'NAND mirroring' could let FBI break into iPhone without Apple's help, researchers say

Whether or not Cellebrite is involved, the FBI may be able to unlock the iPhone of San Bernardino shooter Syed Farook through a process known as "NAND mirroring," security researchers explained on Wednesday.

Image Credit: iFixit

The technique involves removing NAND storage from a device, copying it using a chip reader, and then reattaching the original chip using a harness, Jonathan Zdziarski told Re/code. That way, investigators always have a fallback -- even in the case of Farook's phone, which is set to self-delete its data after hitting iOS 9's passcode retry limit.

Matthew Green, a cryptographer and assistant professor at the Johns Hopkins Information Security Institute, observed that while the process can circumvent encryption, it remains a dangerous approach. Investigators must de-solder a NAND chip to remove it, which runs the risk of doing damage and losing access entirely.

Farook's iPhone, a 5c, is one of the last iPhone models the technique could apply to, since anything with Touch ID -- and hence a Secure Enclave -- would theoretically be immune.
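The reason mirroring works against one design and not the other comes down to where the retry counter lives. The toy model below is an added example, not code from the article or from any researcher or firm it names; it assumes a retry limit of 10 (`MAX_ATTEMPTS`), uses a plain SHA-256 as a stand-in for the real passcode verifier, and the class and function names (`FlashCounterDevice`, `SecureElementDevice`, `guess_with_mirroring`) are hypothetical. It models the procedure the article describes (image the storage once, write the image back whenever the device wipes) against a device whose counter sits in the mirrored storage and against one whose counter sits in a separate element that the image does not cover, which is the role the article assigns to the Secure Enclave.

```python
import hashlib

MAX_ATTEMPTS = 10  # assumed retry limit; stands in for the article's "iOS 9 passcode retry limit"


def _verifier(passcode: str) -> str:
    """Toy passcode verifier. A real device binds this to a hardware key;
    here a plain SHA-256 is enough to model 'right guess' vs 'wrong guess'."""
    return hashlib.sha256(passcode.encode()).hexdigest()


class FlashCounterDevice:
    """Hypothetical device whose retry counter and wipe flag live in the same
    rewritable flash as the user data. Copying that flash and writing it back
    therefore rolls the counter back too: the weakness mirroring relies on."""

    def __init__(self, passcode: str):
        self.flash = {"verifier": _verifier(passcode), "attempts": 0, "wiped": False}

    def snapshot(self) -> dict:
        return dict(self.flash)          # the 'chip reader' copy

    def restore(self, image: dict) -> None:
        self.flash = dict(image)         # writing the copy back

    def is_wiped(self) -> bool:
        return self.flash["wiped"]

    def try_passcode(self, guess: str) -> str:
        if self.flash["wiped"]:
            return "wiped"
        if _verifier(guess) == self.flash["verifier"]:
            return "unlocked"
        self.flash["attempts"] += 1
        if self.flash["attempts"] >= MAX_ATTEMPTS:
            self.flash["wiped"] = True   # data key discarded; stored data unrecoverable
            return "wiped"
        return "denied"


class SecureElementDevice(FlashCounterDevice):
    """Same device, but the counter and wipe state live in a separate
    tamper-resistant element that is not part of the flash image.
    Restoring flash does not touch it, so the retry limit survives."""

    def __init__(self, passcode: str):
        super().__init__(passcode)
        self.flash = {"verifier": self.flash["verifier"]}   # nothing resettable left in flash
        self.element = {"attempts": 0, "wiped": False}      # state outside the image

    def is_wiped(self) -> bool:
        return self.element["wiped"]

    def try_passcode(self, guess: str) -> str:
        if self.element["wiped"]:
            return "wiped"
        if _verifier(guess) == self.flash["verifier"]:
            return "unlocked"
        self.element["attempts"] += 1
        if self.element["attempts"] >= MAX_ATTEMPTS:
            self.element["wiped"] = True
            return "wiped"
        return "denied"


def guess_with_mirroring(device, candidates):
    """Model of the procedure in the article: image the flash once, guess,
    and write the image back whenever the device wipes. Returns the outcome
    and how many guesses were possible before it."""
    image = device.snapshot()
    total = 0
    for guess in candidates:
        total += 1
        outcome = device.try_passcode(guess)
        if outcome == "unlocked":
            return "unlocked", total
        if outcome == "wiped":
            device.restore(image)
            if device.is_wiped():        # counter was not in the image: restore bought nothing
                return "wiped", total
    return "exhausted", total


if __name__ == "__main__":
    pins = [f"{i:04d}" for i in range(10000)]   # constructed candidate list
    print(guess_with_mirroring(FlashCounterDevice("0042"), pins))   # ('unlocked', 43)
    print(guess_with_mirroring(SecureElementDevice("0042"), pins))  # ('wiped', 10)
```

With the counter in flash, every wipe is undone by writing the image back, so the candidate list can be walked to its end; with the counter in a separate element the tenth wrong guess ends the exercise regardless of how many flash images were kept. The design lesson for anyone building a retry limit is the same as the article's Secure Enclave point: state that enforces a limit must not live in storage that can be copied and restored from outside.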

Zdziarski speculated that, whoever is helping the FBI, the short two-week testing window requested by the U.S. Justice Department suggests the government is using an off-the-shelf unlock solution from a forensic firm.

Just one day before a review of the court order issued to Apple, the Justice Department asked to postpone the hearing, saying that "an outside party" had shared a possible method of cracking Farook's phone without asking Apple to build a passcode limit removal. Earlier today reports identified that party as Cellebrite, an Israeli forensics firm.

Comments

  • Reply 1 of 51
    rezwits Posts: 879 member
    What about Error 53, when they try to put it back together tho?
  • Reply 2 of 51
    This is what I was saying in one of my previous posts. Take out the hardware and access the data that way. 

    This was only partly about accessing that specific data however and yet mostly to do with setting a new benchmark for accessing private data via a "backdoor": 
  • Reply 3 of 51
    hmlongco Posts: 537 member
    rezwits said:
    What about Error 53, when they try to put it back together tho?
    They're not replacing the TouchID sensor, so np.
  • Reply 4 of 51
    sog35 said:
    What the FBI wanted Apple to do was a software hack. With software hacks you can access phones WITHOUT possession. And with a backdoor you can access MILLIONS of phones at the same time. In your home. IN your bedroom. That is what I'm afraid of.
    Why does it matter to you if the FBI can access private data on suspicion of criminal activity? Why are you "afraid"?
    edited March 2016
  • Reply 5 of 51
    NemWan Posts: 118 member
    sog35 said:
    What the FBI wanted Apple to do was a software hack. With software hacks you can access phones WITHOUT possession. And with a backdoor you can access MILLIONS of phones at the same time. In your home. IN your bedroom. That is what I'm afraid of.
    Why does it matter to you if the FBI can access private data on suspicion of criminal activity? Why are you "afraid"?
    The U.S. is not the only government with jurisdiction over iPhone users in the world. You can't pick which ones to secure it from.
  • Reply 7 of 51
    snova Posts: 1,281 member
    sog35 said:
    What the FBI wanted Apple to do was a software hack. With software hacks you can access phones WITHOUT possession. And with a backdoor you can access MILLIONS of phones at the same time. In your home. IN your bedroom. That is what I'm afraid of.
    Why does it matter to you if the FBI can access private data on suspicion of criminal activity? Why are you "afraid"?
    You can't authenticate WHO is hacking into your phone. That's the challenge.
  • Reply 8 of 51
    hmlongco Posts: 537 member
    sog35 said:
    This is the type of hacking I want to see. Hardware hacks. This means you need possession of the phone.
    The issue now becomes what constitutes "possession"? What if the police have your phone after an arrest? When you're brought in for questioning? During a routine traffic stop? What about a TSA or HS agent who detains you at an airport or border crossing?
  • Reply 9 of 51
    gtr Posts: 3,231 member
    ...
    edited March 2016
  • Reply 10 of 51
    Well, that will get them something they can hack without erasing the data.
    They may still not be able to decrypt the data.
    It may take 100 years, by which time ISIS will be long gone and the USS Enterprise will be running iOS for spaceships.

    I believe that Apple has hired some firmware security folks that may prevent this kind of hardware hacking in the future.

    Time will tell.
  • Reply 11 of 51
    bsimpsen Posts: 398 member
    sog35 said:
    This is the type of hacking I want to see. Hardware hacks. This means you need possession of the phone.
    If Apple did the secure enclave correctly in the iPhone 6/6s, it'll take something far more sophisticated than NAND mirroring to crack. They'll have to de-cap the chip and try to probe. And it's fairly easy to make a chip unprobe-able, so even that avenue can and will be cut off in the future. Uncrackable encryption is here to stay.
  • Reply 12 of 51
    pmz Posts: 3,433 member
    Can't wait to hear about the fake data they extract from the phone and the fake terror plot they are able to foil as a result.

    Lies, lies, bullshit, and more lies.
  • Reply 13 of 51
    cali Posts: 3,494 member
    sog35 said:
    What the FBI wanted Apple to do was a software hack. With software hacks you can access phones WITHOUT possession. And with a backdoor you can access MILLIONS of phones at the same time. In your home. IN your bedroom. That is what I'm afraid of.
    Why does it matter to you if the FBI can access private data on suspicion of criminal activity? Why are you "afraid"?
    Did you not comprehend his post?

    Someone in a bedroom. Meaning anyone can access your back door once it's created.
  • Reply 14 of 51
    radarthekat Posts: 3,842 moderator
    Would suck if the count has already been incremented to 9. A clever terrorist could simply leave the phone in that state on the day he's about to go on his killing spree. Then, the very first time the FBI tries a passcode, the phone proceeds to wipe itself. All that work to copy the counter so that it could be reset, while assuming it's at zero, would go up in smoke.
    edited March 2016
  • Reply 15 of 51
    Time to upgrade from the 5....
  • Reply 16 of 51
    crosslad Posts: 527 member
    If this phone had been any later model than the 5c the FBI could have just used the terrorist's thumb to unlock the phone.
  • Reply 17 of 51
    Dude_ Posts: 3 member
    Nicely written article that seems to omit the OBVIOUS. NAND mirroring only replaces the data on the phone. All of the security is located in the Processor, this according to Apple's documentation. So while you may be able to save the data after the try and wipe process, this process does nothing to restore the phone access functionality. From what I understand once the 10 try counter reaches 10 the phone will always wipe data from the phone even if a successful passkey is entered via the GUI. Restoring the phone access is what decrypts the data without knowing what the encryption key is. Altering the processor has its own hazards given that there are hash signed certificates that ensure that only authorized and unaltered code is executed. Apple's security white paper states that the security features are stored in the boot ROM with keys burnt into the ROM at the factory. Much of this information is also stated in court documents provided by the FBI. Then there's the very simple question: NAND mirroring is such a simple process that it boggles one's mind to think that the FBI hasn't thought of doing this given that the San Bernardino phone is not the first phone the FBI has that they can't unlock. BTW, court documents state that the iOS is 9, not 8, but the phone processor does not have a secure enclave. A secure enclave only makes the processor more secure, not the data on the NAND chip.

    The process that seems to be most viable is the delayering of the processor to expose the encryption key, and the key itself might be encrypted. The problem: you get one shot. The FBI has also mentioned the Israeli firm Cellebrite, a well recognized firm that has developed software to hack other iPhones without altering the phone in any way. The OS noted by the FBI in court documents is iOS 4.
  • Reply 18 of 51
    CMA102DL Posts: 121 member
    Dude_ said:
    Then there's the very simple question: NAND mirroring is such a simple process that it boggles one's mind to think that the FBI hasn't thought of doing this given that the San Bernardino phone is not the first phone the FBI has that they can't unlock.
    Congressman Issa asked the same question to Comey about whether the FBI had tried this approach before arm twisting Apple. Comey came clean that mirroring had been suggested before. The FBI is just jumping on this after realizing that they simply cannot make a person or a company do something against their will. This is government bureaucracy.
  • Reply 19 of 51
    lkrupp Posts: 10,557 member
    crosslad said:
    If this phone had been any later model than the 5c the FBI could have just used the terrorist's thumb to unlock the phone.
    Baloney. TouchID doesn't work on dead tissue. All those scenarios about cutting fingers off are pure bullshit. But you read it on the Internet so it must be true, right?
  • Reply 20 of 51
    rob53 Posts: 3,251 member
    crosslad said:
    If this phone had been any later model than the 5c the FBI could have just used the terrorist's thumb to unlock the phone.
    Not necessarily. TouchID is supposed to only work with a live finger even though people supposedly have shown it work. Plus, you only get three attempts before it requires passcode. How many times have you messed up with a live finger?