FBI could have unlocked iPhone 5c without Apple's help in under two days

It turns out the FBI could have beaten Apple’s ten-try limit to unlock the San Bernardino shooter’s iPhone 5c using cheap and easily available tools.

A researcher from Cambridge University in the UK has provided the first demonstration of a technique called "NAND mirroring" that would have taken no more than two days to beat Apple's security measure in the iPhone 5c.

In doing so, the researcher has shown the FBI didn't need Apple to provide a special version of iOS -- a backdoor -- to overcome the passcode retry limit and unlock the iPhone 5c of San Bernardino shooter Syed Farook.

The FBI claimed only Apple could help it unlock the iPhone and obtained a court order requiring it to build what Apple called "GovOS". In March, the FBI declared it had found an alternative route but never revealed what it was.

iPhone forensic expert Jonathan Zdziarski said at the time that, of several available options such as buying an iOS exploit, the most likely was NAND mirroring.

NAND is the type of flash memory the iPhone uses for its storage, and mirroring is a technique used in standard disaster recovery and backup systems: keep an exact copy of the data so it can be written back when the original changes.

“This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip,” Zdziarski wrote.

He compared it to “cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.”

The FBI in March, after quitting its attempt to force Apple's hand, denied that NAND mirroring worked. Zdziarski then built a software-based demonstration to show that it would work on an iOS 9 device. Still, it did not demonstrate the hardware-based attack the FBI would actually have to carry out.

This week, Sergei Skorobogatov, a researcher from the University of Cambridge’s Computer Laboratory, published a paper that details exactly the technique the FBI could have used, which he described as a “real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9.”

“This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol,” writes Skorobogatov.

While he says there were numerous pitfalls and traps, his successful attack was achieved with cheap, off-the-shelf equipment. “All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts,” he wrote.

Skorobogatov points out that data mirroring is widely used in disaster recovery systems, such as standard RAID setups. After pulling apart the iPhone 5c, the process involved backing up its NAND storage to a second NAND chip; that backup was then used to restore the original chip's contents, retry counter included, after every batch of passcode attempts.

"The process of NAND mirroring is relatively simple," explains Skorobogatov. "Once the backup copy is created and verified, the original chip is plugged back into the iPhone 5c. After the power up, which takes about 35 seconds, we enter the passcode 6 times. Then the phone is powered down by holding the power button and sliding the power off message."

“Once the phone is powered up and the screen is slid the passcode can be entered six times until the delay of one minute is introduced again. Then the process of mirroring from backup can be repeated again and again until the correct passcode is found. On average each cycle of mirroring for six passcode attempts takes 90 seconds. Hence, a full scan of all possible 4-digit passcodes will take about 40 hours or less than two days.”
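The cycle Skorobogatov describes, and why it works on the 5c at all, is easy to see in a small model. The following is an added example written for this article, not code from Skorobogatov's paper or from Apple: it models the iOS 9 policy as the article states it (six entries before a one-minute delay, wipe after ten failures), puts the retry counter inside a mirrorable NAND image, runs the dump-try-restore loop, and reproduces the roughly 40-hour figure for a full 4-digit scan. It also runs the same loop against a counter kept outside the mirrored image, the role the Secure Enclave plays on the iPhone 5s and later, which the A6-based 5c does not have. The class and function names, the timing constants and the sample passcode are all constructed for the example.

```python
"""Toy model of the NAND-mirroring attack on a passcode retry counter.

Constructed example, not code from Skorobogatov's paper or from Apple. The policy
numbers follow the article: six entries before the first one-minute delay, wipe
after ten failures, and about 90 seconds per boot-try-restore cycle.
"""
import copy
import math

FREE_TRIES = 6        # entries allowed before the one-minute delay engages
WIPE_AT = 10          # failures after which the key material is erased
CYCLE_SECONDS = 90    # boot (~35 s) + six entries + power down + restore, per the article


class NandImage:
    """Contents of the desolderable flash chip. In this model that is the
    passcode-wrapped key material (stood in for by the passcode itself) and,
    on the 5c, the retry counter, so a rewrite of the chip resets both."""

    def __init__(self, passcode: str) -> None:
        self.passcode = passcode
        self.failed_attempts = 0
        self.wiped = False

    def clone(self) -> "NandImage":
        # The chip reader/programmer step: a byte-exact copy of the flash contents.
        return copy.deepcopy(self)


class Phone:
    """Lock-screen front end. With counter_in_sep=True the failure count lives in
    a counter the attacker cannot rewrite, as a Secure Enclave would hold it."""

    def __init__(self, nand: NandImage, counter_in_sep: bool = False) -> None:
        self.nand = nand
        self.counter_in_sep = counter_in_sep
        self.sep_failures = 0

    def failures(self) -> int:
        return self.sep_failures if self.counter_in_sep else self.nand.failed_attempts

    def _record_failure(self) -> None:
        if self.counter_in_sep:
            self.sep_failures += 1
        else:
            self.nand.failed_attempts += 1
        if self.failures() >= WIPE_AT:   # reached only by an attacker who waits out the delays
            self.nand.wiped = True

    def try_passcode(self, guess: str) -> bool:
        """One entry at the lock screen. Raises when the policy blocks entry."""
        if self.nand.wiped:
            raise RuntimeError("device wiped, key material gone")
        if self.failures() >= FREE_TRIES:
            raise RuntimeError(f"delay engaged after {self.failures()} failures")
        if guess == self.nand.passcode:
            return True
        self._record_failure()
        return False


def mirror_attack(phone: Phone, candidates) -> tuple:
    """Dump the chip once, then repeat: boot, enter FREE_TRIES guesses, power
    down, write the original image back. Returns (passcode_or_None, cycles, reason)."""
    backup = phone.nand.clone()          # create and verify the backup copy
    pending = list(candidates)
    cycles = 0
    while pending:
        cycles += 1
        batch, pending = pending[:FREE_TRIES], pending[FREE_TRIES:]
        for guess in batch:
            try:
                if phone.try_passcode(guess):
                    return guess, cycles, "found"
            except RuntimeError as blocked:
                return None, cycles, str(blocked)
        phone.nand = backup.clone()      # restore: a counter stored in NAND goes back to zero
    return None, cycles, "exhausted"


def estimated_hours(space: int) -> float:
    """Worst-case wall-clock time for a full scan of `space` passcodes."""
    return math.ceil(space / FREE_TRIES) * CYCLE_SECONDS / 3600


def four_digit_codes():
    return (f"{n:04d}" for n in range(10_000))


if __name__ == "__main__":
    # iPhone 5c model: the counter is in NAND, so every restore resets it.
    weak = Phone(NandImage("7341"))
    print(mirror_attack(weak, four_digit_codes()))
    print(f"full 4-digit scan: {estimated_hours(10_000):.1f} h")

    # Counter outside the mirrored image: the cycle after the first restore hits the delay.
    strong = Phone(NandImage("7341"), counter_in_sep=True)
    print(mirror_attack(strong, four_digit_codes()))
```

The two runs make the design point: the mirroring attack does not defeat the retry policy, it defeats where the retry counter is stored. On the 5c model the scan finishes in ceil(10000/6) = 1667 cycles of 90 s, about 41.7 hours, matching the paper's "about 40 hours"; with the counter held outside the image the very next entry after a restore is already in the delay, and an attacker who waits the delays out walks into the wipe.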

As Skorobogatov notes, the attack is hard to explain fully on paper, so he also made a video demonstrating it, which is shown below.

Susan Landau, a security researcher at the Worcester Polytechnic Institute Department of Social Science and Policy Studies, said Skorobogatov's work showed the FBI should boost its own technical capabilities instead of pushing for dangerous mandated backdoors.

“We need to increase law enforcement's capabilities to handle encrypted communications and devices. This will also take more funding as well as redirection of efforts. Increased security of our devices and simultaneous increased capabilities of law enforcement are the only sensible approach to a world where securing the bits, whether of health data, financial information, or private emails, has become of paramount importance,” she wrote on the LawFare blog.


Liam Tung, CSO Australia
