IOActive has stepped into the standoff between Apple and the FBI over unlocking a terrorist's iPhone by claiming the passcode could be recovered using a risky hardware attack.
The 'de-capping' attack could cost a few hundred thousand dollars in research and could destroy the data forever if it goes wrong, but it is real and not hypothetical, said IOActive senior security consultant Dr Andrew Zonenberg.
It could be used to break the deadlock between Apple and the US Government, after Apple CEO Tim Cook last week refused a California judge's order to unlock the iPhone 5c belonging to Syed Rizwan Farook who, with his wife Tashfeen Malik, killed 14 people in a terrorist attack last December in San Bernardino, California. The couple were later killed in a shootout with the police.
The FBI wants to access the phone, saying it could contain vital data relating to the shooting. But it says only Apple can help, by building one-time firmware that disables the iPhone 5c's passcode protections: the auto-erase that wipes the phone after 10 wrong guesses and the escalating delays between attempts, which together prevent brute-force guessing of the passcode. Because the passcode is tangled with a key held inside the phone's processor, guesses can ordinarily only be tried on the device itself.
John McAfee, founder of the eponymous anti-virus scanner and now US presidential hopeful, said last week that he and his team of technical experts could crack the phone for the FBI, thus avoiding the awkward situation of forcing Apple to do it. So far there is no news of whether the FBI is minded to accept his offer.
Apple has drawn criticism from a raft of public figures, including another presidential candidate, Donald Trump, for refusing to comply with the court order to unlock the phone; the company says it is defending the principle of safeguarding its customers' privacy.
However, while McAfee has no track record of breaking into encrypted phones, Zonenberg says IOActive's labs have carried out physical attacks on processor chips, a process called de-capping, which could be used to pull the device-unique key out of the iPhone's processor and so expose the encrypted data to offline brute force.
De-capping (decapsulation) means dissolving the chip's plastic package and any shielding in acid to expose the bare silicon die, then using a focused ion beam to mill into and probe the precise region of the die that holds the device-unique ID key, the security fuses protecting it, and any related encrypted data. Once that per-device key has been read out, it and a copy of the phone's encrypted data are fed to external computing hardware, which brute-forces the passcode: every guess is checked offline against the copy, so the phone's own retry counter and auto-erase never come into play.
[Image: IOActive says it would use acid to de-cap the chip, exposing the processor inside]
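The attack path described above, as an added worked example that is not IOActive's, Apple's or SC's code: a toy model of the iPhone 5c's passcode-to-key path, contrasting the on-device unlock (which counts failures and erases after 10) with what becomes possible once the per-device key has been read out of the chip. Everything here is a constructed stand-in: `UID_KEY` is a made-up value, PBKDF2-HMAC replaces Apple's UID-keyed AES derivation loop, the `KDF_ITERATIONS` count is an assumption chosen for speed, and the keybag is a simplified XOR-plus-MAC model of the real AES key wrap.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed stand-in for the per-device key burned into the processor's fuses.
# On a real iPhone 5c this is a 256-bit AES key that never leaves the silicon,
# which is exactly why the de-capping attack targets the fuse area of the die.
UID_KEY = bytes.fromhex("1f" * 32)   # constructed, not a real device key

# Assumption: iteration count chosen so a guess costs about a millisecond here.
# iOS tunes its own derivation to roughly 80 ms per guess on the device.
KDF_ITERATIONS = 1_000


def derive_passcode_key(passcode: str, uid_key: bytes) -> bytes:
    """Stand-in for iOS's UID-tangled passcode key derivation.

    iOS runs the passcode through a loop keyed with the UID inside the AES
    engine rather than PBKDF2-HMAC; the property that matters is the same:
    a guess can only be checked by something that holds uid_key.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid_key,
                               KDF_ITERATIONS, dklen=32)


def make_keybag(passcode: str, class_key: bytes, uid_key: bytes) -> dict:
    """Constructed model of the keybag: the file-protection class key is
    wrapped under the passcode key, with a MAC so an unwrap can be verified.
    (Real iOS uses AES key wrap, RFC 3394, whose integrity check plays this role.)"""
    pk = derive_passcode_key(passcode, uid_key)
    stream = hashlib.sha256(pk + b"wrap").digest()
    wrapped = bytes(a ^ b for a, b in zip(class_key, stream))
    tag = hmac.new(pk, wrapped, "sha256").digest()
    return {"wrapped": wrapped, "tag": tag}


def unwrap_class_key(keybag: dict, passcode: str, uid_key: bytes):
    """Return the class key if passcode (and uid_key) are right, else None."""
    pk = derive_passcode_key(passcode, uid_key)
    expected = hmac.new(pk, keybag["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, keybag["tag"]):
        return None
    stream = hashlib.sha256(pk + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(keybag["wrapped"], stream))


class Device:
    """The phone's own unlock path: every guess goes through the device, which
    counts failures and erases the keybag after ten, the control the FBI wants
    Apple to remove. The UID is used here but never exposed to the caller."""

    MAX_FAILURES = 10

    def __init__(self, keybag: dict):
        self.keybag = keybag
        self.failures = 0
        self.wiped = False

    def try_unlock(self, passcode: str):
        if self.wiped:
            return None
        key = unwrap_class_key(self.keybag, passcode, UID_KEY)
        if key is None:
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.keybag = None      # effective erase: nothing left to decrypt
                self.wiped = True
        return key


def offline_bruteforce(keybag: dict, uid_key: bytes, digits: int = 4):
    """What the attacker can do once the UID is read out of the chip and the
    keybag copied from flash: try every passcode against the copy, off-device,
    with no counter and no wipe. Returns (passcode, guesses) or (None, guesses)."""
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guess = "".join(combo)
        guesses += 1
        if unwrap_class_key(keybag, guess, uid_key) is not None:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    keybag = make_keybag("0327", secrets.token_bytes(32), UID_KEY)

    dev = Device(keybag)
    for _ in range(Device.MAX_FAILURES):
        dev.try_unlock("9999")
    print("device wiped after ten wrong guesses:", dev.wiped)

    # Without the UID even the right passcode is useless against the copy...
    print("correct passcode, wrong UID:", unwrap_class_key(keybag, "0327", b"\x00" * 32))
    # ...but with the UID extracted, the copy yields to offline search.
    print("offline brute force:", offline_bruteforce(keybag, UID_KEY))
```

The two things worth noticing are in the last three lines: with a wrong `uid_key` the correct passcode still fails, which is why the fuses holding the UID are the target rather than the flash, and once the UID is known the search over a 4-digit space is bounded only by the cost of the derivation, never by the retry counter.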
Zonenberg told SCMagazineUK.com via email: "We haven't tried breaking the iPhone specifically, but we are familiar with techniques that could probably be applied to it. The attack would likely require several months and a few hundred thousand dollars of research to find the portion of the chip to target, followed by maybe a week and a few tens of thousands of dollars to extract data from a specific physical phone.
“There is a non-trivial risk of destroying the device permanently in the process – the magnitude of the risk depends on specifics of the iPhone's hardware design that we are not familiar with at this time.”
[Image: Once into the chip, they have to find the contact pads (white squares), which are half the width of a human hair]
Zonenberg added: "We can't speak to whether or not it will take heat off of Apple, but an 'isolated invasive attack' would involve doing most of the expensive research and development to find the location of the fuses. This would significantly reduce the cost of a future invasive attack against the same model of phone, not a backdoor per se, but the setup cost (per device) is still high."
Commenting on the feasibility of this move, cyber expert Laurie Mercer, a solution architect at Veracode, said the attack's cost meant it was unlikely to pose a threat to other iPhone users.
He told SC: “This exploit is very theoretical – it reads like science fiction. Hardware can be hacked as well as software. However, the level of resources required to perform such an attack should allay the fears of individuals worried about their private data.
“Not only would attackers need physical access to the device, they will also need a lab full of scientists and software engineers in order to even begin this exercise in data extraction.”
Security expert Professor John Walker of Nottingham Trent University agreed the attack is prohibitively expensive.
“This is taking us back to the days of the Cold War, when overwriting highly classified data could only be done by dipping media/platters into an acid bath or possibly subjecting them to smelting,” Walker told SC.
“In this particular case we are seeing the emergence of the same type of cost-prohibitive, highly sophisticated reverse-engineering which involves taking to pieces the hardware components – which can be very effective if it works. However, when applied to a single-component analysis, this may also result in corruption of the component.
“It may be that common sense should prevail to seek a more contained, sensible solution, aimed at protecting all members of the public whilst resolving the matter in hand.”
Tim Cook explained Apple's stance in a letter to customers last week: “We were shocked and outraged by the deadly act of terrorism in San Bernardino. But now the US Government has asked us for something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone's physical possession.”
But FBI director James Comey countered in a letter published on Sunday: “The San Bernardino litigation is about the victims and justice. Fourteen people were slaughtered and many more had their lives and bodies ruined.
“We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That's it. We don't want to break anyone's encryption or set a master key loose on the land.”
• A new survey says most Americans think that Apple should unlock the phone. According to Pew Research, 51 percent believe Apple should help the FBI, while 38 percent say it should refuse, to ensure the security of its other users' information.