Cellebrite Unlocks the Apple® iOS 11 Operating System

Bill Siuru, Ph.D., PE

Smartphones, such as the Apple iPhone®, the Samsung Galaxy and other similar devices, are found everywhere today and are used by an immense segment of the population around the world.

It is estimated that over 90 percent of American adults use cell phones which store detailed information about their lives, relationships and daily habits. Unfortunately, this includes those involved in criminal enterprise, terrorism, drug and human trafficking, and other nefarious activities. Forensic retrieval of the data on these smartphones and other devices has become an important part of many investigations since it can provide footprints of a victim or suspect and reveal important details hidden in messaging, location information and other data. This information can be used to prevent and solve crimes and terrorist incidents, as well as provide key evidence which result in convictions.

Getting Through

People expect privacy when using digital devices, so manufacturers like Apple and Samsung make it increasingly more difficult for hackers to gain access to their products. These privacy safeguards also make the digital forensic expert’s job more difficult. Even if an unlocked smartphone is recovered, or if law enforcement is granted consent to do a search, because of enhanced embedded security measures, it may not be possible to do a complete file extraction. This is particularly true for the latest Apple iOS and Google Android devices. To date, the biggest challenge is gaining access to devices running Apple’s iOS 11 operating system; for example, on the iPhone 8 and iPhone X.

Cellebrite, with over 60,000 licenses in 150 countries, provides law enforcement, as well as military and intelligence agencies, with its digital intelligence solutions for investigations and operations globally. Its lawfully authorized examinations can access Apple devices running iOS 5 through iOS 11, including all iPhone, iPad®, iPad Pro®, iPad mini, and iPod touch® models. Its extraction capabilities also include Google Android devices, such as the Samsung Galaxy and Galaxy Note, and other popular devices from Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, and ZTE. This list is continuously updated.

Cellebrite’s ability to access the contents of a device running iOS 11 is surprising, considering this operating system’s release also introduced new security features which made it harder to break. This includes the SOS mode that disables Touch ID® which effectively prevents police from forcing a suspect to unlock their iPhone using a fingerprint.

Tricks of the Trade

As might be expected, Cellebrite doesn’t disclose how it is able to defeat iOS 11’s security. If it did, Apple would almost certainly attempt to patch the security flaw as quickly as possible. Generally speaking, to access a device, forensic experts look for flaws in the operating system. When they find one, they use it to break into the device. Thus, small details about unlocking methods would allow OEM device engineers to fix any flaws in the operating systems’ security and forensics companies would have to find another flaw. Cellebrite claims a 100 percent success rate in helping law enforcement globally access hundreds of devices.

When law enforcement has seized a locked and/or encrypted device it wants to access, they can either attempt an extraction using software in the law enforcement agency’s lab or they can use Cellebrite’s Advanced Unlocking and Extraction Services by sending the device by a trusted courier or hand carrying it to one of the Cellebrite Forensic Labs located around the globe.

Cellebrite’s Advanced Unlocking and Extraction Services retrieve data from complex devices by using trained Cellebrite forensic experts to perform the unlocking and/or extraction service with carefully controlled techniques which ensure the forensic integrity of the data. Court tested chain of custody procedures are maintained at all times. Any extracted data is sent typically within ten business days to the agency in encrypted form to ensure privacy and protect operational information. Under special circumstances, Cellebrite can provide Advanced Unlocking and Extraction Services onsite.

Alternatively, law enforcement agencies can then perform the extraction themselves on the unlocked device using Cellebrite’s Universal Forensic Extraction Device (UFED) solutions which are  small, portable computers which extract the entire contents of a device when physically connected by a cable, via Bluetooth® if within range or from a SIM card. Using prompts on the display screen, UFED allows investigators in the field or at the crime lab to extract contact lists, call history, text messages, social networking files, downloads, browser history, pictures and video, and Web browsing. The leading GPS enabled iOS and Android devices also store files on the user’s location when used.

In the Interest of Public Safety

In a recent interview with Forbes, Cellebrite’s Chief Marketing Officer Jeremy Nazarian talked about the broader benefits of unlocking digital intelligence for law enforcement. “There’s a public safety imperative here,” he told Forbes. “These capabilities are germane to homicide, crimes against children, drug gangs, major public safety threats in any community. We feel an obligation to those serving the public safety mission to ensure those capabilities are preserved, to the extent that they can be.”

Recent Developments

Around mid-June of this year, Apple announced that it was altering its iPhone settings in response to law enforcement’s ability to access the iOS operating system. Referred to as “USB Restricted Mode,” it was announced that Apple was changing the default settings of future versions of the iOS operating system – which cuts off communication through the USB port of a device which has not been unlocked during a period of 60 minutes. Doing so forces users to unlock their iPhone with a passcode when connecting it to a USB accessory each time the phone has not been unlocked for a period of one hour. The USB port is the standard cable connection interface through which companies such as Cellebrite and Grayshift connect devices in order to extract information. This new setting will be instituted in upcoming versions of the iOS operating system and it will be made permanent in a future conventional release. It has been speculated that this will allow law enforcement only one hour (or less) to access information, before the ability to connect through the USB port is automatically blocked. Needless to say, this is not the “final answer” as the cat-and-mouse game between competing technologies will undoubtedly continue.

Bill Siuru is a retired USAF colonel. He has a Ph.D. in mechanical engineering from Arizona State University. He has been writing about automotive, aviation and technology subjects for many years.


Cellebrite’s Textalyzer

Currently, texting while driving is illegal in 47 states and the District of Columbia. However, texting while driving is still rampant because the laws are hard to enforce. Using its smartphone unlocking and extraction experience, Cellebrite has developed the Textalyzer as a tool in the fight against distracted driving when drivers text, E-mail, browse social networks, or other things on their phone.

The Textalyzer, which is about the size of a tablet, would be used by law enforcement to extract information from the phone of a driver suspected of texting while driving. It doesn’t catch those texting in the act; however, like a Breathalyzer, the Textalyzer would be used by police after an accident to determine whether the driver was distracted by using a phone, thus contributing to the accident. Connected to the smartphone and without leaving the hands of the driver, the Textalyzer would extract every tap and click made in the minutes before the accident, but would provide nothing in the way of content or personal information, just definitive proof of whether or not the phone was being used during the period in question.

How could the Textalyzer reduce this dangerous practice? If drivers know that now police can determine if they were texting before an accident, they are less likely to do it, realizing that they are more likely to be found at fault and/or suffer additional legal and financial consequences.

Of course, privacy advocates say the Textalyzer represents an invasion of privacy. Currently, the only way police can find that out is with a search warrant allowing them to download data from a smartphone. The advocates maintain police should have to get a warrant to gain access. Celebrite says the Textalyzer only provides the touches and swipes, not anything about what was said in the texts or who it was said to or other information.

The Textalyzer is still in the prototype stage. Law enforcement won’t get a device like the Textalyzer until individual states pass legislation allowing its use.  Also, New York, New Jersey, Tennessee, and Chicago are considering legislation where refusal would lead to similar penalties as there are for refusing a portable breath test. The penalties for refusing that sobriety test are violations which would incur a fine or affect driving privileges, but are not criminal charges.