Ilhan Tanir
Dec 19 2017

Questions answered over Russian ambassador’s assassin’s telephone hack

Following Mevlüt Mert Altıntaş’s assassination of Russian Ambassador to Turkey Andrei Karlov, Turkish prosecutors say, unknown individuals accessed his smartphone using a virtual machine and deleted his emails and social media messages…

Ahval’s recent article on Turkish prosecutors’ assessment of what happened to the assassin’s phone data in the wake of the assassination of the Russian ambassador led to fierce debate on social media about the technical capability required to hack into an iPhone.

So, we asked two experts, programmers Can Duruk and Kaveh Nematipour, to clarify whether the prosecutor’s narrative was possible and how it might have been done.


Q. Do you think it was possible that an iPhone could have been broken into remotely by a third party and its contents deleted? If so, how technologically sophisticated a third party?


Duruk: Technically, yes. Anyone who knows the user’s Apple ID password could remotely wipe the phone. (Remote wipe is built into Apple phones via iCloud.) ... That wouldn’t be a sophisticated attack; you just need to figure out someone’s Apple ID password. Most users use the same passwords across different internet services (they shouldn’t), so cracking one would be enough. This attack would require a dedicated attacker, but it wouldn’t require extremely sophisticated tools. It also wouldn’t be guaranteed.


Nematipour: How does the prosecution know that the Facebook and Gmail accounts were hacked to begin with? If they didn’t break into the killer’s phone, which the article says they didn’t, then how do they know about this hack? … Even if I go to my Gmail account right now and delete a bunch of conversations, if they were deleted successfully, how do they know there were deleted messages?


Q. What if the owner had given advance permission, or had allowed trojan software to be installed on the phone?


Duruk: Apple’s operating system generally doesn’t allow trojan-type software (software that deletes all contents) without the owner going out of their way to break the OS, but it is possible. However, it’s probably not needed.


Nematipour: I have to refer you to the Orlando shooter’s story, where the FBI asked Apple for a long time to open the phone while the phone was in their possession, and they failed. Apple refused, and an Israeli firm revealed that this was one of the versions they could break into, and they provided the service to the FBI, all the while having the phone in their possession. To perform such an attack remotely, well, if proven, would be the first of its kind and would also affect Apple’s stock price.


Q. Apple has said that it could not help Turkish authorities discover the user's password. Is this realistic?


Duruk: Two aspects to consider. Technically, if the phone is an iPhone 4S, Apple could help the Turkish government.

However, Apple has an extremely strong stance against helping governments work around the encryption it builds into its phones. For example, in the San Bernardino case, Apple refused to help the Federal Bureau of Investigation (FBI) unlock the suspect’s phone (which was an iPhone 5S), arguing that it would be a slippery slope. Tim Cook, Apple’s CEO, wrote a public letter and went on TV to make Apple’s case in the court of public opinion.

In that case, Apple held its ground and the FBI finally managed to find a way to crack the password. Note that the FBI was later sued to reveal its methods but decided not to reveal the vendor.


Nematipour: This is a commercial technology backed by probably the richest company on the planet, and it is not a joke. Also, please keep in mind that the other two companies that are said to have been hacked are Google and Facebook. You are talking about three of the biggest companies on earth.

Q. Turkish authorities say they cannot trace the user who deleted the files because the user used a virtual machine and a VPN which did not keep logs. Is this likely?


Duruk: The correct approach to this problem would be turning the phone off immediately when it was recovered, to make sure it couldn’t be accessed via the internet. If this was done, it would increase the chances of recovering data immensely. In general, Apple devices past the iPhone 7 have extremely strong encryption that even physical access cannot work around, but on older devices, physical access would yield quite a bit of data.

If the user deleted the contents via Apple’s Remote Wipe, only Apple would have some data as to how the phone was wiped. They would likely have some IP data and such as to who made that request, but it would be unlikely to be traceable to a single individual.

If the phone owner set up a VPN on their phone, that would make forensics harder. If the remote wipe was done via trojan-type app, having a persistent VPN connection could make it impossible to determine who wiped the phone.


Nematipour: It’s rightly mentioned in the article I read that VPN Express is not subject to US or European laws, as it is registered in the British Virgin Islands, which has its own judicial system. The company is, therefore, accountable to almost no one. I think they could be pushed to reveal the identity of the party that was paying for the service, but it would need political intervention.

Another point is the assumption that someone connected to the phone through a VPN. We cannot know that unless we have broken into the phone and analysed every bit of it ... Another likely scenario is that he (Altıntaş) was actually using this VPN service to encrypt his own traffic and probably didn’t disconnect it that day.
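Both answers above turn on what a provider-side audit trail can and cannot say: a remote-wipe request is traceable to a source IP (Duruk), but if that IP is a VPN exit the trail ends at the VPN provider, and VPN-sourced traffic on its own does not prove an outsider was involved, since the owner may have been using the same VPN (Nematipour). The following Python is an added example by the editor, not code from the article or from either expert, and it does not use any real Apple, Google or Facebook log format. The audit-line format, the account name, the timestamps, the addresses (RFC 5737 documentation ranges) and the VPN exit prefix list are all constructed assumptions.

```python
"""How far can a remote-wipe request be traced from provider-side audit records?

Added example, not from the article. Everything below is constructed:
the log line format is hypothetical, the addresses are RFC 5737
documentation ranges, and the VPN prefix list is made up.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample audit trail for one account. Note that the phone itself
# (ua=iPhone9,1/...) also logged in from a VPN exit earlier in the day, so a
# VPN-sourced record is not by itself evidence of a third party.
SAMPLE_AUDIT_LOG = """\
2016-12-19T16:30:00Z acct=user@example.com action=login src=198.51.100.20 ua=iPhone9,1/iOS10.2
2016-12-19T17:52:10Z acct=user@example.com action=login src=203.0.113.45 ua=iPhone9,1/iOS10.2
2016-12-19T18:41:03Z acct=user@example.com action=login src=198.51.100.7 ua=Mozilla/5.0 (Windows NT 6.1)
2016-12-19T18:41:57Z acct=user@example.com action=erase_device src=198.51.100.7 ua=Mozilla/5.0 (Windows NT 6.1)
"""

# Constructed exit-node prefixes for a hypothetical no-logs VPN provider.
VPN_EXIT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) action=(?P<action>\S+) src=(?P<src>\S+) ua=(?P<ua>.*)$"
)


@dataclass
class AuditEvent:
    ts: str        # ISO-8601 UTC timestamp; sorts correctly as a string
    acct: str
    action: str
    src: IPAddress
    ua: str


def parse_audit_log(text: str) -> List[AuditEvent]:
    """Parse the constructed audit format, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        fields["src"] = ipaddress.ip_address(fields["src"])
        events.append(AuditEvent(**fields))
    return events


def is_vpn_exit(ip: IPAddress, ranges=VPN_EXIT_RANGES) -> bool:
    return any(ip in net for net in ranges)


def attribute_wipes(events: List[AuditEvent], ranges=VPN_EXIT_RANGES) -> List[dict]:
    """For each erase_device event, say where the trail leads next.

    trail == "direct": the access ISP can map IP+time to a subscriber.
    trail == "vpn_exit": the next hop is the VPN provider; attribution then
    depends entirely on whether that provider kept connection logs.
    new_client: the wiping session's user agent was never seen from any
    other source address, i.e. it does not look like the owner's own device.
    """
    results = []
    for wipe in (e for e in events if e.action == "erase_device"):
        other_agents = {e.ua for e in events if e.action == "login" and e.src != wipe.src}
        via_vpn = is_vpn_exit(wipe.src, ranges)
        results.append({
            "ts": wipe.ts,
            "src": str(wipe.src),
            "trail": "vpn_exit" if via_vpn else "direct",
            "next_hop": "VPN provider connection logs" if via_vpn else "access ISP subscriber records",
            "new_client": wipe.ua not in other_agents,
        })
    return results


def logins_via_vpn(events: List[AuditEvent], ranges=VPN_EXIT_RANGES) -> List[AuditEvent]:
    """All login sessions that came through a VPN exit, the owner's included."""
    return [e for e in events if e.action == "login" and is_vpn_exit(e.src, ranges)]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in attribute_wipes(evs):
        print(r)
    print("logins via VPN exits:", [(e.ts, e.ua) for e in logins_via_vpn(evs)])
```

Run on the constructed trail, the single wipe resolves to a VPN exit with a user agent never seen from any other address, so the evidence points to a new client but the next step is the VPN provider's records, exactly the dead end the prosecutors describe. The same trail also shows the owner's own phone logging in from that VPN earlier, which is why a VPN-sourced record alone does not settle who was at the keyboard.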


Q. Could the prosecutor have known that the Gülen movement carried out the attack if it came from an untraceable connection?


Duruk: This sounds contradictory to me. It’s possible that only some of the content was deleted (emails, text messages) and that the remainder (contacts) pointed to a certain group, but that seems unlikely.


Nematipour: Frankly, I think the last question is a rhetorical one. You either know the identity of the attacker or you don’t. Personally, I doubt the veracity of the attack to begin with, and certainly its extent, and identifying the affiliations of such an attacker is beyond me.