Report reveals how little-known ‘Azimuth Security’ cracked the iPhone in the San Bernardino FBI case
An exclusive new report today from the Washington Post claims to have the details of how the FBI was able to crack the iPhone 5C in the San Bernardino case, which little-known security firm it used, and how Apple has ended up suing a company co-founded by one of the hackers who cracked the iPhone.
Fascinating new details have allegedly been uncovered by the Washington Post about the intense battle between the FBI and Apple over the San Bernardino case. As a refresher, after the terrorist attack, the FBI asked Apple to unlock an iPhone 5C that was used by one of the shooters. Apple gave the FBI the information it had but said it wouldn’t create a backdoor into iOS to fully unlock the device, as doing so would compromise the security of all iPhone users.
In the end, the FBI got the iPhone 5C unlocked by a third party, but the firm’s identity was never disclosed. Cellebrite, one of the most well-known security firms that regularly works with law enforcement and governments to crack devices, was floated as the one that helped the FBI. But the Post’s anonymous sources revealed that it was actually a little-known white-hat Australian security firm called Azimuth.
Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who, like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, “can pretty much look at a computer and break into it.” One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for “jailbreaking” or removing the software restrictions of an iPhone.
At the time, the challenge of breaking into the iPhone 5C in the San Bernardino case was getting around the iOS feature that erased the device after 10 incorrect passcode attempts. Azimuth ended up assembling an exploit chain that started with a vulnerability in Mozilla open-source code that Apple used for the iPhone’s Lightning port.
Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person. He found it even before Farook and his wife opened fire at the Inland Regional Center, and thought it might be useful at some point to develop into a hacking tool. But Azimuth was busy at the time with other projects.
The remaining parts of the exploit chain were uncovered after the FBI reached out to Azimuth.
Two months after the attack, Comey testified to Congress that investigators were still unable to unlock the terrorist’s iPhone. Seeing the media reports, Dowd realized he might have a way to help. Around that time, the FBI contacted him in Sydney. He turned to 30-year-old Wang, who specialized in exploits on iOS, the people said.
David Wang was able to find and use two more exploits alongside the original one that Dowd had found, “giving him full control over the phone’s core processor.”
From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.
Wang and Dowd tested the solution on about a dozen iPhone 5Cs, including some bought on eBay, the people said. It worked. Wang dubbed the exploit chain “Condor.”
In March 2016, the FBI tested Dowd and Wang’s “Condor” hack. It was successful, and the FBI purchased it from Azimuth for $900,000. The report notes that while the FBI was relieved, it was also disappointed at losing the chance to press Apple to create a backdoor into iOS.
They knew they were losing an opportunity to have a judge bring legal clarity to a long-running debate over whether the government may compel a company to break its own encryption for law enforcement purposes.
Very interestingly though, that’s not the end of the story. David Wang of Azimuth went on to co-found a new research company, Corellium, which offers researchers software to virtualize iOS.
Apple filed a lawsuit back in 2019 against Corellium, claiming it was selling “perfect replicas” of iOS and profiting “off its blatant infringement.” For its part, Corellium said Apple was attempting to “eliminate public jailbreaks” and that all security researchers, developers, and jailbreakers should be concerned.
In December 2020, Apple lost that lawsuit against Corellium, with the judge ruling that the iOS virtualization was within fair use.
Interestingly, Apple pushed in the Corellium lawsuit to get more information about Azimuth.
In 2019, Apple sued Corellium for copyright violation. As part of the lawsuit, Apple pressed Corellium and Wang to divulge information about hacking techniques that may have aided governments and agencies like the FBI.
Apple subpoenaed Azimuth, Corellium’s first customer, according to court documents. Apple wanted client lists from Azimuth, which is now owned by L3 Harris, a major U.S. government contractor, that might show malign entities. L3 and Azimuth said they were “highly-sensitive and a matter of national security,” according to court documents.
Then in April 2020, Apple also requested:
[a]ll documents concerning, evidencing, referring to, or relating to any bugs, exploits, vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are, or have ever been, aware.
That request was denied; notably, it would have revealed Project Condor.
During a deposition, Apple questioned Wang about the morality of selling exploits to governments, according to court records. A lawyer pressed him during the deposition on whether he was aware of any bugs that were not reported to Apple but were later found by malicious hackers.
Apple “is trying to use a trick door to get [classified information] out of him,” Corellium attorney Justin Levine said, according to a transcript. Corellium declined to comment for this story.
Notably, while Apple lost the first lawsuit it brought against Corellium, it may appeal that ruling and has already filed another claim about the research firm illegally bypassing Apple’s security.