From the Washington Post’s “The FBI wanted to unlock the San Bernardino shooter’s iPhone. It turned to a little-known Australian firm” posted Wednesday:
All sophisticated software contains “bugs” or flaws that cause computer programs to act in unexpected ways. Not all bugs are significant, and on their own they don’t pose a security risk. But hackers can seek to take advantage of certain bugs by writing programs called exploits. Sometimes they combine a series into an “exploit chain” that can knock down the defenses of a device like the iPhone one-by-one.
Azimuth specialized in finding significant vulnerabilities. [Founder Mark] Dowd, a former IBM X-Force researcher whom one peer called “the Mozart of exploit design,” had found one in open-source code from Mozilla that Apple used to permit accessories to be plugged into an iPhone’s lightning port, according to the person. He found it even before Farook and his wife opened fire at the Inland Regional Center, and thought it might be useful at some point to develop into a hacking tool. But Azimuth was busy at the time with other projects.
Two months after the attack, Comey testified to Congress that investigators were still unable to unlock the terrorist’s iPhone. Seeing the media reports, Dowd realized he might have a way to help. Around that time, the FBI contacted him in Sydney. He turned to 30-year-old Wang, who specialized in exploits on iOS, the people said.
Using the flaw Dowd found, [Yale dropout David] Wang, based in Portland, Ore., created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability, according to the people. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device. From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.
Wang and Dowd tested the solution on about a dozen iPhone 5Cs, including some bought on eBay, the people said. It worked. Wang dubbed the exploit chain “Condor.”
In mid-March, Azimuth demonstrated the solution at FBI headquarters, showing Comey and other leaders how Condor could unlock an iPhone 5C. Then, one weekend, the FBI lab did a series of forensic tests to be sure it would work without destroying data. The tests were all successful, according to the people. The FBI paid the vendor $900,000, according to remarks by Sen. Dianne Feinstein (D-Calif.) in May 2017.
My take: Four exploits, brute force and a $900,000 reward. That’s what it took to crack a 2015-era iPhone 5C.