Professor proves NAND mirroring attack thwarts iPhone 5c security protocols

As reported by the BBC, University of Cambridge professor Sergei Skorobogatov worked for four months on a NAND cloning and passcode testing rig to successfully bypass the security protocols Apple built into iPhone 5c. That same phone model was at the heart of a contentious debate between Apple and the U.S. government concerning the public's right to encryption.

Last week, Skorobogatov published his findings in a research paper and posted a proof-of-concept video of the process to YouTube. In practice, the method thwarts Apple's passcode counter, which limits the number and frequency of passcode attempts to safeguard against brute force attacks. An iPhone can also be configured to wipe its onboard data cache after a certain number of unsuccessful tries.

To circumvent Apple's protections, the professor first desoldered the handset's NAND flash chip and reverse engineered Apple's proprietary bus protocol, the latter of which is used to communicate with the A6 processor. Using an external harness connected to the A6 SoC, Skorobogatov was able to run through the maximum number of passcode entry attempts on a first NAND chip, then swap in a fresh NAND clone and try again.

"Because I can create as many clones as I want, I can repeat the process many many times until the passcode is found," he said.

A four-digit passcode took about 40 hours to crack, Skorobogatov said, adding that a six-digit code could take hundreds of hours. Apple estimated similar numbers when the FBI obtained a court order forcing Apple to access an iPhone 5c tied to last year's San Bernardino terror attack.

At the time, FBI and U.S. Justice Department experts claimed unlock methods like NAND mirroring are ineffective against Apple's built-in security protocols. To gain access to potential mission critical data, Apple would need to engineer a bespoke bypass tool, the FBI said. Security researchers theorized that NAND mirroring was a viable attack vector, but cautioned against the hardware-based hack, citing a high potential for data loss.

Apple fought the U.S. government's unlock request in a highly public court battle, saying the bypass tool would undeniably create a backdoor, thereby putting millions of iOS devices at risk. Discussion ended when the FBI commissioned technology from a third party to crack into the target iPhone.

As for Skorobogatov's NAND mirroring technique, the professor says the procedure can be applied to more recent iPhone models like the iPhone 6. Those claims are questionable, however, as the iPhone 5c was the last iPhone to go into production without Touch ID and corresponding Secure Enclave technology, both of which offer hardened protection against hacks.