Small Australian Company Cracked The San Bernardino Shooter's iPhone For The FBI

from the well...-better-luck-next-time,-Cellebrite dept

Five years ago, the DOJ and Apple engaged in a courtroom fight over device encryption. The DOJ wanted Apple to craft a backdoor so the FBI could search a phone belonging to one of the San Bernardino shooters. It was a work phone owned by Syed Farook, who was killed during a shootout with law enforcement. That it was a work-issued phone suggested it wouldn’t contain much useful evidence or information. But the government insisted it would and attempted to secure an order forcing Apple to do what the DOJ wanted.

While everything still remained unsettled, the DOJ dropped the case after finding someone who could break into the phone. This small victory against device encryption was treated as a loss by many inside the FBI, who really would rather have had court precedent mandating compelled decryption. Ultimately, the millions of dollars spent trying to achieve this — including the $900,000-1.3 million spent on the exploit itself — meant nothing. There was no useful evidence recovered from Farook’s work phone.

Since then, there has been a lot of speculation about which phone cracking tech company provided the exploit to the FBI. It turns out to have been none of the usual suspects. Instead, as Ellen Nakashima and Reed Albergotti report for the Washington Post, it was a small Australian company that has flown under the radar until this point: Azimuth Security.

Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, “can pretty much look at a computer and break into it.” One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for “jailbreaking” or removing the software restrictions of an iPhone.

Now that it’s on the radar, Azimuth appears to have memory-holed its site. Azimuth is owned by L3 Harris, a US government contractor. But before it became a subsidiary of Harris, Azimuth was selling exploits to a very select number of government agencies. That its involvement in this very public fight over device encryption hasn’t been revealed until now suggests it works with a very small group of very trustworthy customers.

The exploit itself involved Apple’s Lightning port and code that allowed hackers to bypass internal security features that wipe the device after ten failed password attempts.

Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person.


Using the flaw Dowd found, Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device.

This is also the first we’re hearing about the exploit used to crack the phone. Azimuth reached out to the FBI and demonstrated the hack for it. Once it was determined it could be run safely, the FBI paid for the assistance with the understanding Azimuth would remain in possession of the code and details of the exploit.

But Apple was only a few court motions away from discovering what the public didn’t know and the DOJ has refused to divulge. In 2019, Apple sued David Wang’s company, Corellium — which sells virtual devices (including virtual iPhones) to developers and security researchers. According to Apple, the creation of virtual devices violated its copyright. Corellium’s first customer, Azimuth Security, was subpoenaed. It refused to answer questions citing national security concerns.

Apple also demanded information directly from Corellium, which might have turned up information on the iPhone exploit used in the San Bernardino case.

Last April, Apple also made a document request in the lawsuit for “all documents concerning, evidencing, referring to, or relating to any bugs, exploits, vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are, or have ever been, aware.”

Those employees included Wang. The request would have turned up Condor [the hack used to crack Farook’s iPhone].

This motion was denied and Apple’s copyright case tossed out by the judge, who found it “puzzling, if not disingenuous” Apple would claim virtual phones used to find security vulnerabilities somehow harmed iPhone sales (though the anti-circumvention part of the case lives on).

Speaking of “puzzling, if not disingenuous,” the FBI and DOJ continue their anti-encryption clamoring to this day, despite there being a number of options available to help investigators circumvent device encryption. In this case, Azimuth reached out to the FBI with a potential solution, showing there are plenty of smart people working for tech companies who want to help address the challenges raised by encryption. Just because Apple won’t make its devices less secure for every one of its users doesn’t mean the company doesn’t care and doesn’t want to help law enforcement. The FBI continues to insist the only solution is something that can be applied in every case. And, by doing that, the FBI shows it cares far less for the public’s safety and security than the handful of tech companies it continues to portray as its enemies.

