Cellebrite claims it can unlock any iPhone, many new Android phones for police

101 points by microwavecamera, almost 6 years ago

14 comments

_kbh_, almost 6 years ago
It is much more likely imo, that they have zero day exploits for something that does not require the phone to be unlocked, eg wireless, 3g/4g, bluetooth, or via the lightning connector.

If they are not doing that one of the only other options I can see is if they can clone the phone and perform an offline brute force against the pin code but my understanding is that the secure enclave is meant to prevent attacks like that.
thornjm, almost 6 years ago
In the past a USB or WIFI/Bluetooth attack would have got kernel mode execution then used the secure enclave to brute force credentials.

I think what makes this statement interesting is that Apple recently introduced anti-replay counters into their A12 SOC to defeat replay attacks that just reset the memory after each attempt.

I think this might represent a new generation of attacks that either have found a bug in the secure enclave OS itself or some kind of local timing/side channel attack.

The secure enclave has been getting more complex (things like neural net for FaceID) and I have no idea if it has modern mitigations like ASLR so there is a reasonable chance people can get execution there. Really just another local privilege escalation.

The side-channel idea is also really interesting because a lot of the row-hammer and SPECTRE style attacks seem far-fetched in real scenarios but attacking a different ring of your own chip with full kernel access makes any kind of hardware attack seem much more reasonable.
dingaling, almost 6 years ago
That is terrifying given how the phone is the single key to many people's digital identity and their finances.

And that's what scared me into changing my relationship with my phone. I try to treat it as an ephemeral, disposable data terminal in which I have minimal trust.

Every few weeks I back it up to the LAN and purge it. If I lose it I revoke its login certificates so that it can't access the mail and chat servers, and block the PAYG SIM.

Yet more and more services want me to regard it as a secure token endowed with ultimate trust. The latest is one of my banks (Halifax) which demands that I install their app to authorise any online payment.
earenndil, almost 6 years ago
Most users have 4-digit or 6-digit numeric passwords, which can be trivially brute-forced. The only reason they can't generally is that SEP rate-limits decryption attempts. They probably have a way around the rate-limit. Meaning: if you use an alphanumeric password, you're fine.
mullingitover, almost 6 years ago
Interesting that this company is able to do this without threat of being sued into a smoking crater by Apple. They'd have to use Apple's software to build their product, and to do that they'd be bound by the license agreement. Apple could forbid the research in the license.

Oracle created the DeWitt Clause that forbids researchers from publishing *benchmarks* for their products, and this apparently stands up in court. I have to imagine Apple could forbid researching and building exploit tools just as easily.
puzzledobserver, almost 6 years ago
Wouldn't such an ability, by virtue of having been tested at least once, run afoul of the DMCA? Of course, it is an Israeli company and not an American one, and we have no proof that they have the ability or have ever exercised it, and IANAL, but I am curious.
ISL, almost 6 years ago
If such a device were used in the course of an investigation, wouldn't the defense have the right to examine the device and cross-examine the responsible engineers to ascertain how it works and to ensure that the recovered information has not been tampered with?
tty2300, almost 6 years ago
It would be interesting to know what kind of bugs they are exploiting for this. Are they attacks over USB, bugs in the lock screen, or in the radio hardware?
jMyles, almost 6 years ago
First of all, to give words to the obvious question here: what leads a group of people to flaunt their insanely unethical desire to profit from <insert antonym of freedom>? They are literally trumpeting the ability for their clients to forcibly copy data without the permission of the owner of the device in question. Is it just money? Is it that simple?

Annnyway, more importantly: are there any details about how their claims are even possible? I guess that somehow, in every case of both iOS and Android, the symmetric key with which the data directory is encrypted is somehow gleanable?

It's a bit puzzling, because it seems that something as simple as 15-year old LUKS (eg, using dm-crypt) is sufficient for this purpose... right?

I mean, this company isn't claiming it can perform the same attack on an off-the-shelf laptop that has FDE with dm-crypt, right?

What's the difference? Why are phones such a security nightmare? At least in terms of encryption at rest on a cold device, isn't this a solved problem?
earenndil, almost 6 years ago
This is almost certainly a way to brute-force passwords without the rate limit which is enforced by default. The only reason passwords can be brute-forced is that they're numeric and have few digits. If you use an alphanumeric passcode with at least 8-10 digits, you're fine.
Sephr, almost 6 years ago
I'm quite interested to hear if these attacks involve exploiting side channel leaks against the Secure Enclave, as Apple has supposedly hardened the Secure Enclave against side channel leaks.

I'm sure a technical deep dive on these vulnerabilities would be an exciting read.
stunt, almost 6 years ago
This is also a great advertisement to tell everyone we buy zero-days and information about backdoors!
jasonhansel, almost 6 years ago
Can Apple just add to their Terms of Service that private firms like Cellebrite are required to disclose any security flaws they find?
marmshallow, almost 6 years ago
Still bums me out there's not an active market like this but for jailbreaking iPhones.