iPhone Forensics Experts Demonstrate Basic Proof Of Concept That The iPhone Hack The FBI Says 'Doesn't Work' Actually Does Work

from the the-fbi-lied-again? dept

When the DOJ announced that the FBI may have miraculously found a way in to Syed Farook's work iPhone after swearing to a court that such a thing was impossible, many people zeroed in on the possibility of "NAND Mirroring" as the technique in question. After all, during a Congressional hearing, Rep. Darrell Issa had gone fairly deep technically (for a Congressperson, at least) in asking FBI Director James Comey if the FBI had tested such a method. Well-known iPhone forensics guru Jonathan Zdziarski wrote up a good blog post explaining why such a technique was the most likely. While recognizing that there are other possibilities, he does a good job breaking down why none of the other possibilities are all that likely, given a variety of facts related to the case (I won't go through all of that -- just go read his post). It's worth a read. It also has a nice quick explanation of NAND mirroring:
This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations.
However, on Friday, we noted that FBI Director James Comey was already denying this was the method, saying that it "doesn't work." The FBI also "classified" the method in question which raised some additional eyebrows. Either way, Zdziarski was pretty sure that Comey's claim that NAND mirroring doesn't work was bogus:
FBI Director Comey, in a press conference, claims the NAND technique “doesn’t work”; this says more about the credibility of this information than anything. Every expert I’ve consulted (including three hardware forensics firms) believe it works, and multiple firms are still in the process of validating the technique. The amount of time to prep and test this technique alone is proving greater than the month that we’ve been discussing it – it’s very unlikely that any reputable source could have already discredited this method, given how much time and effort it is taking everyone else to fully flesh out and test it. When asked directly if the FBI tried this technique, Comey dodged the question and replied (on the topic of “chip copying”), “I don’t want to say beyond that”, indicating the FBI hadn’t tried it. This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.
And now, Zdziarski has cooked up a fairly straightforward proof of concept to show that NAND mirroring absolutely could work:
As Zdziarski explains:
This is a simple “concept” demonstration / simulation of a NAND mirroring attack on an iOS 9.0 device. I wanted to demonstrate how copying back disk content could allow for unlimited passcode attempts. Here, instead of using a chip programmer to copy certain contents of the NAND, I demonstrate it by copying the data using a jailbreak. For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.

I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.
Elsewhere Zdziarski also points out that, despite the FBI insisting that it was reaching out to everyone who might be able to help, none of the top researchers in the space have been approached by the FBI (and apparently a few who reached out the other way were rebuffed). Once again, it looks like whatever the FBI is doing with the phone, it's not being particularly upfront with the public (or, potentially, the courts).
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, fbi, forensics, iphone, james comey, jonathan zdziarski, nand mirroring
Companies: apple


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    That One Guy (profile), 28 Mar 2016 @ 4:54am

    Incompetence vs Dishonesty

    I'm actually starting to wonder if the reason for the 'classification' of the technique they 'discovered' has less to do with preserving a potentially valuable security exploit and more to do with the fact that it doesn't actually exist, and is just something they came up with to try and get out of a case that was going poorly for them.

    Rather than having to admit that maybe they didn't actually try all the options available before going legal, they invent some imaginary 'solution' and drop the case as quick as possible in order to 'investigate' the new possibility.

    By refusing to actually say what the 'solution' entails, they can spin it to be as simple or complex as they want and no-one will be able to fact check them, giving them time to come up with their next step, whether dropping the case once the attention to it decreases, or waiting to see if any other cases go their way and giving them a better chance in this one to get the precedent they want.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 28 Mar 2016 @ 6:39am

    Despite all the FBI claims, it's own actions speak for it that there was one purpose and one purpose only to this case. The waited for terrorist incident appeared and it was time to spring into action to use that incident as a pry bar to beat Apple over the head with to set national precedence in court.

