iPhone Forensics Experts Demonstrate Basic Proof Of Concept That The iPhone Hack The FBI Says 'Doesn't Work' Actually Does Work
from the the-fbi-lied-again? dept
When the DOJ announced that the FBI may have miraculously found a way into Syed Farook's work iPhone after swearing to a court that such a thing was impossible, many people zeroed in on the possibility of "NAND Mirroring" as the technique in question. After all, during a Congressional hearing, Rep. Darrell Issa had gone fairly deep technically (for a Congressperson, at least) in asking FBI Director James Comey if the FBI had tested such a method. Well-known iPhone forensics guru Jonathan Zdziarski wrote up a good blog post explaining why such a technique was the most likely. While recognizing that there are other possibilities, he does a good job breaking down why none of the other possibilities are all that likely, given a variety of facts related to the case (I won't go through all of that -- just go read his post). It's worth a read. It also has a nice quick explanation of NAND mirroring:
This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.
However, on Friday, we noted that FBI Director James Comey was already denying this was the method, saying that it "doesn't work." The FBI also "classified" the method in question, which raised some additional eyebrows. Either way, Zdziarski was pretty sure that Comey's claim that NAND mirroring doesn't work was bogus:
FBI Director Comey, in a press conference, claims the NAND technique “doesn’t work”; this says more about the credibility of this information than anything. Every expert I’ve consulted (including three hardware forensics firms) believe it works, and multiple firms are still in the process of validating the technique. The amount of time to prep and test this technique alone is proving greater than the month that we’ve been discussing it – it’s very unlikely that any reputable source could have already discredited this method, given how much time and effort it is taking everyone else to fully flesh out and test it. When asked directly if the FBI tried this technique, Comey dodged the question and replied (on the topic of “chip copying”), “I don’t want to say beyond that”, indicating the FBI hadn’t tried it. This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.
And now, Zdziarski has cooked up a fairly straightforward proof of concept to show that NAND mirroring absolutely could work:
This is a simple “concept” demonstration / simulation of a NAND mirroring attack on an iOS 9.0 device. I wanted to demonstrate how copying back disk content could allow for unlimited passcode attempts. Here, instead of using a chip programmer to copy certain contents of the NAND, I demonstrate it by copying the data using a jailbreak. For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.
I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.
Elsewhere Zdziarski also points out that, despite the FBI insisting that it was reaching out to everyone who might be able to help, none of the top researchers in the space have been approached by the FBI (and apparently a few who reached out the other way were rebuffed). Once again, it looks like whatever the FBI is doing with the phone, it's not being particularly upfront with the public (or, potentially, the courts).
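As an added illustration (not Zdziarski's proof of concept and not code from the article), the following Python simulation models the idea described above: a retry counter that lives on the flash chip can be rolled back by restoring a saved image, while the same counter held outside the restorable storage cannot. Every name and value here is constructed for the simulation; the fused UID, the wipe threshold and the key derivation are simplified stand-ins and are not Apple's implementation.

```python
import copy
import hashlib
import hmac

# Constructed values for the simulation. On real hardware the fused UID is only
# usable by the AES engine and cannot be read out by software.
DEVICE_UID = bytes.fromhex("00" * 15 + "a6")   # hypothetical 16-byte fused key
WIPE_AFTER = 10        # "erase data after 10 failed attempts"
PBKDF2_ROUNDS = 2000   # kept small so the simulation runs quickly


def derive_key(pin: str) -> bytes:
    """Model of the passcode key: the PIN tangled with the device's fused UID,
    so the derivation only works on the chip that holds that UID."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), DEVICE_UID, PBKDF2_ROUNDS)


def key_check(pin: str) -> bytes:
    """Stand-in for the wrapped key material the device uses to recognise a
    correct passcode (constructed, not the real key hierarchy)."""
    return hmac.new(derive_key(pin), b"class-key-check", "sha256").digest()


class Nand:
    """Everything stored on the flash chip. Whoever holds the chip can dump it
    to an image file and later write that image back."""

    def __init__(self, pin: str):
        self.failed_attempts = 0       # retry counter kept on flash
        self.wiped = False             # True once effaceable storage is erased
        self.check = key_check(pin)


class Device:
    """A phone whose retry counter lives either on NAND (restorable) or in
    separate tamper-resistant state (models a Secure Enclave style counter)."""

    def __init__(self, pin: str, counter_in_secure_element: bool):
        self.nand = Nand(pin)
        self.counter_in_secure_element = counter_in_secure_element
        self.secure_failed = 0         # never touched by a NAND rewrite

    def failures(self) -> int:
        if self.counter_in_secure_element:
            return self.secure_failed
        return self.nand.failed_attempts

    def _record_failure(self) -> None:
        if self.counter_in_secure_element:
            self.secure_failed += 1
        else:
            self.nand.failed_attempts += 1
        if self.failures() >= WIPE_AFTER:
            self.nand.wiped = True     # keys erased; contents now unrecoverable

    def try_pin(self, pin: str) -> bool:
        if self.nand.wiped or self.failures() >= WIPE_AFTER:
            return False
        ok = hmac.compare_digest(key_check(pin), self.nand.check)
        if not ok:
            self._record_failure()
        return ok

    def dump_nand(self) -> Nand:
        return copy.deepcopy(self.nand)

    def restore_nand(self, image: Nand) -> None:
        self.nand = copy.deepcopy(image)


def mirror_guess(device: Device, candidates, restore_every: int = WIPE_AFTER - 1):
    """Guess PINs, writing the saved NAND image back before the wipe threshold.
    Returns (pin_or_None, attempts_made)."""
    image = device.dump_nand()
    attempts = 0
    for i, pin in enumerate(candidates):
        if i and i % restore_every == 0:
            device.restore_nand(image)   # the "save game": on-flash counter back to 0
        attempts += 1
        if device.try_pin(pin):
            return pin, attempts
        if device.nand.wiped:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    pins = [f"{n:04d}" for n in range(100)]
    print("counter on NAND:  ", mirror_guess(Device("0042", False), pins))
    print("counter off NAND: ", mirror_guess(Device("0042", True), pins))
```

With the counter on the restorable flash, the loop reaches the correct PIN on the 43rd guess and the device never sees more than nine consecutive failures, which is the "save game" effect the article describes. With the counter kept outside the image, rewriting the flash changes nothing and the device wipes after the tenth failure; that separation of the retry state from the restorable storage is the property a Secure Enclave provides and that the article's comments note the A6 in the iPhone 5c lacks.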
Filed Under: doj, fbi, forensics, iphone, james comey, jonathan zdziarski, nand mirroring
Companies: apple
Reader Comments
Incompetence vs Dishonesty
Rather than having to admit that maybe they didn't actually try all the options available before going legal, they invent some imaginary 'solution' and drop the case as quick as possible in order to 'investigate' the new possibility.
By refusing to actually say what the 'solution' entails, they can spin it to be as simple or complex as they want and no-one will be able to fact check them, giving them time to come up with their next step, whether dropping the case once the attention to it decreases, or waiting to see if any other cases go their way and giving them a better chance in this one to get the precedent they want.
It was the one true goal and anything including lying to the court is worthy of consideration to achieve said goal.
Does Techdirt have a policy with respect to using names of notorious criminals? I'd like to see you start using "San Bernardino terrorist" or "San Bernardino shooter" rather than "Syed Farook".
Re: Re:
I've also heard of policies of not publicizing suicides for the same reason.
Re: Re: Re:
With his name, we just get a name. Kind of an issue for others who share the name, but that's about it. When the name fades from social consciousness, the entire thing becomes meaningless, so we keep all the information while letting the hubris evaporate with time.
Based on how loaded the terms "shooter" and "terrorist" are, these can carry the hubris for much longer; tying it to the location also really doesn't do much, as the issue under discussion is national, not regional.
But it would be nice to see some generic policy, even if it gets broken regularly for intelligent reasons :)
Re:
Personally, I think Techdirt should join the "Some Asshole Initiative"
http://nonadventures.com/2015/06/20/the-some-of-all-fears/
Re:
I just did a search on Google main for "Syed Farook" and got 445,000 hits. The same search on Google News yields 54,700 hits.
A few examples, taken just from the first page of the Google News search:
CBS News: "... to help the FBI gain access to the phone used by Syed Farook, one of the two attackers in the December 2 shootings that killed 14 people."
Counterpunch: "A college graduate, “quiet, polite” Chicago-born Syed Farook who masterminded the San Bernardino massacre, was religiously devout and ..."
New York Daily News: "Slain California gunman Syed Farook grew up a home so tense that his mother divorced his father whom she accused of being an abusive ..."
Forbes: "... is fighting a court order requiring them to assist the FBI in opening the encrypted iPhone belonging to San Bernardino shooter Syed Farook."
Next time, you might want to check your opinions against reality before telling others how to do their jobs.
Re: Re:
http://www.dontnamethem.org/
Re:
Because "Syed Farook" is more accurate. More specific. There were two shooters, but the phone was specifically assigned to Farook.
Re:
needs everything spelled out to the T
It's the key, not the data
Re: It's the key, not the data
Security is not about stopping an attack. It's about making the attack so costly and time-consuming that it's not worth the effort.
Re: It's the key, not the data
Start out with the iOS Security Guide (iOS 9.0 or later; September 2015). This is essential reading.
Keep in mind, when you're reading the iOS 9 Security Guide, that the iPhone 5c has an “Apple A6 APL0598 application processor.” The A6 is earlier than “Apple A7 or later A-series processor” (Security Guide p.7). Thus, the A6 does NOT have a “secure enclave.” So, just ignore those parts of the Security Guide that apply to later processors.
What the A6 does have is a “fused” hardware UID (see p.10). That UID, fused into the application processor, is used (along with the user's PIN) to encrypt keys stored in “effaceable storage.” See p.58:
FBI lies
In reality the FBI was formed to solve crimes. This crime is solved. Syed Farook (or as a previous commenter would rather he be called, "San Bernardino Shooter McGavin or Whatever") is dead. He and his ugly-ass wife* killed a bunch of people and then they died. This crime is solved.
The crime (manslaughter) was committed in California, hatched in California, done by Californians, and ended in California. Other than watching a bunch of movies where the FBI comes in and "declares" they're in charge much to the lack of delight of the immediate law-enforcement agency I don't see where HERE the FBI has *ANY* jurisdiction.
I think the FBI stepped over its own dick in the worst possible way in three separate methods
- they didn't have jurisdiction
- they tried to make this the raison d'etre for Apple to OBEY YOUR GOVERNMENT MASTERS
- they committed perjury, lying to the Court about there being no other methods and them having consulted everyone about unlocking the iphone.
Linkies to previous TD stories about the FBI's mission-motto creep, Edward Snowden's tweets about perjury, various experts opining on the iphone, and analysis about the AWA left out because if you read TD and its comments you know how to read those on your own.
Sorry, FBI, you're useless and obsolete. Better mission-creep your motto to something you're good at doing. Right now that doesn't include law enforcement, investigation, terrorism, using obsolete arcane laws, or parading about your knowledge (or ignorance).
Ehud
* Total opinion here, but they're dead, so not only can I not be sued for slander but there's nobody with standing anyway :)
Re: FBI lies
This is the thing though, isn't it? Without getting too far into the details, the short answer is they very likely have all the evidence they're gonna get. It's just a ruse, and it's an obvious ruse. Anyone that looks at the facts surrounding this phone should be heavily questioning the FBI's intentions. There's a number of things to this case that support the theory that there's nothing of value on the phone. There's far less that indicates that there is anything on the phone. It's pure speculation that throws out the other side of the argument, because if that argument were there, it'd sweep the feet out from under that speculation.
FBI don't care what's on the phone. They likely know there's nothing of importance on that phone. They just want Apple, and only Apple, to open it up for them.
Re: Re: Re: FBI lies
Praise be upon him, oh holy Jobs. Save us from this plight. Amen.
Re: FBI lies
The police and FBI allowed the neighbors to break into and loot the shooter's condo less than 2 days after the murders.
I would have thought that their personal household would hold a hell of a lot more clues than his work phone. Yet in less than 48 hours they left it all open to be spoiled.
http://www.theguardian.com/us-news/2015/dec/04/reporters-rush-into-home-san-bernardino-shooting-suspects
Their solution doesn’t exist. Their desire to get into the phone has nothing to do with the ongoing investigation. It’s very likely there’s nothing to be found on that phone, and they very well know that as much as we do. So that they’re so hell bent to get into it, as has been speculated by and large, is only to set a precedent.
They wanted to use this to force Apple’s hand only for the precedent. They don’t care about what’s on the phone, they just want it in the books that they can force apple to do it.
As we all know, from this point, things got bad for them in the PR department. They faced a huge backlash from the public that was only made worse by continued comments on the matter, and their attempts to vilify Apple.
So all of a sudden they found a possible way to get in. It’s likely a lie to get out of the mess they got themselves into. Before they found this miracle solution, they rejected help from others as it was, and it goes to show they weren’t interested in finding a non-Apple solution, or just any solution. What they wanted was Apple, and that’s all they wanted.
They’ll back out of this case, perhaps. And that’s the end we’ll hear of it. The phone likely doesn’t actually matter to them, and they’ll just go on to find a new case, and a new phone, to try and force this precedent with, and they’ll likely try harder to make it so it doesn’t come out in the public again, to avoid the backlash.
This has nothing to do with terrorism, or this criminal case, or whatever. All it has to do with is trying to force Apple into compliance so they can abuse them down the road.
Re: Re:
Apple has the sort of control over their platform that allows them to bring older phones up to date security-wise, to a point. It allows them to keep current phones up to date against security vulnerabilities too. Overall, locking down the platform as they have, and being able to maintain control from one end to the other, has given them a recipe for strong security, past and future. It has also given them the ability to quickly act upon security threats in a way that the Android market can't.
There are caveats to those statements, but generally we can hold them as realistic. It's a trade-off that people pay. As with Android phones you get access to your device that Apple doesn't allow on their platform.
On Apple's platform, if you take the time to update your phone, generally you're decently secure. On the Android platform, you can't always update to the latest, as the manufacturer of the hardware and the cell phone carrier can both hinder that process greatly, and in a lot of cases, you'll never see those security updates at all.
If you are aware of these two's actions you don't need a label.
The tweaked new OS is the real goal
right?
The problem is recopying the data back onto the machine: what was edited? Added? Changed? It's not evidence then.
The FBI is right. It's not their job to decrypt the phone. There should be an automatic path for them, into the phone if approved by the state/courts. Now, should the key be held by the state, no, it should have been in a safe place. But Apple, must have decided, what?
Re: right?
A kind of "golden" key? Wow, what an idea! Why hasn't anyone thought of that before?
/s
Einsteins, all of them.
That's because FBI agents are so smart, they actually know more about such things than the engineers who design them. In fact, the typical FBI agent could engineer something like an iPhone in a heartbeat, if he wanted to lower himself to do so.
/s
Great
Thanks!