This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.
Hacking the iPhone is something of a holy grail. Famously, the FBI paid a group of hackers an undisclosed but likely substantial sum to unlock an encrypted iOS9 device used by one of the San Bernardino terrorists.
Cellebrite, an Israeli mobile forensics firm, was rumored to have hacked the phone in this case, although The Washington Post reported that other hackers had been involved. Regardless, Cellebrite does run a dedicated iPhone cracking service, and documents obtained by Motherboard shine a light on this increasingly relevant part of the company's business.
In July 2016, Cellebrite announced it could crack iPhones up to iOS version 9.3.2 and the iPhone 5 (the latest version is 10.2). Instead of including this iPhone functionality with the Universal Forensic Extraction Device, the company's flagship hardware product, Cellebrite performs its iOS unlocking services in-house, via Cellebrite Advanced Investigative Services (CAIS).
"Cellebrite Advanced Investigative Services (CAIS) provides that extra assistance when and where it's needed most," Cellebrite's website reads.
A November 2016 terms and conditions document obtained by Motherboard includes a spreadsheet template related to iOS unlocking services. This and other related documents were included in a 900GB cache of material obtained by Motherboard from a hacker.
Column headers of the spreadsheet include the device's iOS version, its serial number, and any notes on the condition of the device, such as whether it is water-damaged.
Customers cannot just send Cellebrite any random device to have unlocked, however. Investigators must provide Cellebrite with a court order or other form of authorization allowing them to break into the device, another November 2016 terms and conditions document talking about phone unlocking more generally reads. According to the file's metadata, it was written by Francis Felice, vice president of finance at Cellebrite.
"The Customer understands that Cellebrite shall have no obligation to commence providing any Services until such time as Cellebrite has received such authorizations and ensured to Cellebrite's reasonable satisfaction that the court order or other authorization permits Cellebrite to perform the Services," the document reads. Cellebrite charges $250,000 a year for a subscription-style unlocking service of modern phones, or cracks an individual device for around $1,500, The Intercept reported last year.
As for the unlocking methods themselves, they are "experimental" and, as to be expected, do not work on all devices, according to the second document. And even if the method fails, the customer still needs to pay. It's not clear from the document how often Cellebrite's iOS unlocking procedures don't work.
"The Customer understands and agrees that each time Cellebrite attempts to use the Process to decode the passcode of a device, such attempt shall constitute a Use regardless of whether Cellebrite is successful in such decoding," the document reads.
Cellebrite did not respond to Motherboard's request for comment.
Since 2014 with the release of iOS8, iPhones have been designed in such a way that even Apple cannot unlock the device and access user data; only someone who knows the phone's passcode is supposed to be able to access its contents. Meaning that if a thief steals an iPhone, they are going to have little luck actually getting at any of the victim's data.
But law enforcement agencies have not been happy with the move. As well as the San Bernardino case, which erupted into an intense legal battle in early 2016 between the FBI and Apple, in October 2016 an FBI Special Agent said the agency was assessing its technical options for breaking into the phone of another dead terrorist. The DEA has, unsurprisingly, applied for a warrant to access data on an iPhone 6.
For all that fanfare, the FBI can retrieve evidence from the vast majority of phones it handles. From October 2015 to September the following year, the FBI encountered passcodes in 2,095 out of 6,814—or 31 percent—of mobile devices analyzed by its forensics labs, the agency's General Counsel Jim Baker said at a public meeting last November. And out of those, the FBI was still able to break into the device in 1,210 cases.
According to Apple's figures, over 75 percent of iOS devices are using version 10 of the operating system, one that Cellebrite apparently doesn't currently support. Even with companies like Cellebrite constantly looking for new ways to break into the latest phones, it's still going to be a cat and mouse game.