We knew that sooner or later we'd revisit the FBI-Apple dispute about getting access to iPhones. Here we are, proving ourselves right with a piece of big news: security researcher Sergei Skorobogatov announced he hacked a locked iPhone 5C with basic equipment for under $100!
In case you don't remember, several months ago the FBI needed to access a locked iPhone 5C belonging to the deceased San Bernardino shooter. They demanded a backdoor (a.k.a. a very bad idea) from Apple but got rejected. Then they hired Israeli mobile forensics company Cellebrite and reportedly paid them about $1 million to hack the phone, which they quickly did.
So how did Sergei Skorobogatov, a single researcher from the University of Cambridge, do what an entire forensics company did, and with nothing but store-bought equipment instead of special machinery and $1 million?
How to hack an iPhone up to iPhone 6 Plus on a $100 budget
The answer is a technique known as NAND mirroring, which he successfully used to bypass the passcode retry limit on an iPhone 5C updated to the latest iOS 9.3. Yes, the same technique that the FBI said wouldn't work, so they spent a million instead.
NAND refers to the phone's flash memory, which researchers had already theorized could be copied. The device in question was passcode-protected with an auto-erase function that activates after 10 failed tries, deleting all locally stored data.
Skorobogatov published the details in his paper The bumpy road towards iPhone 5c NAND mirroring, which is available online.
"This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts," Skorobogatov notes in the abstract of the paper.
He further explains that the mirroring solution was achieved using off-the-shelf components bought on a budget of under $100, and that any attacker with sufficient skills could do it.
Moreover, the attack doesn't just work on the iPhone 5C but on newer models as well: the same type of LGA60 NAND chip is used up to the iPhone 6 Plus. Newer iPhones, however, would require more sophisticated equipment and FPGA test boards, he adds.
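To make the mechanism concrete from a design point of view, here is a toy model (added here, not from Skorobogatov's paper or any vendor code) of what the retry limit protects and why it fails when the failed-attempt counter lives in memory that can be copied and restored. The device, passcode, wipe threshold and "secure_state" store are all constructed for the illustration; the only thing it shows is that a counter kept in non-clonable hardware state is what actually stops the retry-limit bypass, which is the hardware-level countermeasure the paper's recommendations point at.

```python
"""Toy model of a passcode retry counter.

counter_in_flash=True  models a counter stored in clonable flash (the
                        situation NAND mirroring exploits);
counter_in_flash=False models a counter held in hardware state that cannot
                        be copied or rolled back from outside.
Constructed illustration, not iOS internals.
"""
import copy

WIPE_AFTER = 10            # auto-erase threshold described in the article
SECRET_PASSCODE = "0427"   # constructed sample value


class Device:
    def __init__(self, counter_in_flash: bool):
        self.counter_in_flash = counter_in_flash
        self.flash = {"user_data": "photos, messages", "failed": 0}
        self.secure_state = {"failed": 0}   # assumed non-clonable store
        self.wiped = False                   # sticky: models erased key material

    def _counter_store(self) -> dict:
        return self.flash if self.counter_in_flash else self.secure_state

    def try_passcode(self, guess: str) -> bool:
        """One passcode attempt, gated by the failed-attempt counter."""
        if self.wiped:
            return False
        store = self._counter_store()
        if guess == SECRET_PASSCODE:
            store["failed"] = 0
            return True
        store["failed"] += 1
        if store["failed"] >= WIPE_AFTER:
            self.flash["user_data"] = None   # auto-erase
            self.wiped = True
        return False

    # Physical access to the NAND lets its contents be copied and written back.
    def dump_flash(self) -> dict:
        return copy.deepcopy(self.flash)

    def restore_flash(self, image: dict) -> None:
        self.flash = copy.deepcopy(image)


def guess_with_mirroring(device: Device, candidates):
    """Try candidates in order, writing the saved flash image back before
    the wipe threshold would be reached.
    Returns (found_code_or_None, attempts_made, device_wiped)."""
    image = device.dump_flash()
    attempts = 0
    for code in candidates:
        if device.wiped:
            break
        if attempts and attempts % (WIPE_AFTER - 1) == 0:
            device.restore_flash(image)   # only resets the counter if it is in flash
        attempts += 1
        if device.try_passcode(code):
            return code, attempts, device.wiped
    return None, attempts, device.wiped


if __name__ == "__main__":
    codes = [f"{i:04d}" for i in range(10_000)]
    print("counter in flash:  ", guess_with_mirroring(Device(True), codes))
    print("counter in hardware:", guess_with_mirroring(Device(False), codes))
```

With the counter in flash the whole 4-digit space is searchable and the device never wipes; with the counter in non-clonable hardware state the tenth failure erases the data regardless of how many flash images were saved.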
Friendly advice: use stronger, longer passcodes
Skorobogatov also makes several recommendations for countermeasures against mirroring at the software, hardware and usability levels. While normal users can't do anything about the first two, they can certainly make drastic yet simple security improvements at the usability level: use at least 6-digit, or better 8-character, passcodes, as the standard 4-digit ones are too easy to guess.
"Attacking such passcodes would require access to the SoC directly to reduce the waiting time between attempts," he points out.
Skorobogatov’s method involves taking the iPhone apart, desoldering the memory and then creating a copy.
“Because I can create as many clones as I want, I can repeat that process many, many times,” he said in a video explaining the process.
The passcode still needs to be guessed, but the process can be automated, so it becomes extremely efficient.
According to Skorobogatov, it takes about 20 hours or even less to guess a 4-digit passcode, while a 6-digit one would require about three months. Of course, this is his theoretical estimate, and he doesn't specify what computing power these figures assume. Still, anyone knowledgeable about cybersecurity acknowledges the huge difference a couple of extra characters can make.
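The figures above can be turned into a simple estimator that shows where the "huge difference" comes from. The following is an added illustration, not a calculation from the paper: it takes the article's roughly 20 hours for all 10,000 four-digit codes, derives a per-attempt time from it, assumes that rate stays constant for longer passcodes, and extrapolates to 6 digits and to 8-character passcodes over alphabets of 36 and 62 symbols (the alphabet sizes are my assumption; the article only says "8-character").

```python
"""Brute-force time estimates for passcodes, calibrated from the article's
figure of about 20 hours to exhaust all 10,000 four-digit codes.
Added illustration; the per-attempt rate is derived from that figure and
assumed constant, not measured."""

FOUR_DIGIT_HOURS = 20.0
SECONDS_PER_ATTEMPT = FOUR_DIGIT_HOURS * 3600 / 10 ** 4   # about 7.2 s per try

# Alphabet sizes are assumptions for the illustration.
ALPHABETS = {
    "digits": 10,        # numeric passcode
    "alnum": 36,         # a-z plus 0-9
    "alnum_mixed": 62,   # a-z, A-Z, 0-9
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of the given length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    """Time to try every code once at a fixed per-attempt cost."""
    return keyspace(alphabet_size, length) * seconds_per_attempt


def humanize(seconds: float) -> str:
    """Largest convenient unit, one decimal place."""
    units = [("years", 365.25 * 86400), ("months", 30.44 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(alphabet: str, length: int) -> dict:
    """Worst-case (exhaust everything) and expected (half the space) times."""
    secs = worst_case_seconds(ALPHABETS[alphabet], length)
    return {
        "keyspace": keyspace(ALPHABETS[alphabet], length),
        "worst_case_seconds": secs,
        "worst_case": humanize(secs),
        "expected": humanize(secs / 2),
    }


if __name__ == "__main__":
    for alphabet, length in [("digits", 4), ("digits", 6),
                             ("alnum", 8), ("alnum_mixed", 8)]:
        e = estimate(alphabet, length)
        print(f"{length}-char {alphabet:12s} keyspace={e['keyspace']:>20,} "
              f"worst={e['worst_case']:>14s} expected={e['expected']}")
```

At the calibrated rate the 6-digit case comes out at roughly 2.7 months, in line with the article's "about three months", and an 8-character code over even a 36-symbol alphabet lands in the hundreds of thousands of years. The model ignores any per-attempt delays the SoC might enforce, which is exactly why Skorobogatov notes that attacking such passcodes would require direct access to the SoC to shorten the wait between attempts.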
NAND mirroring also works on iPod Touch
So far, the FBI and Apple haven't commented on the paper. One prominent security expert, however, did: Jonathan Zdziarski, who earlier this year also demonstrated a software-based proof of concept for NAND mirroring on a jailbroken iPod Touch. He called Skorobogatov's research "very respectable".
Zdziarski, of course, criticized the FBI for spending so much to unlock an iPhone when a single security researcher can do it with “almost zero budget”.
One more important question remains: why would the FBI need a backdoor from Apple or Cellebrite when an iPhone backdoor already exists? What is it? The ability to load and execute modified firmware without user intervention. Maybe they lack the skills, or simply want a shortcut.
“The FBI needs computer-security expertise, not backdoors,” commented security guru Bruce Schneier in his blog.
For the best protection, get the best secure phone
I think the takeaway is clear. A normal phone can be hacked with normal equipment, despite its protection. All a person needs is skill, and hackers aren't hard to find these days.
If you're looking for real security and privacy for your personal life or business, you need a real solution. Normal phones are for selfies, games and social media, not for protection. Secure phones are about security. And this is what we do.
Our flagship product line is called Secure Phone, and it offers high-class protection for your entire mobile life. Every channel of communication is encrypted end to end. Every bit of locally stored information is also encrypted and hidden behind a second, super strong passcode. The OS and every app are custom-built for security reasons. All this, and many more security elements, work together with the sole purpose of giving you peace of mind.
In addition, Secure Phone can be wiped in numerous ways: manually from the device, remotely from our exclusive Secure Administration System (SAS), by sending a special message to either the Secure Email or the Secure Chat app, or automatically after wrong passcodes are entered or connectivity with the server is lost for a predefined period.
So if your life or business is at stake, think twice. Do you believe your phone can protect you?