UFED or other products, it would indicate they ripped off software verbatim from the jailbreak community and used forensically unsound and experimental software in their supposedly scientific and forensically validated products," Zdziarski continued.

A spokesperson for Cellebrite told Motherboard in an email: "The files referenced here are part of the distribution package of our application and are available to our customers.  They do not include any source code."

He added that the company monitors new research from academia and the information security community, including "newly published forensic methods, research tools and publicly documented issues, including 'jailbreaks,' which enable platform research."

Cellebrite develops methods for gaining access to phones that do not change or alter data on the device, the spokesperson continued. He wrote that Cellebrite's technology is used to combat child trafficking and exploitation, sexual assault, murder, and drug and gang crime.

In its statement released in response to the initial data breach, Cellebrite only mentioned that "basic contact information" of its customers had been stolen. But as Motherboard reported at the time, the cache of data included much more.

In early 2016, the Department of Justice and Apple entered a fierce legal battle, in which the department tried to legally compel Apple to build a custom operating system that would allow investigators to bypass security protections on an iPhone. A concern at the time was that, if such an operating system was created, it could leak and become public.

Although these dumped tools may not be the most sensitive—Cellebrite keeps its techniques for cracking more recent iPhones in-house—they do demonstrate that those worries were justified.

Researchers will likely now dig through the content for any interesting attacks or findings.

"@FBI Be careful in what you wish for," the hacker's message reads, before signing off with a piece of ASCII art, which says "Backdoorz."



TOPICS: Business/Economy; Crime/Corruption; Government; News/Current Events
KEYWORDS: applepinglist; cellebrite; hacking; iphone

1 posted on 02/03/2017 10:04:16 AM PST by Swordmaker

To: Swordmaker
The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public.

Not part of Apple. This is what happens when you let *OTHER* people provide the software to hack your system. Would have been different had Apple maintained control, but they would rather start a propaganda war to advance left wing politics.

2 posted on 02/03/2017 10:08:11 AM PST by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To: dayglored; ThunderSleeps; ~Kim4VRWC's~; 1234; 5thGenTexan; Abundy; Action-America; acoulterfan; ...
The hacker who stole the hacking tools used by Cellebrite to open every cellphone in the world, except the most modern iPhones, was dumped into the Web for everyone to use. Cellebrite was the 3rd party company used by the FBI to unlock the San Bernardino Terrorists' iPhone 5, an older model iPhone, after others failed to be able to unlock it and Apple declined to build a special version of iOS without the built-in security that would allow the FBI to unlock any older model iPhone made prior to the iPhone 5s. The tools released by the hacker will NOT unlock any iPhone or iPad after the iPhone 5 using iOS 8 or later, supporting Apple's claims of security. These tools were stolen from Cellebrite in a security breach in early January 2017. Over 900GBs of Cellebrite's Crown Jewels were stolen in the hack-in. — PING!


Apple iPhone Security and Cellebrite Hacking Tools
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

3 posted on 02/03/2017 10:12:59 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Create a better lock and you motivate a more capable generation of lock-pickers. So it has always been.


4 posted on 02/03/2017 10:20:44 AM PST by bigbob (We have better coverage than Verizon - Can You Hear Us Now?)

To: DiogenesLamp
Not part of Apple. This is what happens when you let *OTHER* people provide the software to hack your system. Would have been different had Apple maintained control, but they would rather start a propaganda war to advance left wing politics.

The FBI was demanding that Apple hand over any new unlocked version of iOS they would have developed under the court order. It was in fact part of the Court Order that whatever Apple developed HAD to be handed over to the authorities for their use. The higher courts agreed with Apple that the Magistrate Judge did not have jurisdiction to order such work to be done and had no power to order it. It was not in any way similar to a search warrant and was equivalent to impermissible forced labor.

Apple has not "let *OTHER* people provide the software to hack" their system. They have zero control over what other people do.

Apple argued that once such a tool was available it would find its way into the public domain and this is proof that such things DO happen, regardless of what safeguards are put in place to prevent such things from being released. Just the knowledge that a backdoor exists is enough to start people looking for it.

5 posted on 02/03/2017 10:21:20 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
The FBI was demanding that Apple hand over any new unlocked version of iOS they would have developed under the court order.

