5 Ways Cyber Experts Think the FBI Might Have Hacked the San Bernardino iPhone
Last week, the FBI announced that it had, with the help of a third party, successfully broken into the passcode-protected iPhone 5C owned by San Bernardino shooter Syed Farook. It’s not clear yet whether the FBI found any information useful to its investigation, but the hack brought at least a temporary reprieve to the very public battle between Apple and the FBI over encryption and privacy rights.
The agency hasn’t named its accomplice nor has it revealed how it gained access to the iPhone’s contents. To shed some light on the possibilities, IEEE Spectrum spoke with nine computer security experts and mobile phone forensics specialists about a few techniques that may have been behind this controversial hack:
1. The easy way in
Perhaps the simplest hack of all would be to exploit a vulnerability in iOS 9, the version of Apple’s operating system installed on Farook’s phone. Several experts including Robert Cunningham, chair of the IEEE Cybersecurity Initiative, and Dudu Mimran, chief technology officer for the Telekom Innovation Laboratories at Ben-Gurion University in Israel, believe this is the most likely approach.
Armed with the right security hole, also called a zero-day exploit, a hacker could potentially switch off functions that thwarted the FBI’s entry. These include a built-in delay that prohibits a user from trying too many incorrect password combinations at once, and an optional setting that prompts an iPhone to erase its memory after 10 failed entries. Once a hole is identified, there are many ways to deploy a bug to take advantage of it. The code can be sent as a malicious text message or by exploiting the driver that connects a charger to a laptop to enable new software to be uploaded to a phone.
As an added bonus, maneuvering via a bug is relatively low risk since these strategies avoid tampering with the iPhone’s physical components (more on that approach later). Joel Bollo, CEO at the MSAB, says the vast majority of mobile forensics solutions that his company executes for law enforcement clients are software-based.
So what kind of zero-day may have helped authorities slip in? It’s not entirely clear, but it’s not unreasonable to think that one could exist. There’s a healthy market for uncovering such flaws: The cybersecurity firm Zerodium paid a $1 million bounty last fall to a team that exposed a hole in iOS 9. As Mimran says, “There is no software that is considered bulletproof.”
2. Trick the OS
Inside the iPhone 5C is an A6 chip that features both processors and RAM, which work together to achieve faster speeds than those that were available in previous models. In order to keep track of passcode attempts, this “system on a chip” also communicates with non-volatile memory stored elsewhere, such as in flash memory.
This setup leads experts to a second theory: that hackers may have circumvented the iPhone’s passcode protection by hijacking operations between the A6 and the non-volatile memory.
Ran Canetti, a computer scientist at Tel Aviv University and head of the school’s Check Point Institute of Information Security, says one way to do this would be to tamper with the physical line of communication that carries password recovery instructions between the two. A knowledgeable hacker could use this line to re-route Apple’s software, which typically receives marching orders from both the phone’s flash and RAM, to an external device. The FBI and its silent partner could’ve used such a device to instruct the software to continue accepting failed passcode attempts until the investigators arrived at the correct one.
“They can basically reset the place where it says, ‘Now you've tried nine times,’” Canetti says. “When the phone asks, ‘How many times have you tried?’ they say—‘No, you’ve only tried one time.’”
With the software rejiggered, the FBI could launch a traditional “brute force” attack, employing a software program to rapidly try password combinations until it arrived at the correct one. Since Farook’s iPhone 5C used a four-digit passcode, a program could run through every one of the 10,000 possible password combinations in a matter of minutes.
“That brute force technology isn't very sophisticated,” says Dylan Ayrey, a security engineer with the information security company Praetorian. “You could go on Ebay right now and purchase ways to brute force older versions of the iPhone.”
3. Reset (and reset and reset) the memory
One of the most popular theories among crypto-experts, including Gary McGraw, chief technology officer at the software security consulting firm Cigital, is that the FBI hacked the iPhone through a tactic called NAND mirroring. NAND is a form of flash technology used in memory chips for high-capacity and long-term storage.
