San Bernardino iPhone was hacked using a zero-day exploit

When a couple of terrorists attacked and killed 14 people in San Bernardino, California in December last year, an iPhone 5c was recovered, and it’s been in the news almost as much as the terror attack itself. The phone was said to contain pertinent information that the FBI really wanted their mitts on, and the Washington Post today reports that the FBI was able to get into it with the help of professional hackers, who used a previously unknown security flaw in the iPhone.

We already knew that the FBI had successfully hacked the phone when it postponed and later abandoned a legal case against Apple to unlock the phone, but until now, it remained a mystery how it happened. According to the Washington Post, hackers were able to access the data on the phone by using a ‘new’ security weakness in the iPhone, in what is called a zero-day exploit. In this case, it appears that the exploit was specific to the iPhone 5c, and that the attack vector used to get the data from the phone wouldn’t have worked on current-generation phones.

It is believed that the hackers were able to find a way to circumvent the brute-force protections built into the iPhone. There are two: The first gradually increases the delay between each PIN attempt; you can try this on your own iPhone by typing in a wrong 4-digit PIN 3 times. It then makes you wait for a minute. Get it wrong again, and it makes you wait for five minutes. The second security measure is that if the PIN is entered incorrectly 10 times, the default is to irrecoverably wipe the device completely.

The reason this is such a big deal is that a 4-digit PIN on its own isn’t much of a deterrent: There are only 10,000 different combinations. If you’re able to try a combination every second, you’re likely to have opened the phone in under three hours. Even if the hack delayed the process slightly, so that it takes 30 seconds to enter a password, discover it’s the wrong one, reset the security measures and try again, it would still only take 3 days and 11 hours to try every possible combination.
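The sketch below is an added example, not code from the article or from Apple. It models the two protections with the delay values given above and compares them with the bypassed case, extending the arithmetic to 6-digit PINs. The function names are hypothetical, and holding the delay at five minutes for the fifth to ninth failures is an assumption.

```python
from fractions import Fraction

# Lockout steps as the article describes them: 3 wrong PINs -> 1 minute,
# a 4th -> 5 minutes, a 10th -> wipe. Holding the delay at 5 minutes for
# failures 5-9 is an assumption; the article gives no values for them.
DELAY_AFTER_FAILURES = {3: 60, 4: 300}
WIPE_AFTER = 10

def lockout_delay(failures):
    """Seconds of forced waiting after `failures` consecutive wrong PINs."""
    steps = [n for n in DELAY_AFTER_FAILURES if n <= failures]
    return DELAY_AFTER_FAILURES[max(steps)] if steps else 0

def exhaust_seconds(digits, seconds_per_guess):
    """Worst-case time to try every PIN once both protections are bypassed."""
    return 10 ** digits * seconds_per_guess

def protected_outcome(digits, seconds_per_guess=1):
    """With protections intact: (chance of guessing before wipe, seconds used)."""
    keyspace = 10 ** digits
    guesses = min(WIPE_AFTER, keyspace)
    waits = sum(lockout_delay(f) for f in range(1, guesses))
    return Fraction(guesses, keyspace), guesses * seconds_per_guess + waits

def fmt(seconds):
    """Render a duration as days, hours and minutes."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"

if __name__ == "__main__":
    for digits in (4, 6):
        chance, used = protected_outcome(digits)
        print(f"{digits}-digit PIN, protections on: "
              f"{float(chance):.4%} chance, device wiped after {fmt(used)}")
        for cost in (1, 30):
            print(f"  protections bypassed, {cost}s per guess: "
                  f"{fmt(exhaust_seconds(digits, cost))} to try every PIN")
```

With the protections in place a random 4-digit PIN is found before the wipe only one time in a thousand; the time to exhaust the keyspace matters only once both protections are out of the way, which is why PIN length alone does not protect the device.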

The hack apparently enabled the FBI to use a custom-fabricated piece of hardware to brute-force all the possible four-digit passwords, eventually finding the correct PIN, and then accessing the contents of the San Bernardino iPhone.

The FBI reportedly paid an unnamed independent security contractor a one-time fee for the information on the security exploit, which evidently was all it needed to crack the phone.