Relatively simple hardware used to defeat iPhone passcode security

A computer scientist from Cambridge University has proven it is possible to bypass an iPhone passcode using just $100 of electronic components.

The relative simplicity runs counter to the FBI’s claim earlier this year that hacking an iPhone passcode was all but impossible.

iPhone 5c passcode

The FBI’s claim followed its attempts to gain access to the iPhone owned by San Bernardino gunman Syed Rizwan Farook. The Bureau believed his iPhone 5C held important information about collaborators; however, its security system prevented investigators from accessing this data. 

In what turned out to be a very public call to assistance, the FBI asked Apple to provide a software backdoor into the phone, a request the company refused. At the end of it all, the FBI (supposedly) resorted to paying a software company $1 million to retrieve information from the phone. 

Well, it appears all of this headache could well have been avoided had the FBI first contacted Dr. Sergei Skorobogatov from the University of Cambridge. In a published paper, Dr. Skorobogatov details how he was able to remove the phone’s NAND chip (the main memory storage system), figure out how the system communicated with the phone, and then move ahead with cloning the chip itself. He also modified the targeted phone so its NAND chip sat on an external board and copied versions of it could be plugged in, or otherwise removed, without disrupting the device.

Once the system was set up, Dr. Skorobogatov locked the iPhone 5c by trying too many incorrect combinations. When the system refused additional attempts, he simply removed the NAND chip and inserted a clone, which had its PIN attempt counter set to zero; this, in turn, allowed Dr. Skorobogatov to keep trying different codes.

“Because I can create as many clones as I want, I can repeat the process many times until the passcode is found,” he explained.

This technique is nothing new – it’s actually referred to as “NAND mirroring.” What makes it remarkable in this instance is its success when FBI director James Comey specifically said it would not work on Farook’s phone.

Dr. Skorobogatov explained the process took about 40 hours of work to find the correct four-digit passcode. He surmised that it could take a few hundred hours to find a six-digit passcode. At the end of the day, though, it worked.
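The point of the technique described above is that the retry limit is only as strong as the storage holding the attempt counter: if that counter lives on a chip that can be imaged and swapped, restoring a clean image resets it. The toy model below is an added example, not code from the article or from Dr. Skorobogatov’s paper; the passcode, the retry limit and the two storage classes are constructed for illustration and do not reflect Apple’s real formats or values.

```python
import copy

RETRY_LIMIT = 10          # constructed: lock after this many wrong guesses
SECRET_PASSCODE = "4729"  # constructed sample value, not a real code

class FlashCounter:
    # Retry counter in ordinary flash: the chip can be imaged and a copy
    # carrying the old counter plugged back in (the NAND-mirroring case).
    def __init__(self):
        self.failures = 0
    def image(self):
        return copy.deepcopy(self)
    def restore(self, image):
        self.failures = image.failures

class SecureElementCounter(FlashCounter):
    # Same counter, but bound to a part that cannot be imaged or swapped.
    def image(self):
        raise PermissionError("counter state is not exportable")
    def restore(self, image):
        raise PermissionError("counter state is not restorable")

def try_passcode(counter, guess):
    # One unlock attempt: True on success, False on a wrong guess,
    # RuntimeError once the retry limit has been reached.
    if counter.failures >= RETRY_LIMIT:
        raise RuntimeError("device locked")
    if guess == SECRET_PASSCODE:
        counter.failures = 0
        return True
    counter.failures += 1
    return False

def attempts_accepted(counter, guesses):
    # Try each guess, restoring a clean image of the counter first whenever
    # the storage permits it. Returns how many attempts the device processed
    # before locking: all of them if the counter could be mirrored, otherwise
    # exactly RETRY_LIMIT.
    try:
        clean = counter.image()   # snapshot taken while failures == 0
    except PermissionError:
        clean = None
    accepted = 0
    for guess in guesses:
        if clean is not None:
            counter.restore(clean)
        try:
            try_passcode(counter, guess)
        except RuntimeError:
            break
        accepted += 1
    return accepted
```

Running `attempts_accepted` with a list of wrong guesses shows the flash-backed counter never locks the device, while the non-exportable counter stops it after `RETRY_LIMIT` attempts.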

Reflecting on the success of his study, Dr. Skorobogatov suggests that a slightly more sophisticated set-up should make it possible to clone memory chips from other iPhones, including the company’s more recent models. This would require a great deal of additional research, though, as it’s not fully understood just yet how Apple stores its data on some of its newer models. 

Of course, Dr. Skorobogatov’s success does raise the question of why the FBI was so quick to request a software backdoor. Most will likely claim incompetence on the Bureau’s part, but it should be pointed out that it was dealing with a terrorist situation, and so was likely looking for a way to access the device’s data sooner rather than later. What this study proves, though, is that while software hacks might seem like a quick and easy solution, it may be worthwhile to invest resources into studying, understanding, and ultimately developing sophisticated hardware and computer security skills within the Bureau and law enforcement agencies.

To learn more, download Dr. Skorobogatov’s paper, entitled “The bumpy road towards iPhone 5c NAND mirroring”.

Via the BBC