The FBI ended up dropping the case after using a “tool” from a third party that unlocked the data from the iPhone.
Advertisement
Skorobogatov told SearchSecurity that the most hard part of the iPhone hack was reverse engineering Apple’s proprietary bus protocol.
He found Apple employed security-through-obscurity rather than “fully thought through” hardening in its protection against NAND mirroring attacks.
Finding a four-digit code took about 40 hours of work, Dr Skorobogatov said.
He demonstrated the fruits of his labour in a YouTube video, which clearly shows him making more than the regulation number of passcode entries by switching a fresh, identical chip into a physical port he’d attached to the phone he was attacking.
A researcher demonstrated an low-cost iPhone hack that could help with future law enforcement investigations, but it is unclear if the process can be extended to newer iPhone models. “Once it was figured out the implementation of mirroring was relatively straightforward”, Skorobogatov said.
Skorobogatov says his set up could help Apple and others find hardware security problems and reliability issues, citing his discovery that some NAND chips from broken iPhone 5c main boards had specific blocks that had failed due to excessive rewriting. He then worked out how it communicated with the phone and cloned the chip.
With this basis and a little refinement, it is possible for a determined hacker to use the technique to brute-force the re-engineered iPhone’s passcode, giving full access without the possibility of overwriting the memory too much and changing vital information within.
This allows someone wanting to access the phone to make unlimited attempts to crack the passcode without the phone locking forever.
The extent of the usefulness of a NAND mirroring iPhone hack is also under question. He admitted that the process could be improved, but said that it is still a successful proof-of-concept.
“The Secure Enclave makes a clear distinction by design between the iPhone’s “open user zone” – what a user interacts with – and the “secured zone” – trusted/secured execution – compartmented for both hardware and software which would in theory help prevent the tamper bleed over from hacking hardware only via NAND mirroring”, Tran said.
Back in April, the Federal Bureau of Investigation reportedly paid at least $1.3 million (£900,000) to hack into the iPhone of San Bernardino killer Syed Farook.
In order to analyse iPhone 7 for any threats an advanced team of researchers will be necessary, this of course requires substantial funding.
Advertisement
And because Android phones are “normally based on standard NAND products, reading them and cloning should be easier because standard off-the-shelf programmes can be used”.
