LAPD hacks iPhone 5s, but how?


The iPhone 5c belonging to San Bernardino shooter Syed Rizwan Farook is not the only iPhone that the US authorities have managed to hack this year. According to a report by the Los Angeles Times, the Los Angeles Police Department has "bypassed the security features" of an iPhone 5s.

The iPhone 5s in question was used by April Jace, the wife of The Shield actor Michael Jace, who is facing murder charges, accused of killing his partner on May 19, 2014. And, according to court documents reviewed by the publication, on March 18 the LAPD claimed to have found a "forensic cellphone expert" who could hack the device, which is believed to hold important evidence in the trial.

Data stored on that iPhone 5s was examined last month by "a senior investigator with the district attorney's office" and "Jace's private cellphone expert", according to a warrant reviewed by the Los Angeles Times. The publication does not have any information regarding the technique that was used to hack into that iPhone 5s, nor does it know which iOS version it was running at the time.

Now, this is where things really get interesting. Since that iPhone 5s was used by the victim prior to her death, it is likely that, as Apple Insider points out, it was running iOS 7. Remember, on May 19, 2014, the most recent version of iOS was iOS 7, with which the iPhone 5s made its public debut. Apple launched iOS 8 in September that year, and the first beta of iOS 8 only arrived following WWDC 2014, which took place on June 2.

Furthermore, Michael Jace was in LAPD custody prior to the release of iOS 8, pleading "not guilty" on June 19, 2014. The Los Angeles Times says that the iPhone 5s was passcode-locked shortly after the murder of April Jace, but obviously before that court date, and it likely got into LAPD evidence after the aforementioned warrant was carried out.

Why is this important? Well, because the first iOS release to add encryption by default was iOS 8. I covered this around the time of its public launch, explaining that passcode-locked devices would generate a key that only users have access to. According to Apple's Legal Process Guidelines, which you can read here, the authorities stand a chance of retrieving data on pre-iOS 8 devices, assuming they serve a valid search warrant.

For iOS devices running iOS versions earlier than iOS 8.0, upon receipt of a valid search warrant issued upon a showing of probable cause, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode ("user generated active files"), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 through iOS 7. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, MMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party app data.

The Los Angeles Times notes that an LA judge ordered an Apple technician to help the LAPD extract data from that iPhone 5s in 2015, at which time the smartphone could have also been running iOS 8. Unless someone from the LAPD upgraded the device, that is unlikely. The technician apparently failed to do so, which is interesting.

An investigator with the LA County DA's office tried the same thing in late January this year, but failed because the device was "disabled". In this case, it does not look as if the software was getting in the way, because, according to the court papers in question, the authorities could not even turn it on in February.

Basically, the authorities were looking at a dead iPhone 5s which was holding important data that they could not retrieve. There are some missing pieces here, like why did that Apple technician fail to retrieve data from the device, despite Apple's claims that it is able to do so, and why was the iPhone disabled? A reason for the latter could be failed attempts to unlock it through brute force, a technique which, after 10 failed attempts, could trigger a self-reset if the respective option is enabled in the device's Settings menu.

With iOS 7 or newer on board, and that option enabled, it is possible to more or less render an iPhone 5s useless. But since the data is not encrypted on the device, if it is running iOS 7, it is indeed possible to recover it. Even if you manually delete something, that does not mean that it is gone forever. There is a reason why there are so many programs to help you recover deleted files.

The FBI, after it hacked that iPhone 5c, said that it couldn't apply the same technique on other, newer, devices. (Remember that the iPhone 5c is a rebranded iPhone 5 in a plastic shell, while the iPhone 5s, though introduced at the same time, has different, newer hardware.) That must be true, because otherwise the LAPD or some other agency could have since asked for assistance. But since it did not have to break Apple's encryption to do so, things were much easier. All that needed to be done was recover some data from unencrypted storage.

Photo Credit: xavier gallego morell/Shutterstock