Companies: apple, azimuth security, corellium, harris


Comments on “Small Australian Company Cracked The San Bernardino Shooter's iPhone For The FBI”

Koby (profile) says:

This motion was denied and Apple’s copyright case tossed out by the judge, who found it "puzzling, if not disingenuous" Apple would claim virtual phones used to find security vulnerabilities somehow harmed iPhone sales (though the anti-circumvention part of the case lives on).

A number of acquaintances of mine were Apple enthusiasts, and I remember at the time of this incident that they were rather hopeful that Apple products were nearly impenetrable. Then, we got news that the phone got cracked, and the enthusiasts were no longer so enthusiastic. Rather, they seemed resigned to the concept that the contents of their phone couldn’t be cracked by some off-the-street thief, but the 3-lettered U.S. agencies could do whatever they wanted.

Their constant purchases and upgrades to the latest model have dwindled since then.

This comment has been deemed insightful by the community.
That Anonymous Coward (profile) says:

"There was no useful evidence recovered from Farook’s work phone."

The tigers did not attack this time, but unless we purchase more tiger repelling rocks they MIGHT attack next time.

From the braintrust that has created more ‘home grown’ terrorists than actual terrorist groups, perhaps we need to stop treating them like they know what the hell they are doing.

Everyone ooohs and awwws when they roll up some poor sucker with an IQ of 75 they turned into a wanna be terrorist, but managed to be completely blindsided by every white nationalist terrorism incident that was openly planned & promoted and well let’s be honest a bunch of their colleagues attended those events.

Perhaps if they started stopping actual terrorists planning in the open, we might consider their requests to break encryption a bit more before telling them to fsck off.
But they can’t tell us how many locked phones they have, how many people walked because phones remained locked, how their entire agency failed to investigate all possibilities b/c oh here is a phone it’ll answer everything.

Anonymous Coward says:

Re: Re:

When the GOP was arguing that they had to fill the Supreme Seat, because the Dems would even if they couldn’t at the time, I made the point that it’s not a defense when one is standing over a dead body to say, "if he had a gun, he’d have shot me, so I had to shoot him first, even if he doesn’t own a gun".

Sometimes I feel like our entire intelligence apparatus operates under this modality.

That Anonymous Coward (profile) says:

Re: Re: Re:

It’s performative theatrics to impress Congress.
(DHS head replicating the bridge of the STTNG Enterprise as his office comes to mind).

They reward results, not attempts.
This explains why the FBI has a steady stream of ‘terrorist’ busts that fall apart when you look at how they groomed the person to become a terrorist so they could bust them.

The IRS audits little people, because the rich have money & can fight back. They are rewarded for wins not tries.
(plus them leaving & getting cushy jobs with those they should have jailed)

They hired insurance execs to run the programs to help citizens after disasters. No one told them they were supposed to run the main fund out of money helping people. Now they look for every little thing they can because (shakes his head) not actually helping people in desperate need & save us money!

They care about awesome blinky lights & that any spying on citizens exempts them.

I mean I listened to the Congress person whose district covered the Hamptons cheering for Trump running MS13 out of his district.
O_O How do you run out what was never there?
It was a performance piece to be accepted uncritically.

Notice they spent way more time on "going dark" than answering questions how the fsck they missed Jan 6th being planned IN THE OPEN.

Soundbites & Headlines rule the nation instead of reason & rational thought.

Abstinence Only doesn’t work but we still have it.

We demand people in 3rd world countries having survival sex not be informed about condom use or we cut off aid to them.

We donate prom dresses to disaster relief.

We need to stop giving everyone a ribbon for participating & start demanding basic common sense rule the day. Dumping a shitload of old clothes you were going to throw out to victims of a disaster doesn’t make you a good person, it makes you someone too lazy to deal with their own trash & then claim they helped those poor people.

Bobvious says:

Of course it happened ɹǝpu∩ uʍop

"Scientists. PI is EXACTLY equal to 3",

Must be the coriolis effect,

By forcing PI to be exactly 3, this leaves an almost 5% gap in the maths, allowing the government to get in through the back door,

Coming up next, all passwords must be variations of the last 20 digits of PI.
