A researcher at Cambridge University, Sergei Skorobogatov, has worked out how to bypass a protection layer on the same iPhone model the FBI was trying to break into. The independent expert has published research that demonstrates the so-called “NAND mirroring” technique.
What is NAND Mirroring
The technique essentially involves copying the contents of the NAND flash memory onto another chip. NAND flash is the phone's storage, and in this case it holds the password data for unlocking the phone. The same kind of memory is also used in other storage devices such as USB flash drives and phone memory cards.
Since the iPhone has a fail-safe that locks it out completely after repeated attempts to brute-force this password, copying the NAND memory, according to Skorobogatov, lets an attacker restore that memory onto the device and make as many attempts on the phone as they wish.
The FBI disputed that this method would work, and instead paid a hefty sum to a private contractor that was able to unlock the phone.
How NAND Mirroring Works
The researcher not only explained that the technique works but proved it. He took an iPhone 5c running iOS 9.3 and disassembled it.
He then made multiple copies of the contents of the NAND memory.
A simple brute-forcer then tried different combinations until it found the code that unlocks the phone. During the process, the attempts had to be spread across many copies of the NAND memory.
The researcher explains (https://arxiv.org/ftp/arxiv/papers/1609/1609.04327.pdf) that, depending on the passcode, cracking it can take anywhere from a day to several months. Do not think the process is easy, either. It is a very painful process that requires several methodical steps:
- Disassemble the iPhone.
- Work your way to the chip.
- Remove the chip, itself a painful process.
- Wire up the NAND memory for copying by connecting cables to its pads. This is tricky because the signals on the connector are not stable; the researcher had to insert resistors to stabilize them.
- Eavesdrop on the communication between the NAND chip and the phone.
- Back up and mirror the phone's NAND memory using a PC.
- Brute-force the passcode with dedicated software.
Once the iPhone is turned on and its screen asks for a passcode, the passcode can be entered six times before the phone is locked. Because the researcher initially could not copy the memory from one chip to another due to errors in some memory sectors, he devised a workaround. He identified and fixed the errors (inconsistencies between different chips) in the memory, and after several failed attempts he succeeded in cloning the NAND flash chip into a fully working copy.
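The reason the six-attempt limit can be defeated is that the attempt counter lives in the same storage that gets cloned. The following added model (not code from Skorobogatov's paper or from Apple) simulates a lock-out counter kept in restorable NAND storage beside one kept in storage that the restore path cannot reach, a hardened design assumed here only for contrast, and shows that only the first can be reset by putting a saved image back.

```python
# Added model (not code from the paper or from Apple): a lock-out counter kept in
# restorable NAND flash is rolled back by re-imaging; one kept outside the image
# (an assumed hardened design) is not.
MAX_ATTEMPTS = 6  # the article: six passcode entries before the phone locks

class Device:
    def __init__(self, passcode, counter_in_flash):
        self._passcode = passcode
        self.counter_in_flash = counter_in_flash
        self.flash = {"attempts": 0}  # NAND image: can be copied and restored
        self.hw_counter = 0  # outside the NAND image; restore() cannot touch it

    def _attempts(self):
        return self.flash["attempts"] if self.counter_in_flash else self.hw_counter

    def try_passcode(self, guess):
        """True on success, False on a wrong guess; raises once locked."""
        if self._attempts() >= MAX_ATTEMPTS:
            raise RuntimeError("device locked")
        if guess == self._passcode:
            return True
        if self.counter_in_flash:
            self.flash["attempts"] += 1
        else:
            self.hw_counter += 1
        return False

    def snapshot(self):  # the mirror: a copy of the NAND image
        return dict(self.flash)

    def restore(self, image):  # put a saved copy back in place
        self.flash = dict(image)

def mirrored_search(counter_in_flash, passcode="9999"):
    """Try every 4-digit code, restoring the saved image before the guess that
    would otherwise lock the phone. Returns (found, guesses_made)."""
    dev = Device(passcode, counter_in_flash)
    image = dev.snapshot()
    made = 0
    for cand in range(10_000):
        if made and made % (MAX_ATTEMPTS - 1) == 0:
            dev.restore(image)
        try:
            found = dev.try_passcode(f"{cand:04d}")
        except RuntimeError:
            return False, made
        made += 1
        if found:
            return True, made
    return False, made
```

With the counter in the cloneable image the search runs through all 10,000 codes without ever locking; with the counter outside it, the phone locks after exactly six guesses.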
Even though the FBI did not believe that such copying would work, a single piece of research proved otherwise. The results of this memory cloning raise important questions about data security and about what measures should be taken to make future iPhones even more secure. Since then, Apple has released iOS 10, which brings some security improvements. However, Sergei Skorobogatov is still convinced that even newer iPhones such as the iPhone 6 could be attacked with the same method, as long as a passcode is involved.