A Moscow legal battle strongly indicates that phone forensics tools used by both the FBI and FSB are exploiting security loopholes in Apple’s operating system.
A legal dispute between two Russian hackers has revealed a weakness and possible “zero day” vulnerability in Apple’s iOS 16 operating system.
The lawsuit, filed by Elcomsoft, a Russian company founded by CEO Vladimir Katalov, alleges that competitor MKO-Systems has stolen code that can reach deep into Apple iPhones running iOS 16 to grab hidden passwords, location and browsing history, photos and other sensitive data.
For Elcomsoft’s law enforcement customers, such tools are incredibly useful in extracting more data from an unlocked iPhone than is possible with a manual review of the phone and its backups.
This kind of forensic tool would need to exploit weaknesses in iOS if they’re to acquire such sensitive data. It might use either an unpatched flaw, known as a zero-day, or a chain of vulnerabilities in iOS 16, according to security expert Bruce Schneier.
Jake Williams, a former NSA staffer and now a faculty member at cybersecurity analyst firm IANS Research, said it was more likely, however, that the hackers had “reverse engineered some data structures or obfuscation algorithms nobody else has.”
It’s unclear if iOS 17, released by Apple in September, is affected.
“There’s no doubt that Russia is performing forensics on mobile devices captured from high value targets in Ukraine.”
Jake Williams, faculty member at cybersecurity analyst firm IANS Research
Katalov declined to comment about the nature of any vulnerabilities his software exploited. Apple did not respond to multiple requests for comment. MKO did not respond to a request for comment.
Though Elcomsoft has only taken legal action against MKO, the suit also alleges the same stolen code is used in an iPhone forensics product from American-based rival Oxygen Forensics, which was founded by two Russian entrepreneurs who also helped set up MKO: Oleg Fedorov and Oleg Davydov (the company did not respond to a comment request).
If Elcomsoft’s assertions are accurate, the iOS hacking code is now in the hands of Russian and American law enforcement.
Government contracting records show Elcomsoft’s tools have been used by the FBI and Customs and Border Protection, while Katalov told Forbes it sells to the FSB, Moscow’s police intelligence body.
Oxygen has numerous contracts with federal agencies across the U.S., including the FBI, Immigrations Customs Enforcement (ICE) and Customs and Border Protection (CBP).
MKO technology has been sold to FSB and the Ministry of Internal Affairs, according to the website of one of its partners, which resells MKO software.
That means myriad government agencies in both the U.S. and Russia can all get deep access to unlocked iPhones running the operating system, whether they belong to a terrorist, a street criminal, an undocumented citizen or a protester.
That the Russian government has access to tools that can break iOS 16 protections could present particular concerns in light of the war in Ukraine.
“There’s no doubt that Russia is performing forensics on mobile devices captured from high value targets in Ukraine,” said Williams. “Russian intelligence and defense can tap into tools acquired by Russian law enforcement, which probably includes most mobile forensics tools on the market today.”
In the lawsuit, which was filed in a Moscow arbitration court in late November, Elcomsoft alleges that MKO-Systems stole its proprietary iOS hacking code and included it in its own forensics product “almost unchanged.”
Before filing suit, Elcomsoft demanded that MKO cease selling licences to software containing the code, and that it pay compensation of 5,000,000 rubles ($56,000). In response to the demand, MKO’s lawyers denied that there had been any kind of IP theft.
MKO has not yet responded to the lawsuit and it did not respond to a request for comment at the time of publication.
Elcomsoft is not suing Oxygen, despite naming it in the suit. But the allegations have highlighted that company’s connections to Russia, notable in light of Oxygen’s contracts with the FBI, ICE and CPB.
“It’s hard to assess whether Oxygen represents a direct national security concern today based on their former ties to Russia. However, that evaluation looks worse now than it did previously given the allegations of code theft by Elcomsoft,” Williams said. “Organizations using Oxygen should evaluate their risk profile… after evaluating the claims in the suit.”
Oxygen has, in recent years, sought to distance itself from its Moscow origins. It registered its business in Virginia in 2013.
But, per a 2017 Forbes report, its software had continued to be developed in Russia before being shipped to the U.S. Oxygen’s cofounder and CEO at the time, Oleg Fedorov, told Forbes then that he wanted to stay away from geopolitical issues.
Since then, Fedorov and his business partner Davydov have distanced themselves further from both Oxygen and MKO, no longer holding any roles or titles at either. Oxygen is now helmed by Lee Reiber, a former Boise Police Department investigator.
The general director of MKO, which was called Oxygen Software until mid-2022 (though was still separate from the American Oxygen), is listed as Gutman Olga Vasilevna, who, according to her LinkedIn profile, was previously the company marketing director.
However, Forbes found at least one remaining connection between Oxygen and Russia.
It has a Cyprus-registered entity — Oxygen Forensics Limited — whose director is listed as Maksim Vialkov, a Russian who has registered various forensics-focused websites using his Russian phone number.
He was a listed director for Oxygen’s U.S. business up until February this year, when he was removed from its corporate books. Neither Oxygen nor MKO responded to questions about whether there were any remaining ties between the two companies.
Per recent reporting by the International Consortium of Investigative Journalists, Cyprus has become a hub for businesses specialising in hacking phones on behalf of governments, largely because of its lack of oversight over spyware technologies.
This article was first published on forbes.com and all figures are in USD.
