How Azimuth cracked the San Bernardino iPhone

From the Washington Post’s “The FBI wanted to unlock the San Bernardino shooter’s iPhone. It turned to a little-known Australian firm” posted Wednesday:

All sophisticated software contains “bugs” or flaws that cause computer programs to act in unexpected ways. Not all bugs are significant, and on their own they don’t pose a security risk. But hackers can seek to take advantage of certain bugs by writing programs called exploits. Sometimes they combine a series into an “exploit chain” that can knock down the defenses of a device like the iPhone one-by-one.

Azimuth specialized in finding significant vulnerabilities. [Founder Mark] Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person. He found it even before Farook and his wife opened fire at the Inland Regional Center, and thought it might be useful at some point to develop into a hacking tool. But Azimuth was busy at the time with other projects.

Two months after the attack, Comey testified to Congress that investigators were still unable to unlock the terrorist’s iPhone. Seeing the media reports, Dowd realized he might have a way to help. Around that time, the FBI contacted him in Sydney. He turned to 30-year-old Wang, who specialized in exploits on iOS, the people said.

Using the flaw Dowd found, [Yale dropout David] Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device. From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.

Wang and Dowd tested the solution on about a dozen iPhone 5Cs, including some bought on eBay, the people said. It worked. Wang dubbed the exploit chain “Condor.”

In mid-March, Azimuth demonstrated the solution at FBI headquarters, showing Comey and other leaders how Condor could unlock an iPhone 5C. Then, one weekend, the FBI lab did a series of forensic tests to be sure it would work without destroying data. The tests were all successful, according to the people. The FBI paid the vendor $900,000, according to remarks by Sen. Dianne Feinstein (D-Calif.) in May 2017.

My take: Four exploits, brute force and a $900,000 reward. That’s what it took to crack a 2015-era iPhone 5C.


  1. Gregg Thurman said:
    Apple erred by not having a formal program that rewarded hackers for revealing exploits. It wasn’t until after the San Bernardino shooting and the subsequent unlocking of the suspect’s iPhone that Apple introduced such a program.

    Since then we haven’t heard from hackers publicly revealing exploits they have discovered.

    April 15, 2021
  2. Jerry Doyle said:
    ….. “If Apple wants to make their phones more secure against these government-affiliated bug hunters, then they should make their phones more secure,” said Matthew D. Green, a computer scientist at Johns Hopkins University, who has led research that found holes in Apple’s encryption. “They shouldn’t be going after people in a courtroom.”

    I agree with Matthew D. Green. Instead of expending energy, time and money in litigation, use all those resources to stay one step ahead of the white hat hackers (and the black hat hackers). Competition is what brings out the best in us all. Preclude this process and Apple will still have the black hat hackers out in the wild surreptitiously carrying on their endeavors, doing exactly what the white hat hackers are doing. Apple needs the white hat hackers to stay on its competitive game and ahead of the black hat hackers.

    April 15, 2021