No it wasn't. That was the propaganda spread by the Apple cult. I've read the court order. It left Apple with the ability to control everything.

6 posted on 02/03/2017 10:26:21 AM PST by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To: DiogenesLamp

“It left Apple with the ability to control everything. “

Except to say no to the FBI’s court ordered demand.


7 posted on 02/03/2017 10:34:48 AM PST by proust (Trump / Pence 2016!)

To: proust
Except to say no to the FBI’s court ordered demand.

I thought it was perfectly reasonable for the Court to demand that Apple open up the phone of a dead man, especially given the potential that other lives might be saved as a result.

Apple decided to side with the Dead terrorist.

8 posted on 02/03/2017 10:41:33 AM PST by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To: Swordmaker
The obvious hacking tools are obvious.


9 posted on 02/03/2017 10:44:42 AM PST by Daffynition ( "The New PTSD: Post-Trump Stress Disorder" - The MLN didn't make Trump, so they can't break Trump.)

To: DiogenesLamp
No it wasn't. That was the propaganda spread by the Apple cult. I've read the court order. It left Apple with the ability to control everything.

Look, Diogenes, you and I have gone around and around about this before and I posted the pertinent portions of the Court Order and I highlighted the EXACT WORDS which ORDERED APPLE to hand over the results of their work to the FBI. YOU ARE ABSOLUTELY WRONG! You did not then know what you were reading and are again wrong NOW. I am not going to repeat it again. . . but the appellate court agreed with Apple, and with me. YOU LOST BEFORE and everyone else in those threads were piling on YOU and your wrong interpretation.

It did NOT permit Apple to control everything. PERIOD. Court orders do not work like that, no matter how much you want things to be the way you think.

10 posted on 02/03/2017 10:51:16 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
You can keep repeating that, but that won't make it true. The Court Order left it up to Apple how to get the information out of the phone, it said nothing about turning over the means to get the information out of the phone.

It said the phone could remain in the possession of Apple for the entire duration. All they wanted was the info on the phone.

The Apple cult turned the whole thing into a tempest in a teapot.

11 posted on 02/03/2017 10:54:59 AM PST by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To: DiogenesLamp

That would have been reasonable, and Apple (of which my posting history proves I take a jaundiced view) has always complied.

The FBI didn’t do that. For whatever reason, they demanded the phone be cracked sans court involvement.


12 posted on 02/03/2017 11:00:13 AM PST by MrEdd (MrEdd)

To: Swordmaker
Hi Swordmaker.

“Never argue with an idiot. They will only bring you down to their level and beat you with experience.” -- George Carlin

Just sayin'.

13 posted on 02/03/2017 11:04:49 AM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: MrEdd
The FBI didn’t do that. For whatever reason, they demanded the phone be cracked sans court involvement.

They demanded the phone be cracked? Yes they did. So what is your point? They didn't turn to the courts until Apple made it clear that they wouldn't help the FBI get the information off of the dead terrorist's phone.

Cracking the phone was necessary to get the information that might have potentially saved lives. They got another company to do it, but the phone got cracked.

14 posted on 02/03/2017 11:05:53 AM PST by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To: Swordmaker

Thanks for telling the truth bro. I am the proud owner of a new iPod Nano. My 10 year old iPod was either stolen or lost. I am not upgrading from my iPhone 6 to a 7, but I’ll wait for the iPhone 8. Keep up the good work.


15 posted on 02/03/2017 11:27:20 AM PST by Mark17 (20 Years USAF ATCer, Retired. 25 years CDCR C/O, Retired)

To: DiogenesLamp

Well, you make it clear that you personally disagree with that separation of powers concept that the founders built into the constitution...but I believe they were right and you are wrong.

The FBI should have gone to a judge straight away and showed up having complied with the legal requirements under which they are authorised to exert authority. What kind of crappy organization refuses to operate within the strictures under which they were set up?


16 posted on 02/03/2017 12:02:50 PM PST by MrEdd (MrEdd)

To: DiogenesLamp; IncPen; Ray76; palmer; SteveH; itsahoot; Protect the Bill of Rights; JimSEA; ...
No it wasn't. That was the propaganda spread by the Apple cult. I've read the court order. It left Apple with the ability to control everything.

