An exclusive new report today from the Washington Post claims to have the details about how the FBI was able to crack the iPhone 5C in the San Bernardino case, who the little-known security firm was that it used, and how Apple has ended up suing a company co-founded by one of the hackers that cracked the iPhone.
Fascinating new details have been allegedly uncovered by the Washington Post about the intense battle between the FBI and Apple over the San Bernardino case. As a refresher, after the terrorist attack, the FBI asked Apple to unlock an iPhone 5C that was used by one of the shooters. Apple gave the FBI the information it had but said it wouldn’t create a backdoor into iOS to fully unlock the device as it would compromise the security of all iPhone users.
In the end, the FBI was able to get the iPhone 5C unlocked by a third party, however, the firm was never known. Cellebrite is one of the most well-known security firms that regularly works with law enforcement and governments to crack devices – and it was floated as the one who helped the FBI. But WP’s anonymous sources helped it uncover that it was actually a little-known white-hat Australian security firm called Azimuth.
At the time, the challenge of breaking into the iPhone 5C in the San Bernardino case was getting around the new iOS feature that erased the device after 10 incorrect passcode attempts. Azimuth ended up discovering an exploit chain that started with a Mozilla/Lightning port vulnerability.
Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters. Founder Mark Dowd, 41, is an Australian coder who runs marathons and who, one colleague said, “can pretty much look at a computer and break into it.” One of his researchers was David Wang, who first set hands on a keyboard at age 8, dropped out of Yale, and by 27 had won a prestigious Pwnie Award — an Oscar for hackers — for “jailbreaking” or removing the software restrictions of an iPhone.
The remaining parts of the exploit chain were uncovered after the FBI reached out to Azimuth.
Azimuth specialized in finding significant vulnerabilities. Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person. He found it even before Farook and his wife opened fire at the Inland Regional Center, and thought it might be useful at some point to develop into a hacking tool. But Azimuth was busy at the time with other projects.
David Wang was able to find and use two more exploits to work with the original one that Dowd had found “giving him full control over the phone’s core processor.”
Two months after the attack, Comey testified to Congress that investigators were still unable to unlock the terrorist’s iPhone. Seeing the media reports, Dowd realized he might have a way to help. Around that time, the FBI contacted him in Sydney. He turned to 30-year-old Wang, who specialized in exploits on iOS, the people said.
In March 2016, the FBI tested Dowd and Wang’s “Condor” hack. It was successful and was purchased from Azimuth for $900,000. The report notes that while the FBI was relieved, they were also disappointed at losing the chance to press Apple to create a backdoor into iOS.
From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.
Wang and Dowd tested the solution on about a dozen iPhone 5Cs, including some bought on eBay, the people said. It worked. Wang dubbed the exploit chain “Condor.”
Very interestingly though, that’s not the end of the story. David Wang of Azimuth ended up going on to be the co-founder of a new research company, Correlium that offers researchers software to virtualize iOS.
They knew they were losing an opportunity to have a judge bring legal clarity to a long-running debate over whether the government may compel a company to break its own encryption for law enforcement purposes.
Apple filed a lawsuit back in 2019 against Corellium over a claim of selling “perfect replicas” of iOS and profiting “off its blatant infringement.” For its part, Corellium said Apple was attempting to “eliminate public jailbreaks” and that all security researchers, developers, and jailbreakers should be concerned.
In December 2020, Apple lost that lawsuit against Corellium with the judge ruling that the iOS virtualization was within fair use.
Interestingly, Apple pushed in the Corellium lawsuit to get more information about Azimuth.
Then in April 2020, Apple also requested:
In 2019, Apple sued Corellium for copyright violation. As part of the lawsuit, Apple pressed Corellium and Wang to divulge information about hacking techniques that may have aided governments and agencies like the FBI.
Apple subpoenaed Azimuth, Corellium’s first customer, according to court documents. Apple wanted client lists from Azimuth, which is now owned by L3 Harris, a major U.S. government contractor, that might show malign entities. L3 and Azimuth said they were “highly-sensitive and a matter of national security,” according to court documents.
That request was denied but very notably would have revealed project Condor.
[a]ll documents concerning, evidencing, referring to, or relating to any bugs, exploits, vulnerabilities, or other software flaws in iOS of which Corellium or its employees currently are, or have ever been, aware.
Notably, while Apple lost the first lawsuit it brought against Corellium, it may appeal that ruling and has already filed another claim about the research firm illegally bypassing Apple’s security.
During a deposition, Apple questioned Wang about the morality of selling exploits to governments, according to court records. A lawyer pressed him during the deposition on whether he was aware of any bugs that were not reported to Apple but were later found by malicious hackers.
Apple “is trying to use a trick door to get [classified information] out of him,” Corellium attorney Justin Levine said, according to a transcript. Corellium declined to comment for this story.