Small Australian Company Cracked The San Bernardino Shooter's iPhone For The FBI
from the well...-better-luck-next-time,-Cellebrite dept
Five years ago, the DOJ and Apple engaged in a courtroom fight over device encryption. The DOJ wanted Apple to craft a backdoor so the FBI could search a phone belonging to one of the San Bernardino shooters. It was a work phone issued to Syed Farook, who was killed in a shootout with law enforcement. That it was a work-issued phone (his personal phones had been destroyed) suggested it wouldn't contain much useful evidence. But the government insisted it would and sought a court order forcing Apple to do what the DOJ wanted.
While the legal question remained unsettled, the DOJ dropped the case after finding someone who could break into the phone. This small victory against device encryption was treated as a loss by many inside the FBI, who would much rather have had court precedent mandating compelled decryption. Ultimately, the millions of dollars spent trying to achieve this, including the $900,000 to $1.3 million reportedly paid for the exploit itself, bought nothing of value: no useful evidence was recovered from Farook's work phone.
Since then, there has been a lot of speculation about which phone-cracking company provided the exploit to the FBI. It turns out to have been none of the usual suspects. Instead, as Ellen Nakashima and Reed Albergotti report for the Washington Post, it was a small Australian company that had flown under the radar until now: Azimuth Security.
Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, “can pretty much look at a computer and break into it.” One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for “jailbreaking” or removing the software restrictions of an iPhone.
Now that it's on the radar, Azimuth appears to have memory-holed its website. Azimuth is owned by L3Harris, a US defense contractor. But before it became a subsidiary, Azimuth was selling exploits to a very select set of government agencies. That its involvement in this very public fight over device encryption went unrevealed for five years suggests it works with a small group of customers who keep their mouths shut.
The exploit itself went in through the Lightning port and gave the attackers enough control of the phone's software to sidestep Apple's optional auto-erase setting, which wipes the device after ten failed passcode attempts. That wipe (and the escalating delays between guesses) is the only thing standing between a short numeric passcode and a straightforward brute-force attempt, which is exactly why the FBI wanted Apple to remove it.
Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person.
Using the flaw Dowd found, Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device.
This is also the first we're hearing about how the phone was actually cracked. Azimuth approached the FBI and demonstrated the chain for it. Once the FBI was satisfied that running the exploit on Farook's phone wouldn't destroy the data it was after, it paid for the assistance with the understanding that Azimuth would retain the code and the details of the exploit. With that level of control over the device, the attempt counter and wipe can be disabled and the passcode simply tried until it works, which is what made Apple's cooperation unnecessary.
But Apple came within a few court motions of discovering what the public didn't know and what the DOJ has refused to divulge. In 2019, Apple sued Corellium, a company David Wang co-founded that sells virtual devices (including virtual iPhones) to developers and security researchers. According to Apple, creating those virtual devices violated its copyright. Corellium's first customer, Azimuth Security, was subpoenaed. It refused to answer questions, citing national security concerns.
Apple also demanded information directly from Corellium, a request that might well have surfaced the iPhone exploit used in the San Bernardino case.
Last April, Apple also made a document request in the lawsuit for “all documents concerning, evidencing, referring to, or relating to any bugs, exploits, vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are, or have ever been, aware.”
Those employees included Wang. The request would have turned up Condor [the hack used to crack Farook’s iPhone].
That request was denied, and Apple's copyright claims were tossed out by the judge, who found it "puzzling, if not disingenuous" that Apple would claim virtual phones used to find security vulnerabilities somehow harmed iPhone sales (the DMCA anti-circumvention part of the case lives on).
Speaking of "puzzling, if not disingenuous," the FBI and DOJ continue their anti-encryption clamoring to this day, despite the options available to investigators for getting around device encryption. In this case, Azimuth came to the FBI with a solution on its own initiative, showing there are plenty of capable people in the security industry willing to help with the challenges encryption poses to investigators. Apple's refusal to make its devices less secure for every one of its users doesn't mean the company doesn't care or won't help law enforcement. The FBI continues to insist the only acceptable solution is one that works in every case. By doing so, it shows it cares far less about the public's safety and security than the handful of tech companies it continues to portray as its enemies.