Categories
Hardware iPhone News security

Hardware hack for San Bernadino iPhone 5c possible but risky

lockediphone5c

The data onboard the iPhone 5c at the heart of the decryption/unlocking scandal could be accessible via a hardware technique.

This hardware technique, apparently, isn’t for the faint of heart.

In recent days, the American Civil Liberties Union’s technology fellow and former NSA contractor Edward Snowden have suggested a method that would let investigators repeatedly guess the iPhone’s password.

Federal investigators fear San Bernardino shooter Syed Rizwan Farook may have configured his work phone to use an Apple security feature that erases a key for decrypting data after 10 incorrect guesses of the phone’s password.

The forensic technique to get at the data, known as “chip off,” involves removing a NAND flash memory chip and copying its data. If successful, this would yield a decryption key that can be restored if it is erased after incorrect guesses.


The procedure would also bypass the controversial method that’s been suggested wherein the U.S. Justice Department has asked a federal court to order Apple to give the FBI custom software for iOS 9 that can be loaded onto the phone. The software would either disable the auto-erase feature or allow law enforcement to rapidly try different password guesses, or both.

Apple is fighting the order, saying the creation of such software—essentially a backdoor—would put millions of iPhones at risk.

Investigators already have a fair amount of the data from Farook’s online accounts, including backups of his iCloud data, which has been turned over, but Farook’s final iCloud backup is from October 19th, roughly six weeks before the December 2nd San Bernadino shootings. The government contends that the six weeks’ worth of data stored solely on the phone could contain crucial evidence.

The “chip-off” technique, described by Daniel Kahn Gillmor, a technology fellow with the ACLU’s Speech, Privacy and Technology Project, removes the key that is used to encrypt the iPhone’s user data is stored in a section of the phone’s NAND flash chip that Apple calls “effaceable storage.”

To perform a chip-off operation, the Flash chip is de-soldered from the circuit board and then connected it to a NAND flash reader in order to copy its contents.

The chip is then reconnected to the board. If the key is erased after 10 wrong guesses, the backup data can be used to restore it for more attempts.

“If the FBI doesn’t have the equipment or expertise to do this, they can hire any one of dozens of data recovery firms that specialize in information extraction from digital devices,” wrote Gillmor, who couldn’t immediately be reached for comment.

But computer forensics experts, including one who has performed the procedure, say it is slow and delicate with no guarantee of success.

Most chip-off extractions result in the device being destroyed, said Heather Mahalik, principal forensic scientist and team lead for Oceans Edge, a mobile security and development firm. She teaches an advanced smartphone forensics course at the SANS Institute.

“I have done chip off in the past, and getting the phone to work again after is very difficult, so the chances of this working are low,” Mahalik said via email.

Stay tuned for additional details as they become available.

Via Macworld

2 replies on “Hardware hack for San Bernadino iPhone 5c possible but risky”

Comments are closed.