A researcher from the University of Cambridge has proven the FBI wrong after Bureau officials said the technique known as NAND mirroring wouldn't work for hacking the San Bernardino shooter's iPhone.

During the months in which the FBI and state officials put immense legal pressure on Apple to assist law enforcement in breaking into the shooter's iPhone, several hardware experts recommended that investigators use a technique known as NAND mirroring.

This procedure works by creating copies of the iPhone's NAND (Negative-AND) Flash memory and attempting to break the phone's passcode, by hand or automatically, on those copies instead of the real phone.

The FBI, represented by Director James Comey, said during a congressional hearing that the technique "doesn't work," without providing any additional details.

Several weeks later, according to sources, the FBI ended up paying around $1.3 million to a company to hack Rizwan Farook's iPhone, which, as many had predicted, didn't hold any valuable information.

Hardware experts had recommended the technique

One of the people who contested the FBI's claims was hardware hacker Jonathan Zdziarski, who after Comey's announcement published a concept demonstration of the NAND technique on a jailbroken iPhone, but said that one could very easily adapt the technique to non-jailbroken devices.

It's precisely this demo and Comey's statements that Sergei Skorobogatov, the Cambridge researcher, cites in his paper's introduction.

The UK-based researcher successfully created a method of bypassing the iOS passcode system on an iPhone 5C running iOS 9.3. The researcher spent a few months fine-tuning his research, but he says this was not his primary work, and that the FBI's computer forensics experts would have been able to achieve the desired results much faster.

Skorobogatov's research, aptly titled "The bumpy road towards iPhone 5c NAND mirroring," is a step-by-step guide to hardware hacking iPhone devices.

iPhone 5c mainboard and NAND chip

The researcher says the first thing he did was to tear down the device and get hold of its mainboard. The hardest part came at the beginning, when he had to desolder the NAND Flash memory from the mainboard. Skorobogatov says he had to heat a Nichrome wire to over 700 °C, which he then used to soften the epoxy glue holding the NAND memory on the mainboard.

To avoid pulling other components from the board along with the NAND chip, the researcher covered them in a high-temperature epoxy, which would help keep them in place. The super-heated wire was then wrapped around the NAND memory chip only, leaving the other components unaltered, and preventing damage to the rest of the phone.

iPhone 5c with removed NAND

When the epoxy had weakened, the researcher used a very thin knife to pull the NAND chip off the circuit board. This procedure was very delicate because he had to protect the NAND Flash memory chip's connectors. This was also the step the FBI probably feared the most, and possibly the reason why they chose to go with a software hack instead.

iPhone 5c with wired-up NAND

Once he had removed the NAND, the researcher connected wires from the mainboard's pins to the NAND's connectors to test whether the removal operation had damaged the phone.

iPhone 5c pieced back together

At this point, everything was up and running just fine, but the entire NAND-and-wire assembly was very fragile and could damage the memory chip. So Skorobogatov created a special connector to attach and detach the NAND chip at will.

iPhone 5c with NAND on connector

But Skorobogatov's job wasn't done because he had to figure out how the chip communicated with the iPhone. For this, he had to reverse engineer the electrical signals passing through the NAND and determine what they meant.

The researcher created another board, which he used to capture electrical signals and send them to a nearby oscilloscope. Using special software and the oscilloscope, the researcher managed to examine and determine how the NAND used and stored information.

iPhone 5c with intermediate board for eavesdropping

He then used this data to create another circuit board, which he used to copy the iPhone's NAND memory chip to another backup chip.

Skorobogatov created only two copies of the original NAND but says that the FBI could have created multiple NAND clones and sped up the password brute-forcing attacks.

Test board for copying NAND chips

With this setup in place, Skorobogatov would insert the cloned NAND chip into the iPhone's connector, boot up the device, enter six PIN codes, shut it down, wipe the NAND, restore a backup of the original NAND data, and then start from scratch with another set of six password retries.

According to his calculations, breaking a four-digit code would take an attacker at most 20 hours. For six-digit passcodes, this would take up to three months, but this timeframe could be reduced if multiple NAND clones were used and more people worked together on the project.

Below is a video recorded by Skorobogatov illustrating this process.

Besides the iPhone 5c, his attack also works on iPhone 5s and iPhone 6 phones, since they use the same type of NAND Flash memory. Of course, with a little effort, the FBI could take his research and adapt it to any other iPhone model.

With all this information in the public domain, hopefully the FBI and government officials will stop pushing for encryption backdoors. Sadly, they probably won't.
