'NAND mirroring' could let FBI break into iPhone without Apple's help, researchers say

Image Credit: iFixit

AppleInsider may earn an affiliate commission on purchases made through links on our site.

Whether or not Cellebrite is involved, the FBI may be able to unlock the iPhone of San Bernardino shooter Syed Farook through a process known as "NAND mirroring," security researchers explained on Wednesday.

The technique involves removing NAND storage from a device, copying it using a chip reader, and then reattaching the original chip using a harness, Jonathan Zdziarski told Re/code. That way, investigators always have a fallback — even in the case of Farook's phone, which is set to self-delete its data after hitting iOS 9's passcode retry limit.

Matthew Green, a cryptographer and assistant professor at the Johns Hopkins Information Security Institute, observed that while the process can circumvent encryption, it remains a dangerous approach. Investigators must de-solder a NAND chip to remove it, which runs the risk of doing damage and losing access entirely.

Farook's iPhone, a 5c, is one of the last iPhone models the technique could apply to, since anything with Touch ID — and hence a Secure Enclave — would theoretically be immune.

Zdziarski speculated that whoever is helping the FBI, the short two-week testing window requested by the U.S. Justice Department means the government is likely using an off-the-shelf unlock solution from a forensic firm.

Just one day before a review of the court order issued to Apple, the Justice Department asked to postpone the hearing, saying that "an outside party" had shared a possible method of cracking Farook's phone without asking Apple to build a passcode limit removal. Earlier today reports identified that party as Cellebrite, an Israeli forensics firm.