Skip to main content

Here’s how the FBI managed to get into the San Bernardino shooter’s iPhone

Here’s how the FBI managed to get into the San Bernardino shooter’s iPhone

/

An Australian firm helped hack into the device, starting with a Lightning port exploit

Share this story

Illustration by Alex Castro / The Verge

The FBI partnered with an Australian security firm called Azimuth Security to gain access to an iPhone linked to the 2015 San Bernardino shooting, a new report from The Washington Post reveals. Before now, the methods the FBI used to get into the iPhone were kept secret. It was only clear that Apple wasn’t involved, as the company had refused to build a backdoor into the phone, kicking off a legal battle that only ended after the FBI successfully hacked the phone.

The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, perpetrated an attack that killed 14 people. The FBI attempted to get into the phone but was unable to due to the iOS 9 feature that would erase the phone after a certain number of failed password attempts. Apple attempted to help the FBI in other ways but refused to build a passcode bypass system for the bureau, saying that such a backdoor would permanently decrease the security of its phones.

After the FBI announced that it had gained access to the phone, there were concerns that Apple’s security could have been deeply compromised. But according to The Washington Post, the exploit was simple: Azimuth basically found a way to guess the passcode as many times as it wanted without erasing the phone, allowing the bureau to get into the phone in a matter of hours.

The technical details of how the auto-erase feature was bypassed are fascinating. The actual hacking was reportedly done by two Azimuth employees who gained access to the phone by exploiting a vulnerability in an upstream software module written by Mozilla. That code was reportedly used by Apple in iPhones to enable the use of accessories with the Lightning port. Once the hackers gained initial access, they were able to chain together two more exploits, which gave them full control over the main processor, allowing them to run their own code.

After they had this power, they were able to write and test software that guessed every passcode combination, ignoring any other systems that would lock out or erase the phone. The exploit chain, from Lightning port to processor control, was named Condor. As with many exploits, though, it didn’t last long. Mozilla reportedly fixed the Lightning port exploit a month or two later as part of a standard update, which was then adopted by the companies using the code, including Apple.

In the end, not much happened as a result of the effort. The FBI reportedly didn’t get any useful information from the phone, and the bureau never got to set a legal precedent about whether the government could compel companies to compromise the security of their devices. In 2017, a judge ruled that the FBI didn’t have to reveal how it had gotten into the iPhone, or who had helped it, due to concern that the mystery firm would face cybersecurity attacks as backlash for helping the FBI if its identity was made public.