Researcher describes working hack on San Bernardino shooter's iPhone 5c


Security researcher Sergei Skorobogatov has published a research paper demonstrating a NAND mirroring technique that could have cracked Syed Farook's iPhone 5c in two days using only simple, readily available electronics.

The proof of concept by the Russian-born researcher at the University of Cambridge casts doubt on the FBI's claims in the San Bernardino case. Six months ago the US agency demanded Apple's cooperation in unlocking the encrypted iPhone 5c of attacker Syed Farook. The agency claimed the phone could not be unlocked without the manufacturer's help and wanted Apple to produce a modified version of iOS that would let the FBI bypass the passcode protections and access the phone's data. Apple refused, arguing that such software could also be used to gain access to millions of other smartphones. The FBI took Apple to court, but dropped the case after obtaining a working hack from a third party. How that hack works has not been disclosed; the Israeli firm Cellebrite has been named as a possible source.

The fact that the hack now appears to be relatively simple suggests that the FBI's lawsuit was less about accessing the data on Farook's phone than about setting a legal precedent. Had the FBI succeeded in forcing Apple to grant access to a device, the demand could be repeated all the more easily in later cases, including for other devices and companies. The FBI and President Obama have criticised strong encryption in the past.

Skorobogatov's paper lists the equipment needed besides the target phone: a soldering iron, a hot air gun, some precision tools and an identical donor phone. After dismantling the iPhone, Skorobogatov separates the NAND memory from the main PCB using the hot air gun and a piece of electrically heated nichrome wire, at roughly 300 and 900 degrees Celsius respectively: the former to melt the solder joints, the latter to soften the epoxy underfill that bonds the chip to the board. Once the NAND is free, it is reconnected to the board with wires so that it can be swapped in and out. Although Skorobogatov ran into difficulties getting the chip to work over this extended connection, he eventually succeeded.

The next step is to copy the contents of the NAND memory, which holds the operating system together with the encrypted user data and the failed-attempt counter, to the NAND of the donor device, creating a backup. After Skorobogatov has been temporarily locked out, which iOS enforces after six unsuccessful guesses of the four-digit PIN, the target's NAND can be restored to its original state, resetting the counter. Restoring the backup takes about 90 seconds, according to Skorobogatov. A four-digit PIN has 10,000 combinations, so at six guesses per restore roughly 1,667 cycles are needed in the worst case, about 42 hours: the code can be cracked within two days. With a NAND emulator, for example, the process could go even faster, he says.
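To make the mechanism concrete, here is a toy model of the mirroring loop described above. It is an added illustration, not Skorobogatov's code or data: the NAND is reduced to the failed-attempt counter, the lockout threshold of six and the 90-second restore time are taken from the article, the time per guess is ignored, and the `SecureCounterDevice` class is a hypothetical contrast (counter kept inside the SoC rather than in removable flash) to show what the attack depends on.

```python
"""Toy model of NAND mirroring against a passcode-attempt counter.

Constructed illustration, not the paper's code. The 'NAND' here holds only
the failed-attempt counter that the OS updates on every wrong guess. A
backup image is taken while the counter is zero; whenever the device locks
out, the backup is written back, the counter returns to zero, and the next
six guesses can be tried. Timing assumption: 90 s per restore, guess time
ignored, so the estimate is a lower bound.
"""
import copy
from dataclasses import dataclass
from typing import Optional, Tuple

ATTEMPTS_PER_LOCKOUT = 6      # article: lockout after six wrong guesses
PIN_SPACE = 10_000            # four decimal digits
RESTORE_SECONDS = 90.0        # article: time to re-flash the backup (assumed constant)


class LockedOut(Exception):
    """Raised when the counter has reached the lockout threshold."""


@dataclass
class Nand:
    failed_attempts: int = 0   # counter stored in the external flash chip


class Device:
    """Phone whose attempt counter lives in the removable NAND."""

    def __init__(self, pin: str, nand: Optional[Nand] = None):
        self._pin = pin
        self.nand = nand or Nand()

    def try_pin(self, guess: str) -> bool:
        if self.nand.failed_attempts >= ATTEMPTS_PER_LOCKOUT:
            raise LockedOut
        if guess == self._pin:
            return True
        self.nand.failed_attempts += 1
        return False


class SecureCounterDevice(Device):
    """Hypothetical contrast: the counter is held inside the SoC, so
    swapping NAND images does not touch it."""

    def __init__(self, pin: str, nand: Optional[Nand] = None):
        super().__init__(pin, nand)
        self._soc_failed = 0

    def try_pin(self, guess: str) -> bool:
        if self._soc_failed >= ATTEMPTS_PER_LOCKOUT:
            raise LockedOut
        if guess == self._pin:
            return True
        self._soc_failed += 1
        return False


def mirror_attack(device: Device,
                  restore_seconds: float = RESTORE_SECONDS
                  ) -> Tuple[Optional[str], int, float]:
    """Brute-force every four-digit PIN, restoring the NAND backup on each lockout.

    Returns (pin or None, number of restores, estimated hours spent restoring).
    Gives up when a restore fails to clear the lockout, which means the
    counter is not in the storage being mirrored.
    """
    backup = copy.deepcopy(device.nand)           # image taken while counter is 0
    restores = 0
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        try:
            ok = device.try_pin(guess)
        except LockedOut:
            device.nand = copy.deepcopy(backup)   # mirror the clean image back
            restores += 1
            try:
                ok = device.try_pin(guess)
            except LockedOut:
                return None, restores, restores * restore_seconds / 3600
        if ok:
            return guess, restores, restores * restore_seconds / 3600
    return None, restores, restores * restore_seconds / 3600


if __name__ == "__main__":
    pin, restores, hours = mirror_attack(Device("9999"))
    print(f"NAND-resident counter: recovered {pin} after {restores} restores, ~{hours:.1f} h")
    pin, restores, hours = mirror_attack(SecureCounterDevice("9999"))
    print(f"SoC-resident counter: recovered {pin!r}, gave up after {restores} restore(s)")
```

For the worst-case PIN 9999 the model performs 1,666 restores, which at 90 seconds each is about 41.7 hours before any time per guess is added, matching the article's "within two days". The contrast class shows the attack's single precondition: the counter must live in the storage that is being mirrored.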

Skorobogatov also posted a video of the attack online. Because the iPhone 6 and 6 Plus use the same type of NAND memory, the technique could also work on those devices. The iPhone 5c ran 'the latest version of iOS 9.3', according to the researcher.
