Re/code: How the FBI Might be Hacking the San Bernardino iPhone Without Apple’s Help

Originally published by Re/code.

By Dawn Chmielewski

Finchen / Shutterstock

Nature deplores a vacuum. So in the absence of any details about how the FBI plans to access the information locked on Syed Rizwan Farook’s iPhone without Apple’s help, forensic scientists have been filling the void with some well-informed speculation.

Forensic scientist Jonathan Zdziarski (who’s known in the hacking community as NerveGas) has suggested one theory that others in the cyber security community agree holds promise. It’s a technique called NAND mirroring — and it involves making backup copies of the phone’s memory, so the information could be quickly restored if the device slows down or attempts to wipe the data after five or 10 failed password attempts.

This sort of technique would clear the way for the kind of “brute force” attack the FBI has described in court papers, in which investigators would make thousands of guesses at a password without risking the loss of evidence.

“Think of this as a game save, like Super Mario Brothers. You want to play the same level, so you keep killing Mario to restore the game state,” Zdziarski said in an interview with Re/code.

In a blog post, he explained how it would work: The NAND chip would be removed from the device and placed in a chip reader to copy the contents of the memory. The original chip would be reattached to the phone with a harness. After 10 failed password attempts, the memory could be restored using the backup file, eliminating the risk that the data would be lost to the iPhone’s auto-erase security feature.

“This seems like a promising approach,” said Matthew Green, a noted cryptographer and assistant professor at the Johns Hopkins Information Security Institute. “The main barrier is just the ability to de-solder the Flash memory chips without damaging them, and install a device in between the phone and the chips. This isn’t easy, since the solder joints are delicate, but it doesn’t require breaking any encryption.”

Zdziarski theorizes that the mysterious “outside party” that offered the FBI a last-minute assist is an external forensic company that may be using older gear from a past version of the operating system (iOS 8). The fact that U.S. law enforcement asked for just two weeks to evaluate the technique suggests it already exists — and may indeed have already been demonstrated in a field test.

Given the timing of the offer — Sunday, days before a scheduled hearing on whether Apple could be forced to help the government hack the iPhone — Zdziarski suspects the firm is based in Europe (or, in light of a report today, Israel), where the business week would have already begun.

One U.S. data recovery firm, DriveSavers, is testing the theory. Engineering director Mike Cobb said his firm has already removed the NAND chip from an iPhone 5c — delicate work, because it’s attached by epoxy — and plans to mirror the data, reattach the chip and attempt to crack the password.

“All these things seem very doable,” said Cobb, whose company has been recovering family photos and other data from smartphones, hard drives and thumb drives for years.

But this technique has limited application — the approach wouldn’t work on newer iPhones with more rigorous security, such as the Secure Enclave.

An FBI spokesperson was not immediately available for comment.