- Oct 30, 2015
iPhone passcode bypassed with NAND mirroring attack
FBI says it's impossible but Cambridge computer security expert proves them wrong.
Passcodes on iPhones can be hacked using store-bought electronic components worth less than $100 (£77), according to one Cambridge computer scientist.
Sergei Skorobogatov has demonstrated that NAND mirroring, the technique that James Comey, the director of the FBI, dismissed as unworkable, is in fact a viable means of bypassing the passcode-entry limit on an Apple iPhone 5C. The technique, which involves desoldering the phone's flash memory chip, also applies to every iPhone model up to the iPhone 6 Plus, all of which use the same LGA60 NAND package. Later models, however, will require "more sophisticated equipment and FPGA test boards."
In a paper he wrote on the subject, Skorobogatov, a Russian senior research associate at the Cambridge Computer Laboratory's security group, confirmed that "any attacker with sufficient technical skills could repeat the experiment," and while the technique he used is quite fiddly, it should not present too much of an obstacle for a well-resourced branch of law enforcement.
The attack works by cloning the iPhone's flash memory chip. iPhones allow six passcode attempts before imposing lockout delays that grow with each further failure, and the retry count that drives those delays is held in the flash. By taking the phone apart, removing the memory chip and cloning it, an attacker can swap in a fresh clone after each failed batch and so get as many rounds of six tries as they have the patience to make clones. Skorobogatov estimates that each run of six attempts takes about 45 seconds, so cycling through all 10,000 four-digit passcodes would take around 20 hours. For a six-digit passcode that grows to about three months, which he says might still be acceptable for national security.
He demonstrated the fruits of his labour in a YouTube video, which clearly shows him making more than the regulation number of passcode entries by switching a fresh, identical chip into a physical port he'd attached to the phone he was attacking. "Because I can create as many clones as I want, I can repeat the process many many times until the passcode is found," he explained in the video.
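The following toy model, added here as an illustration and not code from the article or from Skorobogatov's paper, shows why cloning the flash defeats the retry limit. It assumes a device whose only record of failed attempts is a counter stored in the same NAND image as the passcode verifier, a lockout after six failures and an erase after ten, and the article's figure of 45 seconds per batch of six attempts. Real iPhone key derivation (the key tangled with the hardware UID), the Secure Enclave and the actual flash layout are deliberately not modelled; the `Nand`, `Phone` and `brute_force_*` names are made up for this example.

```python
"""Toy model of a NAND-mirroring attack on a flash-resident retry counter.

Added illustration, not the article's or Skorobogatov's code. Assumptions:
the retry counter lives in the flash image next to the passcode verifier,
six failures trigger the lockout, ten trigger an erase, and one batch of
six attempts costs 45 s of wall-clock time (the article's figure).
"""
import copy
import hashlib
import itertools
import os

TRIES_PER_BATCH = 6      # article: six attempts before the escalating lockout
SECONDS_PER_BATCH = 45   # article: about 45 s per run of six attempts
WIPE_AFTER = 10          # assumed "erase data after 10 attempts" setting


class Nand:
    """The flash image: passcode verifier plus the failed-attempt counter."""

    def __init__(self, passcode: str) -> None:
        self.salt = os.urandom(16)
        self.verifier = self.digest(passcode)
        self.failed = 0
        self.wiped = False

    def digest(self, code: str) -> bytes:
        # Stand-in for the real key derivation; only the counter matters here.
        return hashlib.sha256(self.salt + code.encode()).digest()


class Phone:
    """Enforces the lockout, but only via state that lives in the NAND image."""

    def __init__(self, nand: Nand) -> None:
        self.nand = nand

    def try_passcode(self, code: str) -> bool:
        if self.nand.wiped:
            raise RuntimeError("device wiped")
        if self.nand.failed >= TRIES_PER_BATCH:
            # The growing delay is modelled as a hard stop for simplicity.
            raise RuntimeError("locked out")
        if self.nand.digest(code) == self.nand.verifier:
            self.nand.failed = 0
            return True
        self.nand.failed += 1
        if self.nand.failed >= WIPE_AFTER:
            self.nand.wiped = True
        return False


def candidates(digits: int):
    """All zero-padded numeric passcodes of the given length, in order."""
    for i in range(10 ** digits):
        yield f"{i:0{digits}d}"


def batched(iterable, n: int):
    it = iter(iterable)
    while chunk := list(itertools.islice(it, n)):
        yield chunk


def brute_force_naive(phone: Phone, digits: int = 4):
    """No mirroring: the counter persists across attempts, so the lockout wins."""
    attempts = 0
    for code in candidates(digits):
        attempts += 1
        try:
            if phone.try_passcode(code):
                return code, attempts
        except RuntimeError:
            return None, attempts
    return None, attempts


def brute_force_mirrored(phone: Phone, digits: int = 4):
    """Mirroring: before each batch, swap in a fresh copy of the original image.

    The clone is taken before any attempt is made, so every batch starts
    with the counter at zero and the wipe threshold is never reached.
    """
    master = copy.deepcopy(phone.nand)  # the image cloned from the real chip
    batches = 0
    for batches, batch in enumerate(batched(candidates(digits), TRIES_PER_BATCH), 1):
        phone.nand = copy.deepcopy(master)  # "solder in" a fresh clone
        for code in batch:
            if phone.try_passcode(code):
                return code, batches
    return None, batches


def worst_case_hours(digits: int) -> float:
    """Upper bound on wall-clock time at 45 s per batch of six attempts."""
    batches = -(-(10 ** digits) // TRIES_PER_BATCH)  # ceiling division
    return batches * SECONDS_PER_BATCH / 3600


if __name__ == "__main__":
    print("naive:", brute_force_naive(Phone(Nand("7391"))))
    print("mirrored:", brute_force_mirrored(Phone(Nand("7391"))))
    print(f"4 digits: {worst_case_hours(4):.1f} h, 6 digits: {worst_case_hours(6) / 24:.0f} days")
```

The point of the model is that the lockout is only as strong as the storage its counter lives in: `brute_force_naive` hits the lockout after six failures, while `brute_force_mirrored` finds the same code because every batch starts from a pristine copy of the image. `worst_case_hours` reproduces the article's arithmetic (roughly 20 hours for four digits, roughly 87 days for six) and shows how quickly the cost grows with passcode length.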