Extracted word-for-word from the Magistrate Judge's Court Order to Apple re: what to do:

". . . providing the FBI with a signed iPhone Software file, recovery bundle or other Software image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory ("RAM") and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. . . The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode or other applicable mode available to the FBI."

Nothing there says that Apple retains control. It says ". . . providing the FBI with a signed iPhone Software file, recovery bundle, or other Software image File (SIF). . . available to the FBI." That is plain English language.

You went on in that argument to absurdly claim that the court order would allow Apple to KEEP the iPhone 5C in question, breaking the chain of evidence. There is NOTHING in the court order making such a claim supportable at all. . . nowhere could anyone find such an order giving Apple the right to retain the terrorists' iPhone 5C, but YOU said Apple would be allowed to keep it!

To: Swordmaker; Ray76
YOU CANNOT READ WORTH A DAMN!

You mean I can't read between the lines and see all your fantasy bogeymen, and no, I can't.

The order clearly says Apple may retain possession of the phone. The clarification posted by Ray76 made it even more clear that the phone can remain in Apple custody, and no software need be given to the FBI.

101 posted on 02/24/2016 4:25:54 PM PST by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To your claim that the words WERE in the court order, I replied thusly, when you refused to provide the actual words in the Court Order allowing Apple to retain the evidence, breaking the chain of evidence:

To: DiogenesLamp; palmer; SteveH; itsahoot; IncPen; Protect the Bill of Rights; JimSEA; Mark17; ...
If you didn't read them the first time, why should I bother? You don't want it to be true, so you are simply going to dismiss any quote I provide. I have better things to do.

Look ID10T, I've read the entire COURT ORDER. There is nothing in it that says APPLE MAY KEEP THE said iPhone 5C after recovery of the data on SUBJECT DEVICE as a souvenir, it just is NOT THERE.

No, what it says is on page 3, lines 13 and 14:

"All evidence preservation shall remain the responsibility of law enforcement agents."

WHERE, oh WHERE, DiogenesLamp, does that say "Apple may retain the iPhone 5c or SUBJECT DEVICE for safe keeping"? Is Apple going to allow an FBI or "law enforcement agent(s)" to stand guard 24/7 for the rest of eternity over that iPhone 5C?

YOU ARE reading invisible words between the lines that NO ONE ELSE CAN FIND!

So again, we challenge you to please find these non-existent words in this Court Order, signed by Sheri Pym, which incidentally was SIGNED BY A RUBBER STAMP!!!! What's with that??? Can't she write? Or was this issued by HER clerk?

136 posted on 02/25/2016 11:03:14 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)
You did not post those words from the Court Order because they simply were not there.
17 posted on 02/03/2017 12:04:47 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: DiogenesLamp; MrEdd
They demanded the phone be cracked? Yes they did. So what is your point? They didn't turn to the courts until Apple made it clear that they wouldn't help the FBI get the information off of the dead terrorist's phone.

Apple complied with the Search Warrant for everything that had been backed up from that iPhone 5C to the iCloud. Everything that Apple had in its possession. Apple even assisted with advice on how to unlock the iPhone 5C. . . but the FBI decided to try CHANGING the Apple ID against Apple's advice and succeeded in completely locking it. . . a condition in which the data cannot be retrieved from the iPhone.

The iPhone 5C belonged to San Bernardino County, not the terrorists, and when it was finally successfully opened, the FBI found NOTHING on it except work related data, which is exactly what I predicted they would find. That was what Verizon had reported from the data they provided under a Search Warrant and what Apple had provided under the Search Warrant they had received. The only thing NOT work related were a few phone calls received from Farook's terrorist wife while he was working. No data about what those calls were about was on the phone.

18 posted on 02/03/2017 12:16:00 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: dayglored
“Never argue with an idiot. They will only bring you down to their level and beat you with experience.” -- George Carlin

Just sayin'.

In this thread, I am just showing others exactly who he is. . . an idiot. I am now done with that, having hoist him on his own petard with his own words from the previous threads. Thanks for the advice.

19 posted on 02/03/2017 12:20:07 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

page 7 from the DOJ court filing (accessed at http://www.nytimes.com/interactive/2016/02/19/business/document-motion-to-compel-apple-compliance.html )

20 posted on 02/03/2017 12:28:04 PM PST by Ray76 (DRAIN THE SWAMP)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
