An outside contractor with established ties to the FBI has most likely shown investigators how to circumvent the iPhone's security measures by copying the contents of the device's flash storage, a forensics expert said today.
Called "NAND mirroring," the technique relies on using numerous copies of the iPhone storage to input possible passcodes until the correct one is found.
"The other ideas, I've kind of ruled out," said Jonathan Zdziarski in an interview. Zdziarski is a noted iPhone forensics and security expert. "None of them seemed to fit."
Those other methods, Zdziarski continued, had to be scratched because: they posed dangers to the data; would have been unpalatable to the FBI; could have been explored much earlier in the ongoing dispute with Apple over the iPhone 5C used by Syed Rizwan Farook; or would take much longer than the two weeks the Department of Justice has given itself.
Farook, along with his wife, Tafsheen Malik, killed 14 people in San Bernardino, Calif., on Dec. 2, 2015. The two died in a shootout with police later that day. Authorities quickly called it a terrorist attack.
Last month, the government obtained a court order compelling Apple to write software that would let the FBI electronically blast the iPhone with passcode guesses in the hope of unlocking it, then extracting data from the device. Apple has contested the order.
In obtaining that order, and subsequently, the DOJ repeatedly said in court filings that only Apple was in a position to help. But on Monday, the DOJ made an about-turn, telling the federal magistrate overseeing the case that it had a lead on an alternate way to crack the iPhone.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the DOJ's brief stated. "Testing is required to determine whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple."
The government asked the court to postpone a hearing scheduled for Tuesday, March 22, then promised to provide the court with a status update by April 5.
That led security and forensics experts like Zdziarski to wonder what the "possible method" was.
Zdziarski struck several other techniques from his possible list, and by a process of elimination concluded that NAND mirroring was it.
"They're not going to talk to the jailbreak crowd," Zdziarski said, referring to hackers who look for iOS vulnerabilities that can be exploited to let users add unsanctioned apps to an iPhone. He said that he and other reputable researchers had been turned away by the FBI when they volunteered to help. If they met a blank wall, jailbreak artists would have gotten nowhere, he reasoned.
Other avenues, such as "de-capping," a term used to describe a tear-down of the iPhone's processor using acid and lasers, were also out, Zdziarski said, because they risked destroying the very thing the FBI claimed it needed, the data on Farook's phone.
That left NAND mirroring.
The technique, while advanced, is relatively straight forward. After opening the iPhone, the device's processor is desoldered from the circuit board. Its contents are copied, then the results dumped into a chip reader/programmer, which Zdziarski said was analogous to a CD or DVD burner, but for silicon chips.
With the ability to make an unlimited number of copies from the original data, the "outside party" could try passcodes on one copy until 10 incorrect guesses -- at which point no more are allowed, one of the security safeguards Apple was asked to circumvent. That copy could then be discarded and a fresh version re-copied onto a chip for another 10-guess run.
"It's like saved video games," said Zdziarski. As in a saved game, where a player can re-play a level over and over until she succeeds, the saved data can be subjected to a passcode combination again and again.
According to the government, Farook's iPhone used a four-digit passcode, which would result in 10,000 permutations, a low enough number to be possible to brute force using NAND mirroring, but one high enough that it may take the two weeks the DOJ has given itself to report back to the federal magistrate.
Inputting passcodes may seem tedious, but the method would almost certainly be automated, at least in part. "There won't be some intern punching this in," Zdziarski said. Instead, it's likely that the party the FBI mentioned has automated some sections of the procedure, perhaps also narrowed down the portion of the iPhone's processor that contains the passcode recognition so that they're not copying its entire contents again and again.
The passcodes would be entered electronically -- another government requirement when it demanded Apple's help -- via the iPhone's USB port. That technique has already been used previously by some forensics firms, Zdziarski asserted, to brute force iPhones running older editions of iOS.
"All of this paints a pretty clear picture: The leading theory at present is that an external forensics company, with hardware capabilities, is likely copying the NAND storage off the chip and frequently re-copying all or part of the chip's contents back to the device in order to brute force the [passcode], and may or may not also be using older gear from iOS 8 techniques to do it," Zdziarski wrote in a detailed analysis posted to his website Monday. "The two weeks the FBI has asked for are not to develop this technique (it's most likely already been developed, if [the] FBI is willing to vacate a hearing over it), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units."
Zdziarski declined to name the forensics firms he suspected able to carry out such an examination, but noted that several major vendors had been very tightlipped of late. "There are only a couple which have not denied that they're working on something," he said. Zdziarski also pointed out the FBI's reference to Sunday, which would have been Monday overseas, implying that the forensics firm was not based in the U.S.
In any case, the FBI wanted more time to strike a deal.
"If they liked what they saw, they would need to negotiate a price," Zdziarski said. The red tape and the pressing April 5 deadline would preclude working with an unknown vendor, so Zdziarski assumed that the firm was already on the FBI's contractor list, and like all major players in forensics, already had a chain-of-custody agreement in place with the U.S. government.
Zdziarski has supported Apple in its battle with the FBI, and was one of several prominent iOS security experts who added their names to a friend-of-the-court, or amicus, brief filed earlier this month backing the Cupertino, Calif., company's refusal to help the government unlock Farook's iPhone.
It wasn't a surprise, then, that Zdziarski criticized the government after its 180-degree turn. "They said they had exhausted every attempt," he said, when the FBI went to the magistrate and asked that Apple be forced to assist. "But [on Monday] they admitted that they continued to do research. They weren't completely forthcoming."
Others who have blasted the FBI's attempt to strong-arm Apple echoed that view.
"Now the FBI is acknowledging that its previous statements that only Apple could help may also have been wrong," said Alex Abdo, a staff attorney for the American Civil Liberties Union (ACLU), which also filed an amicus brief this month.
"This doesn't inspire confidence, and it is yet another reason to resist the government's demands in the larger debate about whether tech companies should be forced to weaken the encryption in their devices to provide for governmental access," Abdo said in a Tuesday post to the organization's blog. "There is an extraordinary consensus among security professionals that doing so would be disastrous for security. The FBI has responded by wishing away the consensus of the technical community. The latest development in Apple's case gives little reason to think that the FBI has the technical qualifications necessary to make this point."