Researcher hacks iPhone 5c device of San Bernardino shooter Rizwan Syed Farook with just $100 hardware — Remember, the FBI had paid $1.3 million to get Farook’s iPhone unlocked.
It has been over six months since Apple was contacted by the Federal Bureau of Investigation (FBI) to help the bureau access data present on Rizwan Syed Farook’s iPhone 5c.
The FBI and Apple got into a heated debate that reached the courtrooms over this issue and much has already been said about whether the iPhone maker should have let the agency unlock the encrypted information contained on the killer’s smartphone or not.
The FBI was desperate for the information and the agency could not access the data present on the device, due to Apple’s strong encryption technology. The FBI’s claim was that there was no possible way for the agency to unlock the attacker’s iPhone and thus, it needed Apple’s cooperation. The FBI also claimed that it was impossible to crack the data using NAND mirroring and thus, the agency needed Apple to cooperate. In the end, with the help of an Israeli company and a massive price of $1.3 million, the agency was able to unlock the iPhone. A researcher has now proven that it was easily possible to hack an iPhone 5c device with the mirroring technique simply by using $100 hardware.
Sergei Skorobogatov, a security researcher at Cambridge University, claims that it is possible to get through the iPhone 5c’s PIN code security measure via NAND mirroring. In other words, he has proven that the FBI’s claims were based on a false premise.
The researcher proved it by removing the NAND memory chip from the circuit board of an iPhone 5c and rewriting its data repeatedly, so that the count of incorrect PIN codes entered on the phone’s lock-screen could be rolled back. It is a commonly known fact that the iPhone locks itself after ten incorrect PIN code attempts, but Skorobogatov showed that with a cheap hardware device, any hacker can keep on entering four-digit PINs for as long as 24 hours.
In a research paper published by Skorobogatov [PDF], the researcher explained that this is the first time anyone has publicly demonstrated the “real hardware mirroring process for iPhone 5c.” He further noted that “Any attacker with sufficient technical skills could repeat the experiments.”
This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c. Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection. Also some reliability issues related to the NAND memory allocation in iPhone 5c are revealed. Some future research directions are outlined in this paper and several possible countermeasures are suggested. We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised.
According to Skorobogatov, this technique can be automated and streamlined through a USB keyboard to enter PIN codes from a pre-programmed script. He believes that this can be developed into a “fully automatic setup and used as a tool for brute-forcing passcodes in real devices.”
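To make the mechanism concrete, here is an added toy model (constructed for this article, not code from Skorobogatov’s paper or from iOS) of a passcode retry counter kept in mirrorable NAND. It shows why restoring an earlier image of the chip defeats the ten-attempt limit, and why a counter anchored outside the mirrored storage (a hypothetical SoC-side counter, assumed here as a countermeasure) does not roll back.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

MAX_RETRIES = 10  # the device locks after ten wrong passcodes, as the article states


@dataclass
class NandFlash:
    """Contents of the removable NAND chip: everything here can be imaged and restored."""
    retry_counter: int = 0


@dataclass
class Device:
    passcode: str
    nand: NandFlash = field(default_factory=NandFlash)
    # Hypothetical countermeasure (assumption, not an iPhone 5c feature): a second
    # counter kept in the SoC. It is not part of the NAND image, so a restore
    # cannot roll it back. None means the device relies on the NAND counter only.
    soc_counter: Optional[int] = None

    def locked(self) -> bool:
        effective = self.nand.retry_counter
        if self.soc_counter is not None:
            effective = max(effective, self.soc_counter)
        return effective >= MAX_RETRIES

    def try_passcode(self, guess: str) -> str:
        """Return 'locked', 'ok' or 'wrong'; wrong guesses bump every counter present."""
        if self.locked():
            return "locked"
        if guess == self.passcode:
            return "ok"
        self.nand.retry_counter += 1
        if self.soc_counter is not None:
            self.soc_counter += 1
        return "wrong"


def mirror_image(dev: Device) -> NandFlash:
    """Take a copy of the NAND contents (what the desoldered chip lets one read)."""
    return copy.deepcopy(dev.nand)


def restore_image(dev: Device, image: NandFlash) -> None:
    """Write a saved image back, resetting whatever state lived in NAND."""
    dev.nand = copy.deepcopy(image)


def wrong_guesses_until_lock(dev: Device, mirroring: bool, budget: int = 100) -> int:
    """Count how many wrong guesses the device accepts before it locks (capped at budget).
    With mirroring, the saved image is restored just before the NAND counter hits the limit."""
    image = mirror_image(dev) if mirroring else None
    submitted = 0
    while submitted < budget:
        if mirroring and dev.nand.retry_counter == MAX_RETRIES - 1:
            restore_image(dev, image)  # roll the NAND-resident counter back
        if dev.try_passcode("not-the-passcode") != "wrong":
            break  # 'locked': the limit held
        submitted += 1
    return submitted
```

Without mirroring the model locks after ten wrong guesses; with mirroring and only a NAND-resident counter it never locks, and only the SoC-anchored counter restores the limit.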
There is nothing to worry about, though. The technique does not threaten the latest versions of the iPhone, since these newer models’ hardware is quite different from, and more advanced than, the iPhone 5c’s, and is therefore much harder to hack.
From another perspective, the whole dispute that occurred between Apple and the FBI over gaining access to the attacker’s phone seems like an attempt to set a precedent to force tech firms to cooperate with the agency in the future. It can be so because a California magistrate was convinced by the FBI to order Apple to help the agency unlock the attacker’s phone, since the bureau had run out of options.
The case against Apple was eventually dropped by the FBI, citing that the bureau had identified a way to unlock the killer’s phone. However, Skorobogatov opines that “This really shows the FBI was lacking in its research and due diligence. Setting the precedent was more important than doing the research.”