A researcher has demonstrated an inexpensive iPhone hack that could help with future law enforcement investigations, but it is unclear if the process can be extended to newer iPhone models.
The iPhone hack uses NAND mirroring to clone the segment of the iPhone 5c that holds the unlock code and then brute-forces the password without being impeded by Apple's penalties for incorrect attempts. Forensic expert Jonathan Zdziarski presented the concept for this about six months ago, but Sergei Skorobogatov, senior research associate at the University of Cambridge in England, has completed the work for far less than the reported $1 million the FBI paid to crack the iPhone 5c used in the San Bernardino, Calif., attack.
Zdziarski said the NAND chip in the iPhone would need to be physically removed from the device, but he used a jailbroken iPhone to prove the concept. Skorobogatov spent four months working part time to create a NAND-mirroring prototype, which cost just $100.
Skorobogatov told SearchSecurity the most difficult part of the iPhone hack was reverse-engineering Apple's proprietary bus protocol.
"The hardest bit was to work out the proprietary communication protocol with NAND flash. This took half of the project time. Once it was figured out, the implementation of mirroring was relatively straightforward," Skorobogatov said. "For forensics applications, the most dangerous part would be taking the NAND chip off the board, because this operation could damage either the main [printed circuit board] or the NAND package."
Tim Erlin, senior director of IT security and risk strategy at Tripwire Inc., based in Portland, Ore., said the low cost of NAND mirroring could expand the number of threat actors capable of performing the attack.
"This attack was performed with easily accessible hardware and for about $100. While skills were required, this is well within the realm of attackers outside of government and nation states," Erlin said. "Attacks that are advanced very quickly become commoditized after they're published. Protecting from them when they're still theory or minimally available can prevent more significant compromise later on."
Peter Tran, general manager and senior director at RSA, the security division of Dell Technologies, noted a low cost for components does not mean less skill is needed.
"Although the practice of printed circuit board chip or component mirroring has been a longstanding practice in memory forensics, and with the steps for NAND mirroring appearing to be a straightforward process, in theory, the hack method is not trivial by any means to implement easily and quickly," Tran told SearchSecurity. "This technique is certainly not plug and play; even though the hardware material costs are low, the specialization and time required won't make NAND mirroring a universal, quick go-to in the near future."
The extent of the usefulness of a NAND-mirroring iPhone hack is also in question. Skorobogatov said he is planning to test the method on newer iPhones, but the Secure Enclave introduced with the iPhone 5s could mitigate the risk of this type of hack, depending "on how they store the data and whether any encryption at the physical level is involved in NAND communication."
Tran said the Secure Enclave should help, in theory.
"The Secure Enclave makes a clear distinction by design between the iPhone's open user zone, [or] what a user interacts with, and the secured zone -- trusted [or] secured execution -- compartmented for both hardware and software, which would, in theory, help prevent the tamper bleed-over from hacking hardware only via NAND mirroring," Tran said. "Essentially, it's an attempt to air gap within microprocessors."
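The design distinction Tran describes can be made concrete with a small model. The following Python is an added example, not code from the article, from Apple, or from either researcher: it models the lockout "penalties for incorrect attempts" in two ways. In design A the attempt counter lives in ordinary flash, so an image of that flash taken before the attempts and written back afterwards also restores the counter (the NAND-mirroring scenario). In design B the counter lives in a separate component whose state is not part of the flash image, so restoring flash leaves the lockout in place. The class names, the ten-attempt threshold, the PBKDF2 parameters and the sample passcodes are all assumptions chosen for the demonstration; the check at the end is the kind of audit a defender would run against a lockout design: does restoring the storage image reset the lockout state?

```python
"""Toy model: where a passcode lockout counter lives decides whether
restoring a storage image resets it.  Constructed example; names,
thresholds and KDF settings are assumptions, not Apple's design."""
import copy
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # assumed lockout threshold


def verifier_for(passcode: str, salt: bytes) -> bytes:
    """Slow hash standing in for per-attempt key derivation (iterations kept low for speed)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 1000)


class Flash:
    """Ordinary NAND: its full contents can be imaged and written back byte-for-byte."""
    def __init__(self, verifier: bytes, salt: bytes):
        self.data = {"verifier": verifier, "salt": salt, "attempts": 0}

    def snapshot(self) -> dict:
        return copy.deepcopy(self.data)

    def restore(self, snap: dict) -> None:
        self.data = copy.deepcopy(snap)


class SecureCounter:
    """Stand-in for a tamper-resistant counter held outside the flash image."""
    def __init__(self):
        self.value = 0


class FlashCounterDevice:
    """Design A: the attempt counter is stored in the mirrorable flash itself."""
    def __init__(self, passcode: str):
        salt = os.urandom(16)
        self.flash = Flash(verifier_for(passcode, salt), salt)

    def try_passcode(self, guess: str) -> str:
        d = self.flash.data
        if d["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        d["attempts"] += 1
        ok = hmac.compare_digest(verifier_for(guess, d["salt"]), d["verifier"])
        if ok:
            d["attempts"] = 0
        return "ok" if ok else "wrong"


class EnclaveCounterDevice:
    """Design B: verifier in flash, but the counter lives in the separate component."""
    def __init__(self, passcode: str):
        salt = os.urandom(16)
        self.flash = Flash(verifier_for(passcode, salt), salt)
        self.counter = SecureCounter()

    def try_passcode(self, guess: str) -> str:
        if self.counter.value >= MAX_ATTEMPTS:
            return "locked"
        self.counter.value += 1
        d = self.flash.data
        ok = hmac.compare_digest(verifier_for(guess, d["salt"]), d["verifier"])
        if ok:
            self.counter.value = 0
        return "ok" if ok else "wrong"


def guesses_accepted_across_restores(device, rounds: int) -> int:
    """Audit check: image the flash, make MAX_ATTEMPTS wrong guesses, write the
    image back, repeat.  Returns how many guesses the device actually evaluated.
    A sound design accepts MAX_ATTEMPTS in total; a flash-resident counter
    accepts MAX_ATTEMPTS per round."""
    snap = device.flash.snapshot()
    accepted = 0
    for _ in range(rounds):
        for _ in range(MAX_ATTEMPTS):
            if device.try_passcode("0000") != "locked":  # constructed wrong guess
                accepted += 1
        device.flash.restore(snap)  # only flash is restored; any external counter is untouched
    return accepted


if __name__ == "__main__":
    print("flash-resident counter:", guesses_accepted_across_restores(FlashCounterDevice("1234"), 3))
    print("external counter:      ", guesses_accepted_across_restores(EnclaveCounterDevice("1234"), 3))
```

With the flash-resident counter the device evaluates ten fresh guesses every time the image is written back, which is the whole point of mirroring; with the counter held outside the image it evaluates ten guesses in total and stays locked. The model also makes Skorobogatov's caveat about the newer phones concrete: what matters is not the cost of the hardware but whether the lockout state and any keys bound to it are part of what the NAND image contains.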
Regardless of whether NAND mirroring could compromise newer iPhones, Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, suggested Apple should work more closely with security researchers.
"Apple has long since marched on the idea of privacy and that iPhones are as secure as possible. They've openly fought law enforcement on moral and privacy issues," Arsene said. "Recent events should enforce the notion that Apple needs to accept the help of security researchers when it comes to beefing up security against government or nation entities. If they weren't concerned until now, perhaps it would be a good time to start."