Jonathan Zdziarski, a leading independent Apple iOS security researcher and forensics expert, has a theory about the FBI’s newly discovered potential route into the iPhone 5C used by San Bernardino shooter Syed Farook.
In a blog post, Zdziarski wrote that the technique the FBI is planning to use to get around having to compel Apple to help bypass the phone’s security is likely a method called NAND mirroring—a hardware-based approach that, while effective, is far from the “golden key” software the FBI had sought.
The FBI reported in its filing to delay a hearing on its dispute with Apple, originally scheduled for March 22, that an outside company had approached the FBI with a solution to the “self-destruct” issue preventing the FBI from repeatedly guessing the device’s four-digit PIN.
In that filing, FBI officials said that they needed just two weeks to certify that they could use the alternative approach to gain access to the phone.
Based on a number of factors, Zdziarski said that the company in question was likely one of the FBI’s external forensics contractors and that it was unlikely that it had found a “zero day” software technique to bypass the password. “Whatever technique is being used likely isn’t highly experimental (or it’d take more time),” Zdziarski noted. “Chances are the technique has been developed over the past several weeks that this case has been going on.”
And Zdziarski believes that technique involves copying the contents of the phone’s flash memory through a process referred to as NAND mirroring.
This would require desoldering and removing the NAND flash memory chip that acts as the phone’s data storage and reading and dumping its contents into a file using a chip reader/programmer—giving the FBI a backup that can be restored to the chip repeatedly if the phone’s security software erases its contents after a number of failed tries. “This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying,” Zdziarski explained.
The FBI would not have to restore the entire chip—it would only have to rewrite the portion of the chip used for user storage, if it could isolate it.
And it’s possible that the FBI could emulate the NAND storage with hardware that is tied to a copy of the original or that it could just make multiple copies and cycle quickly through them. Zdziarski suggested it was also possible to at least partially automate the whole process using “hardware invasive techniques” that emulate the approach the IP-Box forensic device used against iOS 8 devices to automate password guessing.
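To make the “save-game” analogy concrete, here is an added toy model (not code from Zdziarski’s post or from any forensic tool) of a phone whose failed-attempt counter sits in the same NAND image as the user data, so restoring a dumped image also rewinds the counter; the `WIPE_AFTER` threshold, the constructed sample data and the optional hardware-held counter are assumptions for illustration.

```python
import hashlib
from typing import Optional

WIPE_AFTER = 10  # assumed toy threshold for the "self-destruct" after repeated failures


def _h(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


class ToyPhone:
    """Constructed model: user data and (by default) the attempt counter live in NAND."""

    def __init__(self, pin: str, counter_in_nand: bool = True):
        self.pin_hash = _h(pin)
        self.counter_in_nand = counter_in_nand
        # Everything a chip reader could dump and a programmer could later rewrite.
        self.nand = {"attempts": 0, "user_data": "constructed sample data"}
        self.hw_attempts = 0  # counter held outside the flash chip: absent from any dump

    def dump_nand(self) -> dict:
        return dict(self.nand)

    def restore_nand(self, image: dict) -> None:
        self.nand = dict(image)

    def _attempts(self) -> int:
        return self.nand["attempts"] if self.counter_in_nand else self.hw_attempts

    def try_pin(self, guess: str) -> bool:
        if self.nand["user_data"] is None or self._attempts() >= WIPE_AFTER:
            self.nand["user_data"] = None  # already wiped, or limit reached: refuse
            return False
        if _h(guess) == self.pin_hash:
            return True
        if self.counter_in_nand:
            self.nand["attempts"] += 1
        else:
            self.hw_attempts += 1
        if self._attempts() >= WIPE_AFTER:
            self.nand["user_data"] = None  # "self-destruct": erase user storage
        return False


def guesses_until_unlock(phone: ToyPhone, mirror: bool) -> Optional[int]:
    """Walk PINs 0000 upward; with mirroring, put the saved image back after each wipe."""
    image = phone.dump_nand() if mirror else None
    for n in range(10_000):
        if phone.try_pin(f"{n:04d}"):
            return n + 1  # number of guesses it took
        if phone.nand["user_data"] is None:
            if not mirror:
                return None  # data gone and no backup to restore
            phone.restore_nand(image)  # the "save-game": counter back to zero
    return None
```

Run the same walk with `counter_in_nand=False` and restoring the image no longer helps, which is exactly why the counter’s location, not the wipe itself, decides whether mirroring works.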
However, as Zdziarski noted in an update to his post, it’s still possible that the FBI has a zero-day exploit of another kind in hand. “The FBI is rumored to have classified this technique, only 24 hours after requesting a two-week window to give report,” he wrote. “If true, FBI wouldn’t classify something that they haven’t validated, which means they validated it too. This suggests the technique *could* also be an exploit, so now we’ve two different possibilities to consider.”
Either way, if the FBI goes with an alternative approach and fails, it’s unlikely Apple could (even if compelled) come in and put the pieces back together again for another attempt.