iPhone Forensics Experts Demonstrate Basic Proof Of Concept That The iPhone Hack The FBI Says 'Doesn't Work' Actually Does Work

from the the-fbi-lied-again? dept

When the DOJ announced that the FBI may have miraculously found a way into Syed Farook’s work iPhone after swearing to a court that such a thing was impossible, many people zeroed in on the possibility of “NAND mirroring” as the technique in question. After all, during a Congressional hearing, Rep. Darrell Issa had gone fairly deep technically (for a Congressperson, at least) in asking FBI Director James Comey whether the FBI had tested such a method. Well-known iPhone forensics guru Jonathan Zdziarski wrote up a good blog post explaining why such a technique was the most likely. While recognizing that there are other possibilities, he does a good job breaking down why none of the other possibilities are all that likely, given a variety of facts related to the case (I won’t go through all of that — just go read his post). It’s worth a read. It also has a nice quick explanation of NAND mirroring:

This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.

However, on Friday, we noted that FBI Director James Comey was already denying this was the method, saying that it “doesn’t work.” The FBI also “classified” the method in question which raised some additional eyebrows. Either way, Zdziarski was pretty sure that Comey’s claim that NAND mirroring doesn’t work was bogus:

FBI Director Comey, in a press conference, claims the NAND technique “doesn’t work”; this says more about the credibility of this information than anything. Every expert I’ve consulted (including three hardware forensics firms) believe it works, and multiple firms are still in the process of validating the technique. The amount of time to prep and test this technique alone is proving greater than the month that we’ve been discussing it; it’s very unlikely that any reputable source could have already discredited this method, given how much time and effort it is taking everyone else to fully flesh out and test it. When asked directly if the FBI tried this technique, Comey dodged the question and replied (on the topic of “chip copying”), “I don’t want to say beyond that”, indicating the FBI hadn’t tried it. This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.

And now, Zdziarski has cooked up a fairly straightforward proof of concept to show that NAND mirroring absolutely could work:

As Zdziarski explains:

This is a simple “concept” demonstration / simulation of a NAND mirroring attack on an iOS 9.0 device. I wanted to demonstrate how copying back disk content could allow for unlimited passcode attempts. Here, instead of using a chip programmer to copy certain contents of the NAND, I demonstrate it by copying the data using a jailbreak. For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.

I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.

Elsewhere Zdziarski also points out that, despite the FBI insisting that it was reaching out to everyone who might be able to help, none of the top researchers in the space have been approached by the FBI (and apparently a few who reached out the other way were rebuffed). Once again, it looks like whatever the FBI is doing with the phone, it’s not being particularly upfront with the public (or, potentially, the courts).


Comments on “iPhone Forensics Experts Demonstrate Basic Proof Of Concept That The iPhone Hack The FBI Says 'Doesn't Work' Actually Does Work”

That One Guy (profile) says:

Incompetence vs Dishonesty

I’m actually starting to wonder if the reason for the ‘classification’ of the technique they ‘discovered’ has less to do with preserving a potentially valuable security exploit and more to do with the fact that it doesn’t actually exist, and is just something they came up with to try and get out of a case that was going poorly for them.

Rather than having to admit that maybe they didn’t actually try all the options available before going legal, they invent some imaginary ‘solution’ and drop the case as quick as possible in order to ‘investigate’ the new possibility.

By refusing to actually say what the ‘solution’ entails, they can spin it to be as simple or complex as they want and no-one will be able to fact check them, giving them time to come up with their next step, whether dropping the case once the attention to it decreases, or waiting to see if any other cases go their way and giving them a better chance in this one to get the precedent they want.

Anonymous Coward says:

Despite all the FBI claims, its own actions speak for it that there was one purpose and one purpose only to this case. The waited-for terrorist incident appeared and it was time to spring into action to use that incident as a pry bar to beat Apple over the head with to set national precedence in court.

It was the one true goal and anything including lying to the court is worthy of consideration to achieve said goal.

Anonymous Coward says:

Re: Re: Re: Re:

While I agree with the sentiment, in cases like this, I’d prefer calling him Syed Farook to calling him a terrorist or shooter.

With his name, we just get a name. Kind of an issue for others who share the name, but that’s about it. When the name fades from social consciousness, the entire thing becomes meaningless, so we keep all the information while letting the hubris evaporate with time.

Based on how loaded the terms “shooter” and “terrorist” are, these can carry the hubris for much longer; tying it to the location also really doesn’t do much, as the issue under discussion is national, not regional.

But it would be nice to see some generic policy, even if it gets broken regularly for intelligent reasons 🙂

Coyne Tibbets (profile) says:

Re: Re:

Well, Mr. Anonymous Coward, I hate to disillusion you, but if you think Mike is exposing some big secret, I have a revelation for you.

I just did a search on Google main for “Syed Farook” and got 445,000 hits. The same search on Google News yields 54,700 hits.

A few examples, taken just from the first page of the Google News search:

CBS News: “… to help the FBI gain access to the phone used by Syed Farook, one of the two attackers in the December 2 shootings that killed 14 people.”

Counterpunch: “A college graduate, “quiet, polite” Chicago-born Syed Farook who masterminded the San Bernardino massacre, was religiously devout and …”

New York Daily News: “Slain California gunman Syed Farook grew up a home so tense that his mother divorced his father whom she accused of being an abusive …”

Forbes: “… is fighting a court order requiring them to assist the FBI in opening the encrypted iPhone belonging to San Bernardino shooter Syed Farook.”

Next time, you might want to check your opinions against reality before telling others how to do their jobs.

Whoever says:

Re: Re:

Does Techdirt have a policy with respect to using names of notorious criminals? I’d like to see you start using “San Bernardino terrorist” or “San Bernardino shooter” rather than “Syed Farook”.

Because “Syed Farook” is more accurate. More specific. There were two shooters, but the phone was specifically assigned to Farook.

Hans says:

It's the key, not the data

I think the focus on the (encrypted) data in NAND flash is misplaced. When the 10 tries are exceeded, surely the firmware simply zeros the encryption key, not the data. So what matters is where the key is stored and whether that can be mirrored. If the security is worth anything the answer to that is “no”.

Anonymous Coward says:

Re: It's the key, not the data

If you’re willing to go to the trouble of desoldering the chip, any memory can be copied. That’s the thing about security: once you have essentially unlimited funds and access to the device, there are no security measures that can stop you.

Security is not about stopping an attack. It’s about making the attack so costly and time-consuming that it’s not worth the effort.

Anonymous Coward says:

Re: It's the key, not the data

The key is generated from 3 things: the passcode, the hardware UID in the phone and a separate key which is stored on the NAND flash. It’s that separate key that gets wiped out after 10 failed attempts. Copying the data from the entire NAND flash would back up that key as well, preserving the ability to restore it after 10 failed attempts wipes it out.

Anonymous Coward says:

Re: It's the key, not the data

So what matters is where the key is stored…

We’ve been through this repeatedly, but it’s kind of complicated, and maybe you didn’t catch the previous explanations. So here goes again…

Start out with the iOS Security Guide (iOS 9.0 or later; September 2015). This is essential reading.

Keep in mind, when you’re reading the iOS 9 Security Guide, that the iPhone 5c has an “Apple A6 APL0598 application processor.” The A6 is earlier than “Apple A7 or later A-series processor” (Security Guide p.7). Thus, the A6 does NOT have a “secure enclave.” So, just ignore the parts of the Security Guide that apply to later processors.

What the A6 does have is a “fused” hardware UID (see p.10). That UID fused into the application processor is used (along with the user’s PIN) to encrypt keys stored in “effaceable storage”. See p.58:

Effaceable Storage: A dedicated area of NAND storage, used to store cryptographic keys, that can be addressed directly and wiped securely. While it doesn’t provide protection if an attacker has physical possession of a device, keys held in Effaceable Storage can be used as part of a key hierarchy to facilitate fast wipe and forward security.
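The save-game analogy in the article and the key-hierarchy thread above (passcode, fused UID, a key in Effaceable Storage, wipe after ten misses) can be modelled with a short simulation. This is an added example, not Zdziarski’s demonstration or Apple’s code; the SHA-256 key derivation, the constructed UID and key bytes, the 4-digit guess sequence and the placement of the try counter are all assumptions made for illustration. It shows why a try counter and wipe key kept only on mirrorable flash cannot enforce an attempt limit, while a counter held outside the image (as the comment notes the Secure Enclave provides on A7 and later) still can.

```python
import hashlib
from copy import deepcopy
from dataclasses import dataclass

MAX_ATTEMPTS = 10  # the ten-try wipe threshold discussed on the page


@dataclass
class Nand:
    """Everything here sits on the mirrorable flash: it can be imaged and written back."""
    effaceable_key: bytes      # per-device key held in Effaceable Storage
    failed_attempts: int = 0   # assumption: in the A6-style model the try counter lives here


def derive_key(passcode: str, uid: bytes, effaceable_key: bytes) -> bytes:
    """Toy stand-in for the passcode + fused UID + effaceable-key hierarchy (not Apple's KDF)."""
    return hashlib.sha256(uid + effaceable_key + passcode.encode()).digest()


class Device:
    """Simulated handset; counter_in_nand selects where the try counter is kept."""

    def __init__(self, passcode: str, counter_in_nand: bool):
        self.uid = b"\x01" * 32                         # constructed stand-in for the fused UID
        self.nand = Nand(effaceable_key=b"\x02" * 32)   # constructed effaceable-storage key
        self.counter_in_nand = counter_in_nand
        self.enclave_attempts = 0                       # counter outside the NAND image
        self.expected = derive_key(passcode, self.uid, self.nand.effaceable_key)

    def attempts(self) -> int:
        return self.nand.failed_attempts if self.counter_in_nand else self.enclave_attempts

    def locked_out(self) -> bool:
        return self.attempts() >= MAX_ATTEMPTS or not self.nand.effaceable_key

    def try_unlock(self, passcode: str) -> bool:
        """True on the right passcode; after MAX_ATTEMPTS misses the effaceable key is erased."""
        if self.locked_out():
            return False
        if derive_key(passcode, self.uid, self.nand.effaceable_key) == self.expected:
            return True
        if self.counter_in_nand:
            self.nand.failed_attempts += 1
        else:
            self.enclave_attempts += 1
        if self.attempts() >= MAX_ATTEMPTS:
            self.nand.effaceable_key = b""  # fast wipe: the data's key hierarchy is now gone
        return False


def guesses_until_unlock(counter_in_nand: bool, passcode: str = "0025") -> int:
    """Snapshot-and-restore loop over the constructed guesses 0000, 0001, ...; -1 if lockout holds."""
    dev = Device(passcode, counter_in_nand)
    image = deepcopy(dev.nand)  # the "save game": a NAND image taken before any attempt
    for i in range(100):
        if dev.try_unlock(f"{i:04d}"):
            return i + 1
        if dev.locked_out():
            dev.nand = deepcopy(image)  # write the original image back over the chip
            if dev.locked_out():        # restoring flash did not reset the counter
                return -1
    return -1
```

With the counter on flash the loop reaches the 26th guess after two wipe-and-restore cycles; with the counter held off-flash the first wipe is final.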

Ehud Gavron (profile) says:

FBI lies

The FBI has pretended its mission includes fighting terrorism, and Techdirt has covered this. Now it pretends its mission is to break into iphones.

In reality the FBI was formed to solve crimes. This crime is solved. Syed Farook (or as a previous commenter would rather he be called, “San Bernardino Shooter McGavin or Whatever”) is dead. He and his ugly-ass wife* killed a bunch of people and then they died. This crime is solved.

The crime (manslaughter) was committed in California, hatched in California, done by Californians, and ended in California. Other than watching a bunch of movies where the FBI comes in and “declares” they’re in charge much to the lack of delight of the immediate law-enforcement agency I don’t see where HERE the FBI has *ANY* jurisdiction.

I think the FBI stepped over its own dick in the worst possible way in three separate methods
– they didn’t have jurisdiction
– they tried to make this the raison d’etre for Apple to OBEY YOUR GOVERNMENT MASTERS
– they committed perjury, lying to the Court about there being no other methods and them having consulted everyone about unlocking the iphone.

Linkies to previous TD stories about the FBI’s mission-motto creep, Edward Snowden’s tweets about perjury, various experts opining on the iphone, and analysis about the AWA left out because if you read TD and its comments you know how to read those on your own.

Sorry, FBI, you’re useless and obsolete. Better mission-creep your motto to something you’re good at doing. Right now that doesn’t include law enforcement, investigation, terrorism, using obsolete arcane laws, or parading about your knowledge (or ignorance).


* Total opinion here, but they’re dead, so not only can I not be sued for slander but there’s nobody with standing anyway 🙂

Josh says:

Re: FBI lies

“This crime is solved. Syed Farook (or as previous commenter would rather he be called “San Bernardino Shooter McGavin or Whatever) is dead. He and his ugly-ass wife* killed a bunch of people and then they died. This crime is solved.”

This is the thing though, isn’t it? Without getting too far into the details, the short answer is they very likely have all the evidence they’re gonna get. It’s just a ruse, and it’s an obvious ruse. Anyone that looks at the facts surrounding this phone should be heavily questioning the FBI’s intentions. There’s a number of things to this case that support the theory that there’s nothing of value on the phone. There’s far less that indicates that there is anything on the phone. It’s pure speculation that throws out the other side of the argument, because if that argument were there, it’d sweep the feet out from under that speculation.

FBI don’t care what’s on the phone. They likely know there’s nothing of importance on that phone. They just want Apple, and only Apple, to open it up for them.

Josh says:

Re: Re: Re: FBI lies

I think the iPhone is more of a pathogen to its user. It infects them, takes over their lives, causes them to believe that their ecosystem has no escape. It indoctrinates them into the holy church of Steve Jobs, and its lead pastor, Tim Cook.

Praise be upon him, oh holy Jobs. Save us from this plight. Amen.

yankinwaoz (profile) says:

Re: FBI lies

The FBI’s obsession with his work phone appears even more disingenuous when you factor in what they did with the physical evidence.

The police and FBI allowed the neighbors to break in to and loot the shooter’s condo less than 2 days after the murders.

I would have thought that their personal household would hold a hell of a lot more clues than his work phone. Yet in less than 48 hours they left it all open to be spoiled.


Josh says:

Here’s a theory. Half of this is things we already think, but let’s string them together into a coherent story.

Their solution doesn’t exist. Their desire to get into the phone has nothing to do with the ongoing investigation. It’s very likely there’s nothing to be found on that phone, and they very well know that as much as we do. So that they’re so hell bent to get into it, as has been speculated by and large, is only to set a precedent.

They wanted to use this to force Apple’s hand only for the precedent. They don’t care about what’s on the phone, they just want it in the books that they can force apple to do it.

As we all know, from this point, things got bad for them in the PR department. They faced a huge backlash from the public that was only made worse by continued comments on the matter, and their attempts to vilify Apple.

So all the sudden they found a possible way to get in. It’s likely a lie to get out of the mess they got themselves into. Before they found this miracle solution, they rejected help from others as it was, and it goes to show they weren’t interested in finding a non-apple solution, or just any solution. What they wanted was Apple, and that’s all they wanted.

They’ll back out of this case, perhaps. And that’s the end we’ll hear of it. The phone likely doesn’t actually matter to them, and they’ll just go on to find a new case, and a new phone, to try and force this precedent with, and they’ll likely try harder to make it so it doesn’t come out in the public again, to avoid the backlash.

This has nothing to do with terrorism, or this criminal case, or whatever. All it has to do with is trying to force Apple into compliance so they can abuse them down the road.

Josh says:

Re: Re: Re:

I think it’d be easier for them to get into Android phones, by the very nature of what Android is. There are a ton of phones out there that are highly outdated in their security. Manufacturers are pretty bad about updating with security patches too.

Apple has the sort of control over their platform that allows them to bring older phones up to date security wise, to a point. It allows them to keep current phones up to date against security vulnerabilities too. Overall, locking down the platform as they have, and being able to maintain control from one end to the other, has given them a recipe for strong security, past and future. It has also given them the ability to quickly act upon security threats in a way that the Android market can’t.

There’s caveats to those statements, but generally we can hold them as realistic. It’s a trade off that people pay. As with Android phones you get access to your device that Apple doesn’t allow on their platform.

On Apple’s platform, if you take the time to update your phone, generally you’re decently secure. On the Android platform, you can’t always update to the latest, as the manufacturer of the hardware and the cell phone carrier can both hinder that process greatly, and in a lot of cases, you’ll never see those security updates at all.

Anonymous Coward says:

The tweaked new OS is the real goal

If they had access to an upgradable unlocking version, they could load that into their latest gen Stingray. Since they are automatically trusted by the phone by pretending to be an official tower, they can change the OS of any devices that connect to them, adding apps and programming as needed to turn that phone into a real time sound, data and location bugging device.

jim says:

I believe you should can your tech expert, suggesting that they alter the data? At least that is how the defense attorney would see that procedure. Any superior court would have to throw out that evidence as hearsay.
The problem is recopying the data back onto the machine: what was edited? Added? Changed? It’s not evidence then.
The FBI is right. It’s not their job to decrypt the phone. There should be an automatic path for them into the phone if approved by the state/courts. Now, should the key be held by the state? No, it should have been in a safe place. But Apple must have decided, what?

Sharatan says:

Einsteins, all of them.

This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.

That’s because FBI agents are so smart, they actually know more about such things than the engineers who design them. In fact, the typical FBI agent could engineer something like an iPhone in a heartbeat, if he wanted to lower himself to do so.
