An Israeli company is now reportedly able to unlock any phone, making it easier for law enforcement agencies to gain access to files and prompting Apple to issue a security update.
Petah Tivka-based Cellebrite markets itself as a, “global leader in the digital intelligence market,” offering its services for law enforcement, military, and corporate investigations.
Forbes reported Monday that an iPhone X was, “successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.”
Cellebrite, a subsidiary of Japan’s Sun Corporation, has not made an official statement about its capabilities, but a source told Forbes that, in recent months, the company developed tools to break into iOS 11.
This appears to be backed up by descriptions on the company’s website that states that its “Advanced Unlocking Service is available to law enforcement agencies globally for lawfully authorized examinations,” and is able to retrieve date from “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro, and iPod touch, running iOS 5 to iOS 11.”
The company’s technology was reportedly used to unlock the cellphone of San Bernardino shooter Syed Rizwan Farouk in 2016, after the FBI suddenly asked the court to call off a hearing to force Apple to unlock the phone.
Cellebrite’s latest literature claims that its technology can “determine or disable the PIN, pattern, password screen locks, or passcodes on the latest Apple iOS and Google Android devices.”
Forbes reported that the company charges as little as $1,500 for a single unlocking.
In response to the reports, Apple encouraged its users to upgrade to the latest iOS, but did not deny that its phones could be hacked, Threatpost cyber security website reported.
“I’d be zero-percent surprised if Cellebrite had a zero-day that allowed them to unlock iPhones with physical access,” Patrick Wardle a chief research officer at Digita Security told Threatpost. “These guys clearly have the skills, and there is also a huge financial motivation to find such bugs.”
A zero-day vulnerability refers to one that the developers are unaware of, and therefore cannot be fixed with a security patch or an upgrade.