    It was the one true goal and anything including lying to the court is worthy of consideration to achieve said goal.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 28 Mar 2016 @ 6:56am

    Mike,

    Does Techdirt have a policy with respect to using names of notorious criminals? I'd like to see you start using "San Bernardino terrorist" or "San Bernardino shooter" rather than "Syed Farook".

    link to this | view in thread ]

  4. identicon
    rikuo, 28 Mar 2016 @ 7:04am

    Re:

    Curious. Why does it matter to you? This way at least we know precisely who Mike is talking about.

    link to this | view in thread ]

  5. icon
    Roger Strong (profile), 28 Mar 2016 @ 7:20am

    Re: Re:

    Some news organizations have policies like this for crimes done to make a political point, or any crime seemingly done for shock value or publicity. It idea is that they don't want to encourage others to do the same.

    I've also heard of policies of not publicizing suicides for the same reason.

    link to this | view in thread ]

  6. icon
    Gwiz (profile), 28 Mar 2016 @ 7:37am

    Re:

    Does Techdirt have a policy with respect to using names of notorious criminals?


    Personally, I think Techdirt should join the "Some Asshole Initiative"

    http://nonadventures.com/2015/06/20/the-some-of-all-fears/

    link to this | view in thread ]

  7. identicon
    Hans, 28 Mar 2016 @ 8:04am

    It's the key, not the data

    I think the focus on the (encrypted) data in NAND flash is misplaced. When the 10 tries are exceeded, surely the firmware simply zeros the encryption key, not the data. So what matters is where the key is stored and whether that can be mirrored. If the security is worth anything the answer to that is "no".

    link to this | view in thread ]

  8. icon
    Mat (profile), 28 Mar 2016 @ 8:24am

    Re: It's the key, not the data

    The point is the 10 try count is, hilariously, one of those things that's being copied back, and thus reset. I'm personally hoping on the next iPhone that isn't already out, that the passcode count -and- the key are kept on flash memory directly attached or internal to the CPU.

    link to this | view in thread ]

  9. icon
    Ehud Gavron (profile), 28 Mar 2016 @ 8:25am

    FBI lies

    The FBI has pretended its mission includes fighting terrorism, and Techdirt has covered this. Now it pretends its mission is to break into iphones.

    In reality the FBI was formed to solve crimes. This crime is solved. Syed Farook (or as previous commenter would rather he be called "San Bernardino Shooter McGavin or Whatever) is dead. He and his ugly-ass wife* killed a bunch of people and then they died. This crime is solved.

    The crime (manslaughter) was committed in California, hatched in California, done by Californians, and ended in California. Other than watching a bunch of movies where the FBI comes in and "declares" they're in charge much to the lack of delight of the immediate law-enforcement agency I don't see where HERE the FBI has *ANY* jurisdiction.

    I think the FBI stepped over its own dick in the worst possible way in three separate methods
    - they didn't have jurisdiction
    - they tried to make this the raison d'etre for Apple to OBEY YOUR GOVERNMENT MASTERS
    - they committed perjury, lying to the Court about there being no other methods and them having consulted everyone about unlocking the iphone.

    Linkies to previous TD stories about the FBI's mission-motto creep, Edward Snowden's tweets about perjury, various experts opining on the iphone, and analysis about the AWA left out because if you read TD and its comments you know how to read those on your own.

    Sorry, FBI, you're useless and obsolete. Better mission-creep your motto to something you're good at doing. Right now that doesn't include law enforcement, investigation, terrorism, using obsolete arcane laws, or parading about your knowledge (or ignorance).

    Ehud

    * Total opinion here, but they're dead, so not only can I not be sued for slander but there's nobody with standing anyway :)

    link to this | view in thread ]

  10. identicon
    Josh, 28 Mar 2016 @ 8:31am

    Here’s a theory. Half of this is things we already think, but let’s string them together into a coherent story.

    Their solution doesn’t exist. Their desire to get into the phone has nothing to do with the ongoing investigation. It’s very likely there’s nothing to be found on that phone, and they very well know that as much as we do. So that they’re so hell bent to get into it, as has been speculated by and large, is only to set a precedent.

    They wanted to use this to force Apple’s hand only for the precedent. They don’t care about what’s on the phone, they just want it in the books that they can force apple to do it.

    As we all know, from this point, things got bad for them in the PR department. They faced a huge backlash from the public that was only made worse by continued comments on the matter, and their attempts to vilify Apple.

    So all the sudden they found a possible way to get in. It’s likely a lie to get out of the mess they got themselves into. Before they found this miracle solution, they rejected help from others as it was, and it goes to show they weren’t interested in finding a non-apple solution, or just any solution. What they wanted was Apple, and that’s all they wanted.

