A new report from the Washington Post revealed that the FBI partnered with Azimuth Security, an Australian security firm, to access an iPhone linked to the 2015 San Bernardino attack. The method the FBI used to get into iPhone was kept secrete previously. It was cleared that Apple was not involved as the company had refused to build a backdoor into the phone. The company kicked off a legal battle that came to an end only when the FBI successfully hacked the phone.
How the FBI managed to hack the iPhone?
At the center of the fight, the phone was seized after its owner, Syed Rizwan Farook, carried an attack that killed 14 people. The FBI was trying to get into the phone but could not do because of the iOS 9 feature after a certain number of failed password attempts that would erase the phone. Apple attempted to help the FBI in other ways but didn’t build a passcode bypass system for the FBI as it would permanently reduce the phone’s security.
It was believed that Apple’s security had been profoundly compromised after the FBI managed to access the phone. The exploit was simple, according to The Washington Post. Azimuth found a way to guess the passcode as many times as it wanted without the phone being erased. In a matter of hours, the FBI got into the phone.
The technical details of how the auto-erase feature was bypassed are interesting. The two Azimuth employees who gained access to the phone reported the actual hacking by exploiting a vulnerability written by Mozilla in an upstream software module. As per reports, that code was used by Apple in iPhones to give the authority to use accessories with the Lightning port.
Once the hackers gained the initial access, they were able to chain together two more exploits, and they got complete control over the central processor, allowing them to run their code. Then the hackers could write and test software that guessed every passcode combination, and any other systems that would erase or lock the phone were ignored. In the end, the FBI didn’t get much information from the phone.