An Australian security specialist firm has been named as the company that succeeded in unlocking the iPhone 5C used by the perpetrator of the 2015 San Bernardino mass shootings, resolving an escalating conflict between Apple and the US government in the process.
That attack, in which 14 people were killed and 22 others injured in the Californian city, was a significant episode in the US Government’s ongoing fight against domestic terrorism and, at the time, was the deadliest mass shooting in that country since the September 11 attacks 14 years earlier.
The perpetrators died in a shootout with police, which left FBI investigators struggling to access the contents of an iPhone 5C that was believed to hold invaluable details about their connections to Middle East terrorists.
Early requests to Apple for help in unlocking the phone, however, were met with resistance as the company had pushed the security of its devices as a key selling point.
After months of back-and-forth, and a day before a scheduled hearing regarding a potential court order to mandate the phone be unlocked, the FBI withdrew its efforts on advice that it had found a third party capable of unlocking the iPhone 5C.
Despite rumours that security firm Cellebrite had helped the FBI, the true identity of that party was never known until now – and a new report in the Washington Post has named Sydney-based white-hat security firm Azimuth Security.
The company, whose web site advertises “cutting edge security expertise for an uncertain world”, was purchased by major defence contractor L3 Technologies in 2018.
The company’s blog, which has not been updated since late 2015, hints at the firm’s intense scrutiny of iOS and Apple’s evolving protections to prevent backdoor access to the devices.
One post described a pseudo-random number generator (PRNG), introduced in iOS 6 to protect against a number of known iOS exploits, that “had a serious defect in that the outputs were well-correlated”. This meant, the company noted, that “an unprivileged attacker, even when confined by the most restrictive sandbox, can recover arbitrary outputs from the generator and consequently bypass all the exploit mitigations that rely on the early random PRNG.”
Such work meant that founder Mark Dowd and security researcher David Wang, who had been collecting potential exploits for iOS long before the San Bernardino shooting, recognised the potential value of the exploits to the FBI investigation.
Wang’s experience in bypassing iOS protections meant he was able to gain direct access to the iPhone’s core architecture – allowing him to develop an exploit chain, which he named ‘Condor’, that bypassed the Apple feature that erases the phone after 10 incorrect PIN attempts.
This allowed the tool to try all 10,000 possible four-digit codes that the shooter could have used to secure his phone. After several successful tests on other iPhone 5Cs, the exploit was ultimately purchased by the FBI for $1.18m ($US900,000) and used to unlock the phone.
The FBI ultimately discovered little of use on the phone, which primarily contained work information, but the episode fuelled an ongoing global debate about whether governments should be able to compel companies like Apple to provide backdoors for emergency access to their devices.
Even though CEO Tim Cook had previously expressed concern about “dangerously ambiguous” Australian laws that could mandate such activity, Apple has reportedly softened its stance in recent years, mothballing a technology that would have allowed for the complete encryption of device backups in iCloud accounts.