How Powerful is the FBI’s Tool For Unlocking iPhones?

The FBI’s revelation that an “outside party” had shown it how to break into the iPhone used by one of the assailants in the San Bernardino, California, shootings ended the US agency’s legal showdown with Apple, which otherwise might have had to comply with a court order to write a special operating system to unlock the phone.

But it also raised several questions: Did the FBI indeed get help from Cellebrite, an Israeli forensics technology firm, as one Israeli newspaper reported? What Apple devices can the agency now access? And how will it use that access in the future?

How the FBI proceeds in two other court cases, one in Arkansas and the other in Brooklyn, might lead to some answers.

The San Bernardino phone was an iPhone 5c, which means it didn’t contain an extra element called the Secure Enclave, essentially a computer-within-a-computer that reduces reliance on the phone’s software security. That was introduced in the subsequent model, the iPhone 5s. Therefore, the FBI’s ability to bypass security on the San Bernardino shooter’s phone wouldn’t say anything about its ability to deal with phones bearing the Secure Enclave feature.

And that’s where the Arkansas and Brooklyn cases come in. In Arkansas, county prosecutors have asked the agency for help unlocking an iPhone and an iPod with possible ties to a homicide case there. While the FBI would not confirm whether it’s providing assistance, the prosecuting attorney who made the request told the Associated Pressthat it took the FBI less than a day to agree to help.

The Arkansas phone is an iPhone 6. Then there’s the Brooklyn matter, involving an iPhone 5S seized in the course of a drug investigation. A federal magistrate declined to order Apple to help the government bypass the phone’s security, but the case is now on appeal.

So now there are at least two phones with Secure Enclave that the FBI either wants to access or has been asked to help access.

It should be noted, even iPhones with Secure Enclaves have been defeated by off-the-shelf hacking tools. A $200 tool called IP Box hasbroken into an iPhone 5s. Another tool, called the MFC dongle, has been shown working on an iPhone 6.

What these tools can’t do is defeat newer versions of the iOS operating system. Neither tool works on iOS 8.1 and above. The Brooklyn phone runs iOS 7, which wouldn’t present a problem. But the San Bernardino phone runs iOS 9, which means the FBI can do better than the current off-the-shelf tools. It’s not known what version of iOS is running on the Arkansas phone, although iPhone 6 shipped with iOS 8.

One way to compromise the iPhone’s security is by starting it up with different software loaded. Similar vulnerabilities have been used in older models to “jailbreak” iPhones, said Dominic Chell, whose UK-based firm MDSec documented the IP Box hack working successfully. A piece of software called limera1n was used on iOS 4 in the past, he said. “This would allow you to load a custom firmware and brute force”—or systematically guess—”the user’s passcode,” he said.

The FBI is being cagey about the Arkansas case. A statement from the agency notes: “At the time of the request, no information was provided regarding the device models or operating systems, so FBI Little Rock was not able to state if they would be able to provide assistance.” That doesn’t rule out the possibility that it agreed to help sometime after the time of the request. In any case, the FBI says it does not currently have possession of the devices involved in the matter.

But if in fact it has agreed, or will agree, to help, then the agency probably is confident that it has a good shot at cracking a phone equipped with Apple’s best security tools: both Secure Enclave and one of the newer versions of iOS.