Cellebrite’s iPhone Jailbreak Kit allows customers to access virtually all personal data stored on an iPhone, even when the phone is locked. Recently, the 9to5Mac site obtained user documentation for a recent version of the Cellebrite Premium toolkit, which shows how it works.
Cellebrite is well known as the company that creates a series of hardware and software suites designed to unlock both iPhones and Android smartphones, and extract most of the data on them.
Some versions of the tool are sold to commercial companies, while Cellebrite Premium is – in theory – only sold to law enforcement agencies. However, this is still not clear. For example, the company recently revealed that it has more than 2,800 US government customers, but many of those clients are not what is commonly thought of as ‘law enforcement.’
“U.S. Fish and Wildlife Service investigators work to prevent a wide variety of environmental crimes, from illegal deforestation to unlicensed hunting. Bureau of Fish and Wildlife agents are among a growing number of government employees who can now access encrypted phones and collect data using technology purchased from the company Cellebrite” according to information from Cellebrite’s documentation.
According to 9to5Mac, the list also includes many agencies that do not appear to be part of intelligence collection or law enforcement, such as the departments of Agriculture, Education, Veterans Affairs, and the Department of Housing and Urban Development; the Social Security Administration; the Centers for Disease Control and Prevention,…
Other Cellebrite clients include cybersecurity firms and blue-chip companies that want to conduct internal investigations.
The leading phone jailbreak kit offered by the company is called Cellebrite Premium. Here is the bundled hardware and software:
- Cellebrite Premium Laptop with pre-installed software
- Android Adapter
- iOS Adapter
- iOS Adapter (AFU version, for use after the phone has been powered off)
- A set of cables and carrying bag
- A proprietary licensed adapter, without which the software will not run
The software allows users to extract specific data (e.g. messages or photos) or system files, which contain almost all user data – including Keychain passwords.
Cellebrite’s iPhone Jailbreak Ability
Until February 2022, the company kept its most advanced tools private, but according to the document obtained by 9to5Mac, Cellebrite Premium can now do everything that CAS (Cellebrite Advanced Services) used to do.
9to5Mac notes that the document they obtained predates the iPhone 13 launch date, and at the time, Cellebrite also didn’t appear to have the ability to jailbreak the iPhone 12.
Cellebrite Premium can unlock and access the system of the following iPhone models even when protected with a passcode, with the unlocking time depending on the complexity of the passcode. It doesn’t matter what iOS version the iPhone is running – the tool can unlock the device and access everything.
- iPhone 4s*
- iPhone 5*
- iPhone 5s*
- iPhone 6
- iPhone 6S
- iPhone SE
- iPhone 7
- iPhone 8
- iPhone X
*Needs to be sent to the company for internal unlocking using the CAS service if they are running iOS 5 or iOS 6, while Cellebrite Premium allows customers to unlock the device directly if running iOS 7 or later.
These iPhones can be jailbroken regardless of the iOS version because of their unpatchable security holes. One of these was revealed by checkm8 and another was discovered in the Secure Enclave in late 2020.
In addition, the kit can unlock the following three iPhone models if they are running any version of iOS up to iOS 13.7.
- iPhone XR
- iPhone XS
- iPhone 11
Jailbreaking relies on brute force and is very time-consuming
Unlocking devices requires a brute-force attack on the passcode. The company warns that the process can be very time-consuming, with one example in the user manual mentioning a rate of just over 100 attempts per day.
However, the toolkit allows users to enter any personal data they know about the phone’s owner, such as birthdays and other important dates. These will be used to generate initial attempts, before resorting to brute-force.
The usual Cellebrite brute-force attack requires the phone to stay connected to the kit until it succeeds. However, Cellebrite Premium offers an automatic mode where the phone can be removed from the tool while the jailbreak is in progress. This is because the toolkit is capable of installing software that runs brute-force attacks directly on the iPhone itself, even when the phone is locked.
All attacks using Cellebrite’s tool require physical access to the phone, unlike the NSO Pegasus spyware, which can be deployed remotely.