A method to bypass the iPhone's security measures that the FBI claimed "doesn't work" has been shown to work just fine by a security researcher.
The latest development in the dispute over the Federal Bureau of Investigation's access to Syed Rizwan Farook's iPhone 5C points to either incompetence or willful ignorance on the agency's part. Sergei Skorobogatov, a security researcher at the University of Cambridge, published a paper this Wednesday detailing a method that defeats the phone's limit on PIN attempts, making the PIN brute-forceable and the phone accessible.
Method #1 for unlocking a phone
This is a technique that came up during the FBI's case against Apple, in which the agency asked the American technology company to effectively install a backdoor in its operating system so that law enforcement could bypass the security measures a user had enabled on a phone.
The technique is called "NAND mirroring." It consists of tapping the signals between the phone's processor and its NAND flash memory chip, reverse-engineering how the phone writes data to the chip, and then copying the chip's contents.
After that, the attacker can enter a batch of PIN guesses, restore the chip to its saved state (which also resets the failed-attempt counter stored on it), and repeat. This yields unlimited guesses and defeats the "10 tries or you're locked out" restriction.
Skorobogatov estimated that he could try every possible four-digit PIN in about forty hours. A better-equipped attacker with more experience could recover a four-digit PIN in around twenty hours, or a six-digit PIN in around ninety days.
How? By cloning thousands of copies of the chip in its unmodified state and swapping a clone in for the original, instead of going through the slow process of rewriting the same chip's data.
Skorobogatov also says the whole process could be automated further, allowing PIN codes on real devices to be brute-forced; a four-digit PIN would take less than a day.
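The mechanism described above, as an added illustration (constructed for this page; it is not code from Skorobogatov's paper or from the article). The NAND image is modelled as a Python dict that holds the wrapped key material and the failed-attempt counter; "mirroring" is a saved copy of that image, and restoring it stands in for either rewriting the chip or swapping in a clone. The salt, KDF iteration count, PIN value and all function names are assumptions. The block also models the alternative design in which the counter lives outside the flash, which is why restoring the image stops helping the attacker.

```python
"""Toy model of NAND mirroring as a rollback attack on a persistent retry counter.

Constructed example. A real attack copies the flash contents electrically and
must also cope with the escalating delays between attempts, which are ignored here.
"""
import copy
import hashlib
import itertools
from typing import Optional

WIPE_AFTER = 10                      # the "10 tries and you're locked out" limit
SALT = b"constructed-demo-salt"      # assumption; stands in for the per-device key
KDF_ITERS = 1000                     # kept low so the demo runs quickly


def _check(pin: str) -> bytes:
    """Stand-in for unwrapping the filesystem key with the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, KDF_ITERS)


def make_nand_image(pin: str) -> dict:
    """Flash contents: wrapped key (modelled as a KDF tag) plus the counter."""
    return {"check": _check(pin), "attempts": 0, "wiped": False}


def secure_counter() -> dict:
    """Counter kept outside the NAND image (models a separate secure coprocessor)."""
    return {"attempts": 0, "wiped": False}


def try_pin(nand: dict, guess: str, counter: Optional[dict] = None) -> bool:
    """Phone-side check. The counter lives in the NAND image unless a separate
    store is supplied. Returns True when the guess is correct."""
    counter = nand if counter is None else counter
    if counter["wiped"] or nand["check"] is None:
        return False
    if _check(guess) == nand["check"]:
        counter["attempts"] = 0
        return True
    counter["attempts"] += 1
    if counter["attempts"] >= WIPE_AFTER:
        counter["wiped"] = True
        nand["check"] = None         # key material destroyed: phone is useless
    return False


def all_pins(digits: int):
    for digits_tuple in itertools.product("0123456789", repeat=digits):
        yield "".join(digits_tuple)


def naive_bruteforce(nand: dict, digits: int = 4) -> Optional[str]:
    """Guess in order with no mirroring; the counter trips after WIPE_AFTER failures."""
    for guess in all_pins(digits):
        if try_pin(nand, guess):
            return guess
        if nand["wiped"]:
            return None
    return None


def mirrored_bruteforce(nand: dict, digits: int = 4,
                        counter: Optional[dict] = None):
    """Snapshot the clean image once; restore it whenever the next failure would
    wipe the key. Returns (pin_or_None, number_of_restores)."""
    clean = copy.deepcopy(nand)
    live = nand if counter is None else counter
    restores = 0
    for guess in all_pins(digits):
        if live["attempts"] == WIPE_AFTER - 1:
            nand.clear()
            nand.update(copy.deepcopy(clean))  # resets the counter only if it is in the image
            restores += 1
        if try_pin(nand, guess, counter):
            return guess, restores
        if live["wiped"]:
            return None, restores
    return None, restores


if __name__ == "__main__":
    print("naive   :", naive_bruteforce(make_nand_image("0187")))
    print("mirrored:", mirrored_bruteforce(make_nand_image("0187")))
    print("external counter:",
          mirrored_bruteforce(make_nand_image("0187"), counter=secure_counter()))
```

Against the in-image counter the mirrored search recovers the PIN 0187 after 20 restores (one per nine failures); the naive search wipes the key after ten failures. With the counter held outside the image, restoring the flash changes nothing and the key is wiped on the tenth failure, which is the design point that later hardware makes.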
Getting rid of various technical hurdles
In Skorobogatov's method, he desoldered the NAND chip from the iPhone's circuit board and cut a hole in the phone's casing to pass a wired connector through, which let him attach and remove the chip as needed.
He also built his own eavesdropping board, removing several practical hurdles that had hampered the method, such as wiring a chip up outside the phone's frame.
This approach had long been believed possible and had been suggested as an alternative to the FBI's preferred solution of forcing Apple Inc. to create a special version of its firmware that would let the agency bypass the security measures iPhone users had enabled.
For example, before Skorobogatov's demonstration, forensics expert and iOS hacker Jonathan Zdziarski had shown a proof of concept for the attack back in March, though it worked only on jailbroken phones with certain security measures disabled.
The FBI, however, had insisted that the method did not work.
Pick your poison: incompetence or willful ignorance
"This really shows FBI was lacking in its research and due diligence. Setting the precedent was more important than doing the research," says Jonathan Zdziarski.
Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, notes that because of the "incredible soldering abilities" required, NAND mirroring would have been impractical for the FBI, which presumably did not want to risk damaging the suspect's phone.
Nonetheless, the researcher himself points out that the technique is simply not difficult for sufficiently experienced people, a group that includes skilled iPhone repair technicians.
"If one researcher can accomplish this relatively quickly, I would think a team of FBI forensics experts with the right hardware and resources could do it even faster," insists Zdziarski.
The FBI is being sued: three news organizations want to know how the FBI hacked the infamous iPhone
The Federal Bureau of Investigation dropped its case against Apple after a third party managed to unlock Farook's phone. The FBI announced back in March that it no longer needed Apple's help, bringing the legal battle to a rather abrupt end.
The agency has not disclosed how much it paid or who the third party was. Back in April, FBI Director James Comey said the price exceeded "one million dollars," which he claimed was "well worth it."
This lawsuit isn’t the first time news agencies tried to discover the details of FBI’s deal to crack the phone.
The AP, Vice and USA Today sought the records from the agency, but the FBI claimed that releasing the information would endanger its investigative efforts.
The pending lawsuit, filed in Washington by Gannett (USA Today's parent company), the Associated Press and Vice Media, seeks the information the FBI previously denied them, and argues that the FBI has "no lawful basis" to keep it secret.
For the concerned: both methods are confined to the iPhone 5C
The everyday user probably shouldn't worry much about this attack, since current iPhones have different hardware that makes it much harder to pull off. From the iPhone 5s onward, the escalating delays and attempt limits on passcode entry are enforced by the Secure Enclave coprocessor rather than by software reading a counter from the NAND, so restoring the flash contents does not reset the count.
Comey has said that the method used by the third party that unlocked the phone probably wouldn't work on anything but an iPhone 5C running iOS 9; it works only on some phones, a "narrow slice" as he put it.
Sources: USA Today