I’m fortunate in that I follow a lot of intelligent security professionals. When it was first announced that the Federal Bureau of Investigation (FBI) had hired a partner to break into Farook’s iPhone 5C, the speculation was that the partner was Cellebrite. Note the key word: speculation. Most of the people initially speculating on the topic were careful to couch their terms as hypothetical, but that didn’t stop media outlets from reporting speculation as fact. The problem with reporting speculation as fact is that it’s often wrong:
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.
[…]
The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.
When the media reports something as fact, do yourself a favor and dig into the story. You may find out that the fact is actually speculation.
I never read the story and just assumed they were lying about being able to hack the phone in order to save face.
I’ve read this story and have a hard time believing it. I’d like them to prove me wrong and disclose the vulnerability. Considering it is the government, it is doubtful they are fans of responsible disclosure.
I have no doubts that the FBI was able to gain access to the phone. What I didn’t buy was their claims that they couldn’t and required Apple’s help to do so.
Since Farook only set a four-digit numerical password, the only thing preventing the FBI from brute forcing it were software features in iOS. So long as they could gain access to the hardware key that’s mixed with the password to create the encryption key and read the contents from the flash memory, brute forcing the password would be a piece of cake.
Such an attack would likely be harder to execute on iPhones with Secure Enclave, since the hardware responsible for the crypto operations also enforces the delays between incorrect passwords.