A Cambridge-based computer scientist has demonstrated that the passcode securing Apple’s iPhones can be defeated using a NAND mirroring technique. This is particularly significant because it was done with off-the-shelf electronic components, and because the FBI had originally dismissed the technique as impossible.
At the moment, the iPhone only allows users six attempts at entering the passcode before locking the phone down. To work around this, Sergei Skorobogatov of the Cambridge Computer Laboratory security group removed the flash memory chip from an iPhone 5C and cloned it. After making six attempts at the passcode, he could swap in a copy of the original memory, which gave him another six attempts. The idea is that this provides the opportunity to brute force the passcode of any iPhone.
Of course, the research paper estimates that it would take about 20 hours to guess a four-digit code, while a six-digit code could take up to three months. This isn’t exactly the quickest or most efficient method, as it requires continually swapping the memory chip, but Skorobogatov believes that law enforcement may be willing to spend the time for purposes of national security.
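The weakness the article describes is a design one: the retry counter lives in the same rewritable flash that an attacker can image and restore, so the six-attempt limit bounds only the guesses per image, not the total. The following is an added illustration, not code from the article or from Skorobogatov’s paper, that models a retry counter on restorable flash beside one anchored in tamper-resistant hardware, and audits which of the two actually enforces the limit. The class names, the toy hashing scheme and the `snapshot`/`restore` interface are assumptions of this model, not descriptions of any real device.

```python
"""Toy model of a passcode retry limit under state rollback (added example).

Two designs for where the failed-attempt counter lives:
  * FlashCounter  - on ordinary flash that can be imaged and restored
  * SecureCounter - in hardware with no restore path (a stand-in for a
                    secure element or monotonic counter)
The 6-attempt limit and the 10^4 four-digit code space follow the article;
everything else (class names, hashing, the restore interface) is constructed.
"""
import hashlib
import hmac
import math
import os

MAX_ATTEMPTS = 6       # the six-attempt limit described in the article
PIN_DIGITS = 4
PIN_SPACE = 10 ** PIN_DIGITS


class FlashCounter:
    """Counter on rewritable flash: an image of the chip carries the count,
    so restoring the image also restores the pre-failure count."""

    def __init__(self):
        self.failed = 0

    def snapshot(self):
        return {"failed": self.failed}

    def restore(self, image):
        self.failed = image["failed"]


class SecureCounter:
    """Counter in tamper-resistant hardware: deliberately no snapshot/restore,
    so a flash image does not bring the count back with it."""

    def __init__(self):
        self.failed = 0


class LockedOut(Exception):
    """Raised once the retry limit has been reached."""


class Device:
    """Minimal passcode check against a salted hash with a constant-time compare."""

    def __init__(self, passcode, counter):
        self.salt = os.urandom(16)
        self.digest = self._hash(passcode)
        self.counter = counter

    def _hash(self, code):
        # Toy scheme; a real device would use a hardware-bound, slow KDF.
        return hashlib.sha256(self.salt + code.encode()).digest()

    def try_passcode(self, code):
        if self.counter.failed >= MAX_ATTEMPTS:
            raise LockedOut()
        if hmac.compare_digest(self._hash(code), self.digest):
            self.counter.failed = 0
            return True
        self.counter.failed += 1
        return False


def images_needed(pin_space=PIN_SPACE, per_image=MAX_ATTEMPTS):
    """Restore cycles required to cover the whole code space if the counter rolls back."""
    return math.ceil(pin_space / per_image)


def retry_limit_holds(counter_cls, passcode="1234"):
    """Audit: after MAX_ATTEMPTS failures, does restoring a pre-failure image
    reopen the device?  True means the limit survives the rollback."""
    counter = counter_cls()
    dev = Device(passcode, counter)            # constructed passcode
    image = counter.snapshot() if hasattr(counter, "snapshot") else None
    for _ in range(MAX_ATTEMPTS):
        dev.try_passcode("0000")               # constructed wrong guess
    if image is not None:
        counter.restore(image)
    try:
        dev.try_passcode("0000")
    except LockedOut:
        return True
    return False


def codes_reachable(counter_cls, pin_space=PIN_SPACE):
    """How many distinct codes can be tried before the device stays locked.
    When the limit trips and the counter is restorable, it is put back to its
    pre-failure state, as the article's chip-swap procedure does."""
    counter = counter_cls()
    dev = Device("9999", counter)              # constructed passcode
    image = counter.snapshot() if hasattr(counter, "snapshot") else None
    tried = 0
    for n in range(pin_space):
        code = f"{n:0{PIN_DIGITS}d}"
        try:
            dev.try_passcode(code)
        except LockedOut:
            if image is None:
                break                          # hardware counter: stays locked
            counter.restore(image)
            dev.try_passcode(code)
        tried += 1
    return tried


if __name__ == "__main__":
    for cls in (FlashCounter, SecureCounter):
        print(cls.__name__, "limit holds:", retry_limit_holds(cls),
              "codes reachable:", codes_reachable(cls))
    print("restore cycles to cover a 4-digit space:", images_needed())
```

With the counter on restorable flash the limit never holds and every four-digit code is reachable across 1667 restore cycles, which is the shape of the 20-hour estimate above; with the counter in hardware that has no restore path, the device stays locked after six guesses. The mitigation is therefore not a stricter limit but moving the count (and ideally the key derivation) into storage an attacker cannot clone and put back.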
NAND memory mirroring came up during the investigation of the San Bernardino shooting, where the FBI attempted to break into the shooter’s iPhone 5C to look for evidence. The bureau had originally believed the technique to be unworkable, and instead paid several million dollars to a third party for an undisclosed solution.
For now, Skorobogatov has determined that the NAND mirroring attack works on iPhones up to the iPhone 6 Plus. Newer iPhones use a different kind of NAND memory chip, and would require an advanced team to properly research. He also notes that Android-based phones would be vulnerable to this attack as well, since they use more commercially available memory.
Most people will not be affected by this sort of attack, as it requires the attacker to gain physical possession of the iPhone. Instead, this looks to be more of a proof of concept from a researcher, and is more likely to be used by law enforcement agencies and government bodies.