An outside contractor with established ties to the FBI has most likely shown investigators how to circumvent the iPhone's security measures by copying the contents of the device's flash storage, a forensics expert said today.
Called "NAND mirroring," the technique relies on using numerous copies of the iPhone storage to input possible passcodes until the correct one is found.
"The other ideas, I've kind of ruled out," said Jonathan Zdziarski in an interview. Zdziarski is a noted iPhone forensics and security expert. "None of them seemed to fit."
Those other methods, Zdziarski continued, had to be scratched because they posed dangers to the data, would have been unpalatable to the FBI, could have been explored much earlier in the ongoing dispute with Apple over the iPhone 5C used by Syed Rizwan Farook, or would take much longer than the two weeks the Department of Justice has given itself.
Farook, along with his wife, Tashfeen Malik, killed 14 people in San Bernardino, Calif., on Dec. 2, 2015. The two died in a shootout with police later that day. Authorities quickly called it a terrorist attack.
Last month, the government obtained a court order compelling Apple to write software that would let the FBI electronically blast the iPhone with passcode guesses in the hope of unlocking it, then extracting data from the device. Apple has contested the order.
In obtaining that order, and subsequently, the DOJ repeatedly said in court filings that only Apple was in a position to help. But on Monday, the DOJ made an about-turn, telling the federal magistrate overseeing the case that it had a lead on an alternate way to crack the iPhone.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the DOJ's brief stated. "Testing is required to determine whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple."
The government asked the court to postpone a hearing scheduled for Tuesday, March 22, then promised to provide the court with a status update by April 5.
That led security and forensics experts like Zdziarski to wonder what the "possible method" was.
Zdziarski struck several other techniques from his list of possibilities, and by a process of elimination concluded that NAND mirroring was it.
"They're not going to talk to the jailbreak crowd," Zdziarski said, referring to hackers who look for iOS vulnerabilities that can be exploited to let users add unsanctioned apps to an iPhone. He said that he and other reputable researchers had been turned away by the FBI when they volunteered to help. If they met a blank wall, jailbreak artists would have gotten nowhere, he reasoned.