University of Cambridge senior research associate Sergei Skorobogatov has laid waste to United States Federal Bureau of Intelligence (FBI) assertions about iPhone security by demonstrating password bypassing using a $100 NAND mirroring rig.
FBI director James Comey made the claim during the agency's bid to defeat the password lock screen protection on the San Bernardino shooter's iPhone 5c.
The hacking effort erupted into a sparring match between the FBI and Apple, after the agency asked Cupertino to bypass the device's password protection. The agency reportedly paid a security firm more than US$1 million to concoct a bypass for the device.
Forensics expert Jonathan Zdziarsk first flagged NAND mirroring as an option to defeat iPhone password protection and the security controls that would erase device data if the wrong codes were entered 10 times.
Skorobogatov built a working prototype demonstrating how NAND mirroring could work using off-the-shelf components for an updated iPhone 5c, revealing a password in about 24 hours.
The researcher spent four months of part-time work to successfully remove the iPhone 5c NAND memory chip, cloning it so he could launch brute-force attacks against the password control.
Skorobogatov says his work is the first public demonstration of a working NAND mirroring prototype and show the FBI's claims on the technique "were ill-advised".
"[It] was achieved by desoldering the NAND flash chip of a sample phone in order to physically access its connection to the system-on-a-chip and partially reverse engineering its proprietary bus protocol," Skorobogatov says in the paper The bumpy road towards iPhone 5c NAND mirroring [PDF].
"The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors.
"By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts."
The attacks could also work against iPhone 6 with more sophisticated hardware, Skorobogatov says.
He found Apple employed security-through-obscurity rather than "fully thought through" hardening in its protection against NAND mirroring attacks.
Skorobogatov says his set up could help Apple and others find hardware security problems and reliability issues, citing his discovery that some NAND chips from broken iPhone 5c main boards had specific blocks that had failed due to excessive rewriting.
"This might happen because of a bug in Flash memory wear-levelling algorithm as it was implemented in software," he says. ®