Whether or not Cellebrite is involved, the FBI may be able to unlock the iPhone of San Bernardino shooter Syed Farook through a process known as "NAND mirroring," security researchers explained on Wednesday.
The technique involves removing NAND storage from a device, copying it using a chip reader, and then reattaching the original chip using a harness, Jonathan Zdziarski told Re/code. That way, investigators always have a fallback — even in the case of Farook's phone, which is set to self-delete its data after hitting iOS 9's passcode retry limit.
Matthew Green, a cryptographer and assistant professor at the Johns Hopkins Information Security Institute, observed that while the process can circumvent encryption, it remains a dangerous approach. Investigators must de-solder a NAND chip to remove it, which runs the risk of doing damage and losing access entirely.
Farook's iPhone, a 5c, is one of the last iPhone models the technique could apply to, since anything with Touch ID — and hence a Secure Enclave — would theoretically be immune.
Zdziarski speculated that, regardless of who is helping the FBI, the short two-week testing window requested by the U.S. Justice Department means the government is likely using an off-the-shelf unlock solution from a forensic firm.
Just one day before a review of the court order issued to Apple, the Justice Department asked to postpone the hearing, saying that "an outside party" had shared a possible method of cracking Farook's phone without asking Apple to build a tool that removes the passcode limit. Earlier today, reports identified that party as Cellebrite, an Israeli forensics firm.
51 Comments
What about Error 53, when they try to put it back together tho?
This is what I was saying in one of my previous posts. Take out the hardware and access the data that way.
This was only partly about accessing that specific data, however, and yet mostly to do with setting a new benchmark for accessing private data via a "backdoor":