Experts say 'chip off' procedure to access terrorist's iPhone is risky

An error in removing the iPhone's flash memory could make the data unreadable forever

The iPhone 5c at the center of the legal battle between Apple and the FBI might be accessible through a delicate hardware technique, but experts warn it would be difficult.

In recent days, the American Civil Liberties Union's technology fellow and former NSA contractor Edward Snowden have suggested a method that would let investigators repeatedly guess the iPhone's password.

Federal investigators fear San Bernardino shooter Syed Rizwan Farook may have configured his work phone to use an Apple security feature that erases a key for decrypting data after 10 incorrect guesses of the phone's password. 

The forensic technique for getting at the data, known as "chip off," involves removing a NAND flash memory chip from a device and copying its data, yielding a decryption key that can be restored if it is erased after incorrect guesses.

Instead of trying that procedure, the U.S. Justice Department has asked a federal court to order Apple to give the FBI custom software for iOS 9 that can be loaded onto the phone. The software would either disable the auto-erase feature or allow law enforcement to rapidly try different password guesses.

Apple is fighting the order, saying the creation of such software -- essentially a backdoor -- would put millions of iPhones at risk.

Investigators already have a lot of data from Farook's online accounts, including backups of the phone stored in Apple's iCloud servers, which the company has turned over.

But the last iCloud backup investigators have is from Oct. 19, about six weeks before the Dec. 2 shootings that killed 14 people and injured 22 others. The government contends that the six weeks' worth of data stored solely on the phone could contain crucial evidence.

Daniel Kahn Gillmor, a technology fellow with the ACLU's Speech, Privacy and Technology Project, described the technical details involved in a chip-off operation in a Monday blog post.

Snowden cited Gillmor's Wednesday post on Twitter and contested the FBI's position via a video link from Moscow at Common Cause's Blueprint for Democracy conference. 

"There are hardware attacks that have existed since the '90s," he said.

The key that is used to encrypt the iPhone's user data is stored in a section of the phone's NAND flash chip that Apple calls "effaceable storage," Gillmor wrote.

To perform a chip-off operation, the Flash chip is de-soldered from the circuit board and then connected it to a NAND flash reader in order to copy its contents.

The chip is then reconnected to the board. If the key is erased after 10 wrong guesses, the backup data can be used to restore it for more attempts.

"If the FBI doesn't have the equipment or expertise to do this, they can hire any one of dozens of data recovery firms that specialize in information extraction from digital devices," wrote Gillmor, who couldn't immediately be reached for comment.

But computer forensics experts, including one who has performed the procedure, say it is slow and delicate with no guarantee of success.

Most chip-off extractions result in the device being destroyed, said Heather Mahalik, principal forensic scientist and team lead for Oceans Edge, a mobile security and development firm. She teaches an advanced smartphone forensics course at the SANS Institute.

"I have done chip off in the past, and getting the phone to work again after is very difficult, so the chances of this working are low," Mahalik said via email. 

Cindy Murphy, a computer forensics expert with the Madison, Wisconsin, police department, said it's neither easy nor simple to remove and replace flash memory.

"To do this once, let alone as many times as would be necessary to brute-force the passcode, would be a feat of patience and perseverance and likely wouldn’t be successful," she wrote via email.

If auto-erase is enabled, investigators would have to remove and replace the chip for every 10 wrong guesses. Apple also enforces a delay in between wrong guesses, increasing the amount of time it would take to guess the passcode through brute force.

"This would also be an extremely slow and manual process," said Sarah Edwards, a digital forensics analyst who also teaches a SANS course.

And if the procedure goes poorly, "then you get zero chances to get the data," she said.

Join the CSO newsletter!

Error: Please check your email address.

Tags applefbi

More about AppleFBINSASANS InstituteTechnologyTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place