Here’s how the FBI managed to get into the San Bernardino shooter’s iPhone


The FBI partnered with an Australian security company called Azimuth Security to access an iPhone linked to the 2015 San Bernardino shooting, a new report from The Washington Post reveals. Previously, the methods the FBI used to access the iPhone were kept secret. It was only clear that Apple was not involved, as the company had refused to build a back door into the phone, sparking a legal battle that only ended after the FBI successfully hacked the phone.

The phone at the center of the fight was seized after its owner, Syed Rizwan Farook, committed an attack that killed 14 people. The FBI tried to get into the phone but couldn’t because of the iOS 9 feature that would wipe the phone after a certain number of failed passcode attempts. Apple tried to help the FBI in other ways, but refused to build a passcode bypass system, saying such a back door would permanently reduce the security of its phones.

After the FBI announced it had gained access to the phone, there were concerns that Apple’s security might have been seriously compromised. But according to The Washington Post, the exploit was simple: Azimuth basically found a way to guess the passcode as many times as it wanted without erasing the phone, allowing the agency to get into the phone in a matter of hours.

The technical details of how the auto-erase feature was bypassed are fascinating. The actual hacking was reportedly done by two Azimuth employees who gained access to the phone by exploiting a vulnerability in an upstream software module written by Mozilla. That code was reportedly used by Apple in iPhones to enable the use of accessories with the Lightning port. After the hackers gained initial access, they were able to chain two more exploits together, giving them full control over the main processor and allowing them to run their own code.

Having this power, they were able to write and test software that would guess every passcode combination while ignoring the other systems that would lock or wipe the phone. The exploit chain, from Lightning port to processor control, was called Condor. However, as with many exploits, it didn’t last long. Mozilla reportedly fixed the Lightning port vulnerability a month or two later as part of a standard update, which was then adopted by the companies using the code, including Apple.

In the end, not much came of the effort. The FBI reportedly did not get any useful information from the phone, and the agency was never able to set a legal precedent as to whether the government could force companies to compromise the security of their devices. In 2017, a judge ruled that the FBI did not need to disclose how it got into the iPhone, or who helped it, out of concern that the mystery company would face cyberattacks in retaliation for helping the FBI if its identity were made public.