The Celebrite iPhone Cracking Kit allows the company’s customers to access almost all personal data stored on the phone – in some cases, even if the phone is locked.
But the exact capabilities depend on both the model of the iPhone and the version of iOS it is running. We managed to get access to the user documentation for the most recent version of the kit to see what it can do…
background
Celebrite makes a range of hardware and software kits designed to unlock both iPhone and Android smartphones and remove most of the data on them.
Some versions are sold to commercial companies, while Celebrite Premium is – in theory – sold only to law enforcement agencies. However, the exact situation is not clear. For example, the company recently disclosed that it has more than 2,800 US government customers, many of which do not fall within what one would typically consider ‘law enforcement’.
U.S. Fish and Wildlife Service investigators often work to thwart a variety of environmental crimes, from illegal deforestation to unlicensed hunting. While these are actual crimes, they are not typically associated with aggressive phone hacking tools. But fish and wildlife agents are among an increasingly broad group of government employees who can now break into encrypted phones and siphon off piles of data with technology purchased from surveillance company Celebrite. […]
The list includes many people who appear to be away from intelligence collection or law enforcement, such as the Departments of Agriculture, Education, Veterans Affairs and Housing and Urban Development; Social Security Administration; US Agency for International Development; and the Centers for Disease Control and Prevention.
Other Cellebrite customers include bluechip companies that want to conduct internal investigations, and cybersecurity companies.
Celebrite Premium Kit
The flagship phone cracking kit offered by the company is known as Celebrite Premium. It is a hardware and software package that includes:
- Celebrite Premium Laptop with pre-installed software
- android adapter
- iOS Adapter
- iOS Adapter (AFU version, for use after the phone is turned off)
- A complete set of cables and carry bags
- A hardware license dongle, without which the software will not run
The software allows users to extract either specific target data (for example, messages or photos) or the entire file system, which includes almost all user data, including Keychain passwords, which then allows the user to access most of the services you use. gives the ability to reach Here’s what the company says about it:
By performing full-file system and physical extraction, you can retrieve much more data than is possible via logical extraction, and access highly protected areas such as the iOS Keychain or Secure Folder.
Accessing third party application data, stored passwords and tokens, chat conversations, location data, email attachments, system logs, as well as deleted content, increases the chances of finding incriminating evidence.
Celebrite iPhone Cracking Capabilities
Back in February, the company kept its most advanced capabilities in-house, but the webpage related to it has disappeared, and it appears from the documentation we reviewed that Celebrite Premium can now do everything that CAS used to do. .
We should note that the documents we have obtained pre-date the launch of the iPhone 13, and at the time the company apparently had no ability to access the iPhone 12.
Full access even when locked with any supported iOS version
Celebrite Premium can unlock and access the full file system of the following models of phones even when protected by a passcode, the unlocking time depends on the complexity of the passcode. It doesn’t matter which supported iOS version the phone is running – the company can unlock the device and access everything.
- iphone 4s*
- Iphone 5*
- Iphone 5s*
- Iphone 6
- iphone 6s
- iPhone SE
- iPhone 7
- iphone 8
- iphone x
*Interestingly, these three models require in-house unlocking if they’re running iOS 5 or iOS 6, while Celebrite Premium allows customers to unlock the device directly if they’re running iOS 7 or later.
The reason why these models are cracked regardless of iOS version is because of unrecoverable vulnerabilities in these models. One of these was exposed with the checkm8 exploit, and the second flaw was discovered in Secure Enclave later that year. It also cannot be patched.
Full access even when locked with older iOS versions
There are three models of iPhone the kit can unlock if they are running any version of iOS up to iOS 13.7.
- iphone xr
- iphone xs
- iphone 11
Full access with passcode only
The same three models running iOS 14 or iOS 15 cannot be unlocked by the company with Sailbright Premium or the company’s in-house resources. However, if the client has the phone’s passcode, then full access to the file system is available.
- iPhone XR (iOS 14 or 15)
- iPhone XS (iOS 14 or 15)
- iPhone 11 (iOS 14 or 15)
Law enforcement may or may not have the necessary power to compel a suspect to reveal their passcode – depending on the country and jurisdiction.
Brute-force unlocking is too time-consuming
Unlocking devices requires the kit to brute-force a passcode. This relies on being able to disable lockout as Apple applies repeated passcode attempts, but is still a slow process due to the delays imposed before complete lockout.
The company warns that the process can be very time-consuming, with one example in the user guide referencing a rate of slightly over 100 attempts per day.
However, the kit allows users to enter any personal data they have for the phone owner, such as the date of birth, and other important dates, such as a significant other’s birthday. These would be used to generate the initial effort, before resorting to brute force. This information underscores the importance of protecting relatively insignificant personal data.
autonomous mode
Cellbrite brute-force unlocking requires the phone to be connected to the kit until it succeeds. However, Cellebrite Premium offers an autonomous mode where the phone can be disconnected after an attack. This is because the kit manages to install the software running the attack directly on the iPhone itself, even if the phone is locked.
Celebrite’s autonomous bruteforce capability triggers an automated dictionary attack directly on the device. Once the process is started, the target device can be disconnected from Celebrite Premium, therefore allowing autonomous bruteforce to run the process on multiple devices simultaneously.
It’s worth noting that all Sailbrite attacks require physical access to the phone, unlike the NSO Pegasus spyware, which can be deployed remotely, including zero-click options.
FTC: We use income generating auto affiliate links. More.
For more Apple news, check out 9to5Mac on YouTube:
Source
