Here's how the FBI plans to crack terrorist's iPhone

Gregg Keizer | March 24, 2016
In turn-about, government now says Apple's help not needed; 'outside party' has likely demonstrated 'NAND mirroring' technique, says iOS forensics expert

Other avenues, such as "de-capping," a term used to describe a tear-down of the iPhone's processor using acid and lasers, were also out, Zdziarski said, because they risked destroying the very thing the FBI claimed it needed, the data on Farook's phone.

That left NAND mirroring.

The technique, while advanced, is relatively straightforward. After opening the iPhone, the device's processor is desoldered from the circuit board. Its contents are copied, then the results dumped into a chip reader/programmer, which Zdziarski said was analogous to a CD or DVD burner, but for silicon chips.

With the ability to make an unlimited number of copies from the original data, the "outside party" could try passcodes on one copy until 10 incorrect guesses -- at which point no more are allowed, one of the security safeguards Apple was asked to circumvent. That copy could then be discarded and a fresh version re-copied onto a chip for another 10-guess run.

"It's like saved video games," said Zdziarski. As in a saved game, where a player can re-play a level over and over until she succeeds, the saved data can be subjected to a passcode combination again and again.

According to the government, Farook's iPhone used a four-digit passcode, which would result in 10,000 permutations, a low enough number to be possible to brute force using NAND mirroring, but one high enough that it may take the two weeks the DOJ has given itself to report back to the federal magistrate.
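The following toy model is an added example, not code from the article or from Zdziarski's analysis; it shows why a 10-guess limit fails when its counter lives in storage that can be copied and rewritten, and holds when the counter lives somewhere a rewrite cannot reach. `ToyDevice`, `replay_search` and `fixed_counter` are hypothetical names, and the second configuration is an assumption made for comparison, not a description of any actual iPhone.

```python
# Toy model (constructed for illustration): a retry limit is only as strong as
# the storage that holds its counter. Nothing here models real iOS internals.
from dataclasses import dataclass, field

MAX_ATTEMPTS = 10  # retry limit described in the article

@dataclass
class ToyDevice:
    secret: str
    counter_in_flash: bool       # True: counter is part of the copyable image
    flash: dict = field(default_factory=lambda: {"failed": 0})
    fixed_counter: int = 0       # hypothetical counter outside the flash image

    def failed(self) -> int:
        return self.flash["failed"] if self.counter_in_flash else self.fixed_counter

    def try_passcode(self, guess: str) -> str:
        if self.failed() >= MAX_ATTEMPTS:
            return "locked"
        if guess == self.secret:
            return "ok"
        if self.counter_in_flash:
            self.flash["failed"] += 1
        else:
            self.fixed_counter += 1
        return "wrong"

    def snapshot(self) -> dict:
        return dict(self.flash)      # the "mirror": a copy of flash contents only

    def restore(self, image: dict) -> None:
        self.flash = dict(image)     # rewrites flash; cannot touch fixed_counter

def replay_search(device: ToyDevice, digits: int = 4):
    """Return (passcode or None, guesses made, restores performed)."""
    image, restores, guesses = device.snapshot(), 0, 0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        result = device.try_passcode(guess)
        if result == "locked":
            device.restore(image)    # write the saved copy back
            restores += 1
            result = device.try_passcode(guess)
            if result == "locked":   # restore did not reset the counter
                return None, guesses, restores
        guesses += 1
        if result == "ok":
            return guess, guesses, restores
    return None, guesses, restores
```

In the worst case for a four-digit passcode the restorable design gives way after 10,000 guesses and 999 restores, while the design with the counter outside the copied image stays locked after the first ten guesses.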

Inputting passcodes may seem tedious, but the method would almost certainly be automated, at least in part. "There won't be some intern punching this in," Zdziarski said. Instead, it's likely that the party the FBI mentioned has automated some sections of the procedure, perhaps also narrowed down the portion of the iPhone's processor that contains the passcode recognition so that they're not copying its entire contents again and again.

The passcodes would be entered electronically -- another government requirement when it demanded Apple's help -- via the iPhone's USB port. That technique has already been used previously by some forensics firms, Zdziarski asserted, to brute force iPhones running older editions of iOS.

"All of this paints a pretty clear picture: The leading theory at present is that an external forensics company, with hardware capabilities, is likely copying the NAND storage off the chip and frequently re-copying all or part of the chip's contents back to the device in order to brute force the [passcode], and may or may not also be using older gear from iOS 8 techniques to do it," Zdziarski wrote in a detailed analysis posted to his website Monday. "The two weeks the FBI has asked for are not to develop this technique (it's most likely already been developed, if [the] FBI is willing to vacate a hearing over it), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units."