    They’ll back out of this case, perhaps. And that’s the end we’ll hear of it. The phone likely doesn’t actually matter to them, and they’ll just go on to find a new case, and a new phone, to try and force this precedent with, and they’ll likely try harder to make it so it doesn’t come out in the public again, to avoid the backlash.

    This has nothing to do with terrorism, or this criminal case, or whatever. All it has to do with is trying to force Apple into compliance so they can abuse them down the road.

    link to this | view in thread ]

  11. identicon
    Josh, 28 Mar 2016 @ 8:39am

    Re: FBI lies

    "This crime is solved. Syed Farook (or as previous commenter would rather he be called "San Bernardino Shooter McGavin or Whatever) is dead. He and his ugly-ass wife* killed a bunch of people and then they died. This crime is solved."

    This is the thing though, isn't it? Without getting too far into the details, the short answer is they very likely have all the evidence they're gonna get. It's just a ruse, and it's an obvious ruse. Anyone that looks at the facts surrounding this phone should be heavily questioning the FBI's intentions. There's a number of things to this case that support the theory that there's nothing of value on the phone. There's far less that indicates that there is anything on the phone. It' pure speculation that throws out the other side of the argument, because if that argument were there, it'd sweep the feet out from under that speculation.

    FBI don't care what's on the phone. They likely know there's nothing of importance on that phone. They just want Apple, and only Apple, to open it up for them.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 28 Mar 2016 @ 8:41am

    Re: It's the key, not the data

    If you're willing to go to the trouble to desoldering the chip, any memory can be copied. That's the thing about security, once you have essentially unlimited funds and access to the device, there is no security measures that can stop you.

    Security is not about stopping an attack. It's about making the attack so costly and time-consuming that it's not worth the effort.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 28 Mar 2016 @ 8:41am

    Re: It's the key, not the data

    If you're willing to go to the trouble to desoldering the chip, any memory can be copied. That's the thing about security, once you have essentially unlimited funds and access to the device, there is no security measures that can stop you.

    Security is not about stopping an attack. It's about making the attack so costly and time-consuming that it's not worth the effort.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 28 Mar 2016 @ 8:48am

    They say it don't work because they are on attempt 10. So they would have to nand with every attempt.. LOL

    link to this | view in thread ]

  15. icon
    That One Guy (profile), 28 Mar 2016 @ 9:00am

    Re: Re: FBI lies

    But... but... (potential) cyber pathogens!

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 28 Mar 2016 @ 9:02am

    Re: It's the key, not the data

    The key is generated from 3 things. The passcode, the hardware UID in the phone and a separate key which is stored on the NAND flash. It's that separate key that gets wiped out after 10 failed attempts. Copying the data from the entire NAND flash would backup that key as well preserving the ability to restore it after 10 failed attempts wipes it out.

    link to this | view in thread ]

  17. icon
    Ryunosuke (profile), 28 Mar 2016 @ 9:03am

    Re: FBI lies

    i wouldn't say obsolete, however imo, they HAVE overstepped their boundaries when asking for apples "Assistance" in producing a separate OS for itself and possibly other law enforcement agencies, see: Stingrays.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 28 Mar 2016 @ 9:39am

    Re: Re: Re:

    While I agree with the sentiment, in cases like this, I'd prefer calling him Syed Farook to calling him a terrorist or shooter.

    With his name, we just get a name. Kind of an issue for otherw who share the name, but that's about it. When the name fades from social consciousness, the entire thing becomes meaningless, so we keep all the information while letting the hubris evaporate with time.

    Based on how loaded the terms "shooter" and "terrorist" are, these can carry the hubris for much longer; tying it to the location also really doesn't do much, as the issue under discussion is national, not regional.

    But it would be nice to see some generic policy, even if it gets broken regularly for intelligent reasons :)

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 28 Mar 2016 @ 10:14am

    I'd rather see him called by name. This does not give the public any reference to these terrorist supporting outfits by name recognition, be that action or actual naming of some group.

