appleinsider logo
Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

'NAND mirroring' could let FBI break into iPhone without Apple's help, researchers say

Image Credit: iFixit

Whether or not Cellebrite is involved, the FBI may be able to unlock the iPhone of San Bernardino shooter Syed Farook through a process known as "NAND mirroring," security researchers explained on Wednesday.

The technique involves removing NAND storage from a device, copying it using a chip reader, and then reattaching the original chip using a harness, Jonathan Zdziarski told Re/code. That way, investigators always have a fallback — even in the case of Farook's phone, which is set to self-delete its data after hitting iOS 9's passcode retry limit.

Matthew Green, a cryptographer and assistant professor at the Johns Hopkins Information Security Institute, observed that while the process can circumvent encryption, it remains a dangerous approach. Investigators must de-solder a NAND chip to remove it, which runs the risk of doing damage and losing access entirely.

Farook's iPhone, a 5c, is one of the last iPhone models the technique could apply to, since anything with Touch ID — and hence a Secure Enclave — would theoretically be immune.

Zdziarski speculated that whoever is helping the FBI, the short two-week testing window requested by the U.S. Justice Department means the government is likely using an off-the-shelf unlock solution from a forensic firm.

Just one day before a review of the court order issued to Apple, the Justice Department asked to postpone the hearing, saying that "an outside party" had shared a possible method of cracking Farook's phone without asking Apple to build a passcode limit removal. Earlier today reports identified that party as Cellebrite, an Israeli forensics firm.