Within an iPhone, NAND is thought to play a role in erasing a digital key required to unlock an iPhone’s memory after logging 10 failed password attempts. But if someone knows how to circumvent or reset the tally after each attempt, they could help themselves to unlimited tries.
One way to manually do that might be to remove the memory chip that NAND protects and make a digital copy of it. Once the copy is made, a hacker could test out combinations and simply reload the memory back onto the original chip before the 10-attempt limit is reached. iPhone forensics expert Jonathan Zdziarski has said this strategy is a lot like hitting “save” on a video game. If you die (or, in this case, lose your data) you simply go back and pick up where you left off.
Though it’s a crowd favorite among cybersecurity experts, FBI Director James Comey said in a press briefing in March that this approach, also called a replay or reset attack, wouldn’t work on Farook’s phone. But many remain skeptical of Comey’s insistence; shortly after he made that statement, Zdziarski contradicted it with a demonstration of the technique in a blog post.
That’s the post that won Citigal’s McGraw over to this theory, and he’s not the only one. Praetorian’s Ayrey says, “I think that strategy is very likely and I think that's basically the same sneak we would do here.”
4. Tear the whole thing apart
An iPhone’s memory chips are shrouded in layers of both physical and digital protections to block hackers. To uncover its secrets, hackers must sometimes mount a physical attack in order to bypass certain tamper-resistant features.
There are a few ways to do this. A hacker could start by heating up the device in order to detach a memory chip. The next step: using acid to remove the surface layers of the chip in an act known as “decapping.” That could be followed up with some precision work with a tiny laser drill for reaching sections of the chip the hacker wants to more closely examine.
Ari Juels, a professor in the Cornell Tech Security Group, says the goal in the Farook case would be to extract the handset’s unique ID, which is a special digital key that Apple assigns to each device during manufacturing and could be used to decode an iPhone’s memory.
Apple said in a white paper published last fall that in order to obtain this key, a hacker would have to mount a “highly sophisticated and expensive physical attack.” This is certainly an option the FBI may have considered, but runs the risk of obliterating the memory forever if a technician makes even the slightest miscalculation.
“This is a very invasive and expensive and tricky thing to do,” Dan Wallach, a computer security expert at Rice University, warns. “It's a destructive process that has a percentage chance of destroying the device.”
5. Sneak in through the side
A device that is hard at work can offer clues about the information it is handling. These clues include its power consumption, acoustic properties, electromagnetic radiation, or the time it takes for a specific component to complete a task.
In what’s known as a side-channel attack, experts can use specialized tools to monitor these properties and use the data they gather to infer what’s happening inside a device. For example, a hacker could hook up a resistor to the iPhone’s internal circuits and read the amount of energy that flows by with each passcode attempt. Ben-Gurion University’s Mimran likens it to putting your ear up to a safe, listening for a satisfying click as you turn the dial.
While Cunningham of the IEEE Cybersecurity Initiative says a hacker wouldn’t likely be able to read a PIN or passcode through this method, a would-be invader could almost certainly glean details about the size or complexity of the key and the nature of the cryptographic system within.
For example, a passcode retrieval process that relies on a form of encryption called Montgomery multiplication requires a chip to repeatedly square a large string of numbers. Eventually, it instructs the chip to multiply its result with the last integer used in this massive calculation. Depending on the integers and at what point the chip performs this computation, this process could require more or less energy.
Rice University’s Wallach says the best place to start when mounting a side channel attack would be to order specs on the iPhone 5C from a company such as Chipworks or iFixit. These firms specialize in breaking down commercial devices and writing detailed reports about their components, as well as offering their best guesses as to how information flows throughout a device.
But even with a cheat sheet, a side channel attack is also a very delicate process given the tiny wires and chips that make up a smartphone’s circuitry and internal components. What’s more, chipmakers have wisened up to this strategy, so many now install features that cause a chip to generate electromagnetic noise or maintain a steady power draw no matter what function they’re performing in order to confuse attackers.