    If you are aware of these two's actions you don't need a label.

    link to this | view in thread ]

  20. icon
    Mat (profile), 28 Mar 2016 @ 10:17am

    Re: Re: It's the key, not the data

    "First rule of computer security: If the attacker has physical access to the machine, it is no longer your machine."

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 28 Mar 2016 @ 10:27am

    The tweaked new OS is the real goal

    If they had access to an upgradable unlocking version, they could load that into their latest gen Stingray. Since they are automatically trusted by the phone by pretending to be an official tower, they can change the OS of any devices that connect to them, adding apps and programming as needed to turn that phone into a real time sound, data and location bugging device.

    link to this | view in thread ]

  22. icon
    Coyne Tibbets (profile), 28 Mar 2016 @ 10:29am

    Re:

    Well, Mr. Anonymous Coward, I hate to disillusion you, but if you think Mike is exposing some big secret, I have a revelation for you.

    I just did a search on Google main for "Syed Farook" and got 445,000 hits. The same search on Google News yields 54,700 hits.

    A few examples, taken just from the first page of the Google News search:

    CBS News: "... to help the FBI gain access to the phone used by Syed Farook, one of the two attackers in the December 2 shootings that killed 14 people."

    Counterpunch: "A college graduate, “quiet, polite” Chicago-born Syed Farook who masterminded the San Bernardino massacre, was religiously devout and ..."

    New York Daily News: "Slain California gunman Syed Farook grew up a home so tense that his mother divorced his father whom she accused of being an abusive ..."

    Forbes: "... is fighting a court order requiring them to assist the FBI in opening the encrypted iPhone belonging to San Bernardino shooter Syed Farook."


    Next time, you might want to check your opinions against reality before telling others how to do their jobs.

    link to this | view in thread ]

  23. identicon
    Josh, 28 Mar 2016 @ 10:31am

    Re: Re: Re: FBI lies

    I think the iPhone is more of a pathogen to its user. It infects them, takes over their lives, causes them to believe that their ecosystem has no escape. It indoctrinates them into the holy church of Steve Jobs, and its lead pastor, Tim Cook.

    Praise be upon him, oh holy Jobs. Save us from this plight. Amen.

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 28 Mar 2016 @ 10:37am

    Re: Re:

    The no-names policy in place at some media outlets isn't about keeping a secret, it's about reducing fame and notoriety -- things that are motivational to some potential criminals.

    http://www.dontnamethem.org/

    link to this | view in thread ]

  25. identicon
    Whoever, 28 Mar 2016 @ 10:42am

    Re:

    Does Techdirt have a policy with respect to using names of notorious criminals? I'd like to see you start using "San Bernardino terrorist" or "San Bernardino shooter" rather than "Syed Farook".


    Because "Syed Farook" is more accurate. More specific. There were two shooters, but the phone was specifically assigned to Farook.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 28 Mar 2016 @ 11:09am

    Re: It's the key, not the data

    So what matters is where the key is stored…
    We've been through this repeatedly, but it's kind of complicated, and maybe you didn't catch the previous explanations. So here goes again…

    Start out with the iOS Security Guide (iOS 9.0 or later; September 2015). This is essential reading.

    Keep in mind, when you're reading the iOS 9 Security Guide, that the iPhone 5c has a “Apple A6 APL0598 application processor.” The A6 is earlier than “Apple A7 or later A-series processor” (Security Guide p.7). Thus, the A6 does NOT have a “secure enclave.” So, just ignore that parts of the Security Guide that apply to later processors.

    What the A6 does have is a “fused” hardware uid (see p.10). That uid fused into the application processor is used (along with user's pin) to encrypt keys stored in “effaceable storage” See p.58:
    Effaceable Storage             A dedicated area of NAND storage, used to store cryptographic keys, that can be addressed directly and wiped securely. While it doesn’t provide protection if an attacker has physical possession of a device, keys held in Effaceable Storage can be used as part of a key hierarchy to facilitate fast wipe and forward security.

    link to this | view in thread ]

  27. icon
    trparky (profile), 28 Mar 2016 @ 11:09am

    Re: Re:

    That makes a whole lot of sense. Very good.

    link to this | view in thread ]

  28. identicon
    jim, 28 Mar 2016 @ 11:24am

    right?

