Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Researcher Proves FBI Wrong With iPhone Passcode Hack

Expert Shows FBI Could Have Easily Hacked San Bernardino Shooter’s iPhone 

Expert Shows FBI Could Have Easily Hacked San Bernardino Shooter’s iPhone 

A researcher has demonstrated that a known hardware hacking method could have been used to bypass the passcode retry limitations on the San Bernardino shooter’s iPhone, despite the FBI’s claims that the technique would not work.

In December 2015, Syed Rizwan Farook and his wife Tashfeen Malik killed 14 people in a mass shooting in San Bernardino, California, and they later died in a shootout with police. Investigators believed Farook’s work-issued iPhone 5c could contain important evidence, but they could not access it because the device was protected by a passcode and the security mechanisms implemented by Apple prevented brute-force attacks.

The FBI tried to convince a judge to force Apple to create a backdoor to the iPhone, but the tech giant refused, arguing that it would create a dangerous precedent. In the end, the agency managed to hack Farook’s iPhone with the help of an unidentified “outside party,” and reportedly paid as much as $1 million to get the job done.

While the FBI was trying to figure out how to access the data on the phone without triggering its security mechanisms, which could result in the data getting erased, iPhone forensics experts suggested a hardware hacking technique known as NAND mirroring. However, FBI Director James Comey said during a press conference in March that the technique would not work on Farook’s phone.

Sergei Skorobogatov of the University of Cambridge in the United Kingdom has proved the FBI wrong and demonstrated that NAND mirroring does work in these types of scenarios.

NAND mirroring involves removing the NAND flash memory chip from the device by desoldering it and creating backup copies or clones of the chip. By cloning the chip, the original memory is fully preserved while the copies can be used as many times as necessary to figure out the 4-digit passcode.

Skorobogatov conducted a successful attack using off-the-shelf components bought from an electronics distributor for less than $100.

Advertisement. Scroll to continue reading.

NAND chip removed from iPhone

An iPhone is disabled for one minute after six incorrect passcode entry attempts to prevent brute-force attacks. In scenarios where a backup of the NAND memory is created and the NAND is restored from this backup after every six attempts, the expert calculated that it would take roughly 40 hours to scan all possible 4-digit codes.

If the NAND chip is cloned and a number of clones are created in advance and restored in parallel while the test is being conducted, the maximum attack time decreases to 20 hours.

Skorobogatov noted that while he conducted his experiments on an iPhone 5c, iPhone 5s and 6 use the same type of NAND flash memory so it’s likely that the attack works on these models as well, although more sophisticated equipment might be needed.

It’s unclear what method has been used to crack Farook’s phone, but experts pointed out that Skorobogatov’s research once again shows that encryption backdoors are not the answer, as proposed by some U.S. lawmakers. Susan Landau, a faculty member in the Worcester Polytechnic Institute Department of Social Science and Policy Studies, noted that a better solution is to increase the security of devices while law enforcement improves its cyber security expertise.

“The moral of the story? It’s not, as the FBI has been requesting, a bill to make it easier to access encrypted communications, as in the proposed revised Burr-Feinstein bill,” Landau explained. “Such ‘solutions’ would make us less secure, not more so. Instead we need to increase law enforcement’s capabilities to handle encrypted communications and devices. This will also take more funding as well as redirection of efforts.”

Related: Multiple Passcode Bypass Vulnerabilities Discovered in iOS 9

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.