Researcher posts paper detailing US$100 iPhone 5C NAND mirroring device

News by Roi Perez

Cambridge researcher Sergei Skorobogatov has released a paper detailing a proof-of-concept, accompanied by a YouTube video, showing how he is able to bypass the iPhone 5c passcode retry limit.

A researcher has discovered a way to attack the iPhone 5c for a fraction of the price the FBI paid to unlock the iPhone of Syed Rizwan Farook, the San Bernardino shooter.

The FBI vs Apple dispute has now gone quiet; it has been over six months since the FBI first approached Apple requesting help accessing the data on Farook's iPhone.

When the case reached the courtroom, the morality of the situation was widely debated, and Apple CEO Tim Cook stated that complying would set a dangerous precedent for surveillance of US citizens.

The crux of the argument was that the FBI originally claimed that gaining access to the iPhone's data using NAND mirroring was impossible, and that it therefore needed Apple's help.

An Israeli company was subsequently paid US$1.3 million (GBP £995,871) after it unlocked the iPhone.

A researcher has now shown that the mirroring technique does work against an iPhone 5c, and that it can be carried out with around US$100 of hardware.

Sergei Skorobogatov, a security researcher at the University of Cambridge, claims that it is possible to get past the iPhone 5c's passcode lockout using NAND mirroring.

The video below shows the researcher removing the NAND memory chip from the circuit board of an iPhone 5c, copying its contents, and then repeatedly writing that copy back.

Because the count of incorrect passcode attempts is stored on that chip, restoring the saved copy resets the count, so the phone never reaches its lockout threshold.

It is a well-known security feature of the iPhone that it locks down after 10 incorrect passcode attempts. However, Skorobogatov showed that, using his device, the attempt-then-restore cycle can be repeated many times over a 24-hour period.

The researcher has released a paper on the topic which claims that this is the first time that anyone has publicly demonstrated the “real hardware mirroring process for iPhone 5c.”

He further noted that “any attacker with sufficient technical skills could repeat the experiments.”

Skorobogatov claims: “This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol.”

He continued: “The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts.”

In the paper Skorobogatov also describes how the technique can be automated and streamlined: passcodes are typed by a USB keyboard connected to the phone, driven by a pre-programmed script.
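The following simulation is an added example, not code from Skorobogatov's paper or from Apple, and it models the attack described in the video and the scripted passcode entry above. The real attack desolders the NAND Flash and clones it over its proprietary bus; here the "chip" is a Python object and the clone is a copy of it. The attempts-per-cycle value, the key-derivation iteration count and the off-chip counter variant are assumptions introduced for the example, not details from the paper.

```python
"""Toy simulation of the NAND-mirroring bypass of the iPhone 5c passcode retry counter.
Added example, not Skorobogatov's code: the NAND chip is a Python object here."""
import copy
import hashlib

MAX_ATTEMPTS = 10        # iOS locks the device after 10 wrong passcodes
ATTEMPTS_PER_CYCLE = 6   # assumed: guesses entered before each restore, kept below the limit
KDF_ITERATIONS = 1000    # assumed: the real SoC uses a slow hardware-bound derivation


class Nand:
    """Contents of the Flash chip: the passcode verifier and the failed-attempt counter."""

    def __init__(self, passcode: str, salt: bytes):
        self.salt = salt
        self.verifier = self.derive(passcode, salt)
        self.failed_attempts = 0

    @staticmethod
    def derive(passcode: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)

    def clone(self) -> "Nand":
        """Dump the chip contents: this image is the 'mirror'."""
        return copy.copy(self)


class Phone:
    """Lock-screen logic. counter_in_nand=True is the iPhone 5c situation, where the
    retry counter is stored on the mirrored chip. counter_in_nand=False models a
    counter kept in storage the attacker cannot image (an assumed defence used for
    contrast, not something the paper tests)."""

    def __init__(self, nand: Nand, counter_in_nand: bool = True):
        self.nand = nand
        self.counter_in_nand = counter_in_nand
        self._external_counter = 0
        self.wiped = False

    def _counter(self) -> int:
        return self.nand.failed_attempts if self.counter_in_nand else self._external_counter

    def _set_counter(self, value: int) -> None:
        if self.counter_in_nand:
            self.nand.failed_attempts = value
        else:
            self._external_counter = value

    def try_passcode(self, guess: str) -> bool:
        """One lock-screen attempt; the 10th consecutive failure locks the device."""
        if self.wiped:
            raise RuntimeError("device locked after too many failed attempts")
        if Nand.derive(guess, self.nand.salt) == self.nand.verifier:
            self._set_counter(0)
            return True
        self._set_counter(self._counter() + 1)
        if self._counter() >= MAX_ATTEMPTS:
            self.wiped = True
        return False

    def restore_nand(self, image: Nand) -> None:
        """The mirroring step: swap the live chip contents for the saved image."""
        self.nand = image.clone()


def mirror_bruteforce(phone: Phone, digits: int = 4,
                      attempts_per_cycle: int = ATTEMPTS_PER_CYCLE):
    """Scripted passcode entry (the paper drives this from a USB keyboard): back up
    the NAND once, then restore it after every cycle of guesses so the stored
    failed-attempt count never reaches the lockout.
    Returns (passcode, attempts, restores), or None if the device locked first."""
    backup = phone.nand.clone()
    attempts = restores = 0
    for index, code in enumerate(f"{n:0{digits}d}" for n in range(10 ** digits)):
        if index and index % attempts_per_cycle == 0:
            phone.restore_nand(backup)
            restores += 1
        attempts += 1
        try:
            if phone.try_passcode(code):
                return code, attempts, restores
        except RuntimeError:
            return None
    return None


if __name__ == "__main__":
    # Constructed sample: a 5c-style device whose passcode is 4271.
    print(mirror_bruteforce(Phone(Nand("4271", b"device-salt"))))
    # Same passcode, counter held off-chip: restoring the image no longer helps.
    print(mirror_bruteforce(Phone(Nand("4271", b"device-salt"), counter_in_nand=False)))
```

The first run walks the whole four-digit space without ever tripping the lockout, because every restore rewinds the counter along with the rest of the chip; the second run locks after ten guesses, which is the point of the contrast: the bypass works only because the 5c keeps its retry count on the same chip the attacker can image.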

He believes that this can be developed into a “fully automatic setup and used as a tool for brute-forcing passcodes in real devices.” Apple was asked whether a similar attack is possible on newer iPhone models such as the iPhone 7, but it did not respond in time for publication.

Concluding, Skorobogatov said: “This really shows the FBI was lacking in its research and due diligence. Setting the precedent was more important than doing the research.”