    I believe you should can your techexpert, suggesting that they alter the data? At least that is how the defense attorney would see that procedure that way. Any superior court would have to throw out that evidence as hearsay.
    The problem is the recopying the data back onto the machine, what was edited? Added? Changed? It's not evidence then.
    The FBI is right. It's not their job to decrypt the phone. There should be an automatic path for them, into the phone if approved by the state/courts. Now, should the key be held by the state, no, it should have been in a safe place. But Apple, must have decided, what?

    link to this | view in thread ]

  29. identicon
    Sharatan, 28 Mar 2016 @ 11:24am

    Einsteins, all of them.

    This speaks volumes about how flippantly the FBI is willing to discount viable methods endorsed by numerous researchers.

    That's because FBI agents are so smart, they actually know more about such things than the engineers who design them. In fact, the typical FBI agent could engineer something like an iPhone in a heartbeat, if he wanted to lower himself to do so.
    /s

    link to this | view in thread ]

  30. identicon
    Sharatan, 28 Mar 2016 @ 11:27am

    Re: right?

    Now, should the key be held by the state, no, it should have been in a safe place.

    A kind of "golden" key? Wow, what an idea! Why hasn't anyone thought of that before?
    /s

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 28 Mar 2016 @ 11:43am

    Re:

    typical millenial.

    needs everything spelled out to the T

    link to this | view in thread ]

  32. icon
    yankinwaoz (profile), 28 Mar 2016 @ 12:16pm

    Re: FBI lies

    The FBI's obsession with his work phone appears even more disingenuous when you factor in what they did with the physical evidence.

    The police and FBI allowed the neighbors to break in to and loot the shooter's condo less than 2 days after the murders.

    I would have thought that their personal household would hold a hell of a lot more clues than his work phone. Yet in less than 48 hours they left it all open to be spoiled.

    http://www.theguardian.com/us-news/2015/dec/04/reporters-rush-into-home-san-bernardino-shoot ing-suspects

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 28 Mar 2016 @ 12:38pm

    Re:

    Next down the line will be a phone from LG, HTC or the like. They will not have the limitless resources of an Apple's legal department. And let's wrap a non-disclosure gag on it too. You know while we are at it.

    link to this | view in thread ]

  34. identicon
    Josh, 28 Mar 2016 @ 12:46pm

    Re: Re:

    I think it'd be easier for them to get into Android phones, by the very nature of what Android is. There are a ton of phones out there that are highly outdated in their security. Manufactures are pretty bad about updating with security patches too.

    Apple has the sort of control over their platform that allows them to bring older phones up to date security wise, to a point. It allows them to keep current phones up to date against security vulnerabilities too. Overall, locking down the platform as they have, and being able to maintain control from one end to the other, has given them a recipe for strong security, past and future. It has also given them the ability to quickly act upon security threats in a way that the Android market can't.

    There's caveats to those statements, but generally we can hold them as realistic. It's a trade off that people pay. As with Android phones you get access to your device that Apple doesn't allow on their platform.

    On Apple's platform, if you take the time to update your phone, generally you're decently secure. On the Android platform, you can't always update to the latest, as the manufacture of the hardware and the cell phone carrier can both hinder that process greatly, and in a lot of cases, you'll never see those security updates at all.

    link to this | view in thread ]

  35. identicon
    JBDragon, 28 Mar 2016 @ 2:20pm

    Re: Re: It's the key, not the data

    What they are talking about, removing a copying, wouldn't work on a newer iPhone with the Secure Enclave.

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 28 Mar 2016 @ 6:38pm

    Re:

    now they just have to setup another "fake terrorism plot" and use that instead as the basis to forcing apple to do what they demand.

    link to this | view in thread ]

  37. identicon
    Isakill, 29 Mar 2016 @ 6:54pm

    Couldn't they do this same attack with a very elaborate emulator? All they could need is the 1:1 NAND from the phone, and just attack it through the emulator. Replacing the attacked copy after the attacks with a fresh one and start over?

    link to this | view in thread ]

  38. identicon
    Arline, 26 Aug 2016 @ 7:23am

    I would like also to recommend another whatsapp spy apps.

    link to this | view in thread ]

  39. identicon
    Paul, 8 Jun 2020 @ 10:23pm

    Great

    Thanks!

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.