Cellebrite iPhone cracking: Here’s which models the kit can unlock and access, and how to protect your data

By: Anry Sergeev | 29.04.2022, 18:00

The Cellebrite iPhone cracking tool allows the company's clients to view virtually all of the private data on a phone, in some cases even when the phone is locked.

But what it can do to a given iPhone depends on the model and on the version of iOS it runs. We were able to access the documentation for the latest version of the kit to see exactly what those capabilities are.

Background

Cellebrite makes a range of hardware and software kits designed to unlock both iPhones and Android smartphones, and extract most of the data on them.

Some versions are sold to commercial companies, while Cellebrite Premium is – in theory – sold only to law enforcement agencies. However, the exact position is unclear. For example, the company recently revealed that it has over 2,800 US government customers, many of which would not fall within what one would normally think of as ‘law enforcement.’

Investigators with the US Fish and Wildlife Service frequently work to thwart a variety of environmental offenses, from illegal deforestation to hunting without a license. These are serious crimes but they don’t usually involve hacking phones. But Fish and Wildlife agents are among the increasingly broad set of government employees who can now break into encrypted phones and siphon off mounds of data with technology purchased from the surveillance company Cellebrite […]

The list includes many that would seem far removed from intelligence collection or law enforcement, like the departments of Agriculture, Education, Veterans Affairs, and Housing and Urban Development; the Social Security Administration; the U.S. Agency for International Development; and the Centers for Disease Control and Prevention.

Other Cellebrite clients are blue-chip firms that want to carry out internal investigations, and cybersecurity businesses.

Cellebrite Premium kit

The flagship phone cracking kit offered by the company is known as Cellebrite Premium. This is a hardware and software package comprising:

  • Cellebrite Premium laptop, with pre-installed software
  • Android Adapter
  • iOS Adapter
  • iOS Adapter (AFU version, for use after the phone has been powered off)
  • A complete set of cables and carrying bag
  • A hardware license dongle, without which the software won’t run

The software allows users to extract either specific target data (for example, Messages or photos) or the complete filesystem, which contains almost all user data, including Keychain passwords; those in turn give the operator access to most of the services the phone's owner uses. Here's what the company says about it:

By performing full-file system and physical extractions, you can get much more data than what is possible through a logical extraction, and access highly protected areas such as the iOS Keychain or the Secure Folder.

Accessing 3rd party application data, stored passwords and tokens, chat conversations, location data, email attachments, system logs, as well as deleted content, increases your chances of finding the incriminating evidence.

Cellebrite iPhone cracking capabilities

Back in February, the company kept its most advanced capabilities in-house (under its Cellebrite Advanced Services, or CAS, offering), but the webpage relating to this has since disappeared, and it seems from the documentation we've reviewed that Cellebrite Premium can now do everything that CAS used to do.

We should note that the documentation we have obtained pre-dates the launch of the iPhone 13, and at that time the company apparently had no ability to access the iPhone 12 either.

Full access even when locked, with any supported iOS version

Cellebrite Premium can unlock and gain access to the full filesystem of the following models even when they are protected by a passcode, with the unlocking time depending on the complexity of the passcode. This applies to any supported iOS version on these models.

  • iPhone 4S*
  • iPhone 5*
  • iPhone 5S*
  • iPhone 6
  • iPhone 6S
  • iPhone SE
  • iPhone 7
  • iPhone 8
  • iPhone X

*Interestingly, in-house unlocking is required for these three models if they are running iOS 5 or iOS 6, while Cellebrite Premium lets clients unlock them directly if they are running iOS 7 or later.

These models can be cracked regardless of iOS version because they contain vulnerabilities that cannot be fixed by a software update. One is the boot ROM flaw exploited by checkm8; another was discovered in the Secure Enclave later the same year, and it too cannot be patched.

Full access even when locked, with older iOS versions

There are three models of iPhone the kit can unlock if they are running any version of iOS up to iOS 13.7.

  • iPhone XR
  • iPhone XS
  • iPhone 11

Full access only with passcode

The same three models running iOS 14 or iOS 15 cannot be unlocked by the company, either with Cellebrite Premium or with its in-house resources. If clients possess the passcode for the phone, however, full filesystem access can be obtained.

  • iPhone XR (iOS 14 or 15)
  • iPhone XS (iOS 14 or 15)
  • iPhone 11 (iOS 14 or 15)

Law enforcement may or may not have the power needed to force a suspect to reveal their passcode – this depends on the country and the jurisdiction.

Brute-force unlocking is very time-consuming

Unlocking a device requires the kit to brute-force the passcode. This relies on being able to disable the lockouts Apple applies to repeated passcode attempts, but even so the process is slow because of the delays imposed before the complete lockout is reached.

The company warns that the process can be very time-consuming, with one example in the user guide referencing a rate of a little over 100 attempts per day.

However, the kit does allow users to enter any personal data they have on the phone's owner, such as a date of birth and other significant dates, such as a partner's birthday. These are used for the initial attempts before the kit resorts to brute force. This underlines the importance of protecting even relatively trivial personal data.
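To put the attempt rate quoted above into perspective, here is an added Python self-audit for a passcode; it is example code, not Cellebrite's tooling or anything from its documentation. It estimates the worst-case time to exhaust a passcode's keyspace at roughly 100 attempts per day and flags passcodes that are simple rearrangements of dates an owner is known by. The date patterns, the 62-character alphabet assumed for alphanumeric passcodes and the sample owner date are all assumptions constructed for the example.

```python
"""Passcode self-audit (added example; not Cellebrite's code).

Uses the ~100 attempts/day figure the article quotes from the user guide
to estimate worst-case search time, and checks whether a passcode is one
of the obvious digit strings derivable from dates the owner is known by.
"""
from datetime import date
import string

ATTEMPTS_PER_DAY = 100                               # rate quoted in the article
ALNUM = len(string.ascii_letters + string.digits)    # 62: assumed alphabet for alphanumeric codes
SAMPLE_OWNER_DATES = [date(1990, 3, 15)]             # constructed sample: owner's date of birth


def days_to_exhaust(length: int, alphabet_size: int,
                    rate: int = ATTEMPTS_PER_DAY) -> float:
    """Worst case: every code of this length over this alphabet is tried."""
    return alphabet_size ** length / rate


def date_derived_candidates(known_dates) -> set:
    """Digit strings people commonly build from a date (assumed patterns).

    Covers day/month, month/day, year alone, and 6- and 8-digit combinations.
    """
    out = set()
    for d in known_dates:
        dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
        yy = yyyy[2:]
        out.update({
            dd + mm, mm + dd, yyyy,
            dd + mm + yy, mm + dd + yy, yy + mm + dd,
            dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd,
        })
    return out


def audit(passcode: str, known_dates) -> dict:
    """Report whether the passcode is date-derived and how long a full search takes."""
    alphabet = 10 if passcode.isdigit() else ALNUM
    return {
        "date_derived": passcode in date_derived_candidates(known_dates),
        "worst_case_days": days_to_exhaust(len(passcode), alphabet),
    }


if __name__ == "__main__":
    for code in ("1503", "150390", "847201", "Kx7pQ2"):
        print(code, audit(code, SAMPLE_OWNER_DATES))
```

A 4-digit code derived from a birthday is found in the dictionary phase before brute force even starts, while a random 6-digit code takes up to about 10,000 days at the quoted rate.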

Autonomous mode

Cellebrite brute-force unlocking used to require the phone to be left connected to the kit until it succeeded. Cellebrite Premium, however, provides an autonomous mode, where the phone can be disconnected once the attack is underway. This is because the kit manages to install the software running the attack directly on the iPhone itself, even though the phone is locked.

The kit runs an automatic dictionary attack on target devices. Because a target device can be disconnected from the Cellebrite Premium laptop once the attack is running, the automated brute-force process can run on multiple devices at once.

It is worth noting that Cellebrite attacks need physical access to your phone. This is in contrast with NSO's Pegasus spyware, which can be deployed remotely and includes zero-click options.