There is something of an unwritten rule in high technology that security bugs should be reported to the manufacturer before they are made public. That makes sense. Even Google’s famous team of bug researchers gives notice before it makes a vulnerability or exploit public. Many technology companies even pay a bounty to hackers who find flaws so they can be fixed.
Think of that as finding flaws for profit.
Cellebrite is a company known for its ability to hack into smartphones, specifically Apple’s highly secure iPhone. Thomas Fox-Brewster explains what Cellebrite can unlock:
“That included devices running the latest Apple operating system iOS 11.2.6, and the newest models, the iPhone 8 and X.”
Cellebrite won’t say. Why not? You can guess the reasons. They charge money to unlock devices.
Cellebrite doesn’t want to give up the secrets that are at the very core of its value to law enforcement and forensics specialists, who want consistent access to iPhones, or any smartphone that potentially holds vital evidence.
If Apple knew what Cellebrite knows, it would find the same vulnerabilities and exploits, and then close them up tight. If the F.B.I. or other authorities knew what Cellebrite knows, they could unlock iPhones and other smartphones with ease.
Give up any details, ones that Apple’s security technicians can latch onto to develop fixes, and the company risks kissing goodbye to its unique unlocking capabilities.
See? The company hides any iPhone flaws it finds so it can grow revenue and profit.
How is Cellebrite able to crack into iPhones and other devices? Many in the security arena have guesses, including Apple’s engineers, but the most widely considered possibility involves hacking into the iPhone’s Secure Enclave. Ryan Duff of Point3 Security explains the benefits of a longer alphanumeric password vs. a shorter password:
“While this would allow them to guess any six-digit numerical passcode in less than 23 hours, it would take more than five and a half years to try all combinations of a six-character alphanumeric passcode with just lowercase letters and numbers.”
In short, letters are better than numbers.
It is possible that Cellebrite has another way to crack into an iPhone’s famed security apparatus and isn’t telling. Regardless, the math is on your side. A four-digit numeric password is an easy hack. Ditto for a six-digit numeric password. But a longer password with a mix of upper and lowercase letters is a monster to hack into.
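The arithmetic behind those figures, as an added example (not code from this article or from anyone it quotes). It assumes a constant guess rate derived from the quoted 23-hour bound for six-digit passcodes, and generalizes to other alphabets and lengths; the alphabet labels and function names are this example's own.

```python
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR

# Assumption: a constant guess rate, derived from the figure quoted above
# (all 10**6 six-digit passcodes tried in 23 hours). Not a measured value.
GUESSES_PER_SECOND = 10**6 / (23 * SECONDS_PER_HOUR)

# Alphabet sizes for the passcode styles discussed (labels are illustrative).
ALPHABETS = {"digits": 10, "lowercase+digits": 36, "mixed-case letters": 52}


def exhaust_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every passcode of exactly this length."""
    return alphabet_size ** length / rate


def min_length(alphabet_size, target_years, rate=GUESSES_PER_SECOND):
    """Shortest length whose whole keyspace takes at least target_years."""
    needed_guesses = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while alphabet_size ** length < needed_guesses:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (4, 6, 8):
            worst = exhaust_seconds(size, length)
            # On average the right passcode turns up after half the keyspace.
            print(f"{name:20} len {length}: worst {human(worst)}, "
                  f"average {human(worst / 2)}")
        print(f"{name:20} needs length {min_length(size, 5.5)} "
              f"to last 5.5 years")
```

At this rate a digits-only passcode needs ten digits to match what six lowercase letters and numbers provide.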
Unless the hackers know something nobody else knows. They’re not saying. Neither is anyone else. And the F.B.I. has been rather quiet on the subject recently.