Technique known as NAND mirroring, which focuses on bypassing limit on password retry attempts, can be used to break into any model up to the 6
The FBI paid more than $1.3m to unlock the San Bernardino shooter’s iPhone 5C, but one computer scientist from Cambridge University has shown that the passcodes can be hacked using a store-bought kit worth less than $100.
Sergei Skorobogatov demonstrated a technique known as NAND mirroring – dismissed by the FBI director, James Comey, as being unworkable – to break into any model of iPhone up to the iPhone 6, including the iPhone 5C. He outlined the attack in a paper published last week as well as a YouTube video.
The technique focuses on bypassing the limit on password retry attempts. Typically the iPhone will lock users out after six failed attempts to guess the passcode. In eliminating this restriction, anyone trying to break into an iPhone can run through many different combinations of characters until the phone is unlocked.
To achieve this, Skorobogatov soldered off the phone’s NAND chip, the main memory storage system used on many Apple devices. The researcher was then able to reverse-engineer the way the memory system communicated with the phone to create a cloned version of the chip with the password attempt counter set to zero.
“Because I can create as many clones as I want, I can repeat the process many, many times until the passcode is found,” he explained in the video. Each run of six attempts takes around 90 seconds, so to go through a full cycle of all 10,000 potential four-digit passcodes would take around 40 hours – less than two days. Cracking six-digit passcodes would take much longer.
The kit required for the attack can be bought online from eBay, Amazon or Alibaba for around £75 ($100), said Skorobogatov. A similar technique could also be used for newer models including the iPhone 6S and iPhone 7, although “more sophisticated hardware will be required”, wrote Skorobogatov.
In April, Comey revealed that the FBI had paid about $1.3m to a third party for software to hack into the iPhone of San Bernardino gunman Syed Farook. “It was, in my view, worth it,” he said.
At the time Apple had declined to help the bureau break into the phone, arguing it would require weakening the security of all iPhones. This led the US government to issue Apple with a court order to try to force the tech company to give so-called “backdoor access” into Farook’s phone, something Apple battled with a high-profile legal and PR campaign.
The US government subsequently dropped the case after paying an undisclosed, specialist company to break into the phone.
Before gaining access to the phone and its contents, the FBI said it had considered many different techniques, including the NAND mirroring approach. “It doesn’t work,” said Comey at the time. Skorobogatov had demonstrated that he was wrong.
“Skorobogatov was able to do what the FBI said was impossible,” said security and policy researcher Susan Landau in a blogpost.
“The moral of the story? The solution is not, as the FBI has been saying, a bill to make it easier to access encrypted communications, as in the proposed revised Burr-Feinstein bill. Such ‘solutions’ would make us less secure, not more so. Instead we need to increase law enforcement’s capabilities to handle encrypted communications and devices.”