The mysterious third-party partnering with the FBI to break into San Bernardino terrorist Syed Rizwan Farook’s locked iPhone is Israel-based mobile forensic software firm Cellebrite, according to a report today in Israeli newspaper Yedioth Ahronoth.
And as mobile security experts continue to ponder how the FBI plans to overcome Apple’s built-in security features, one prominent expert is pointing to a technique that involves repeatedly copying a phone’s flash memory until the right access code is discovered.
Ever since the FBI pulled an about-face on Apple, postponing a federal court hearing under the premise that it may no longer require the company’s help finding a workaround for the iPhone’s passcode, speculation has run rampant as to what circumstances changed. Observers apparently now have their answer in Cellebrite, a contractor with a long history of providing equipment and services to the FBI.
On its website, Cellebrite says its mobile forensics solutions “give access to and unlock the intelligence of mobile data sources to extend investigative capabilities, accelerate investigations, unify investigative teams and produce solid evidence.” Asked to confirm if it is working with the feds, Cellebrite issued a no comment to SCMagazine.com through its PR agency.
Meanwhile, McAfee founder John McAfee, who had previously offered to help the FBI with this case, declared yesterday that he knew who the third party was. “I promise you that [Apple CEO] Tim Cook and Apple are not going to be happy with the solution that the FBI has come up with,” said McAfee on CNBC’s show Power Lunch, as reported on the network’s website. McAfee did not name names, so it is unclear whether he was alluding to Cellebrite.
On his personal blog, forensic scientist Jonathan Zdziarski, noted for his past work identifying iPhone backdoors and vulnerabilities, posed a theory on what method the FBI and Cellebrite would use to crack the phone: a technique known as NAND mirroring, which creates a way to brute-force a passcode without triggering the security feature in iPhones that automatically erases all files after several incorrect entries.
As Zdziarski describes it, the phone’s NAND chip—a style of flash memory storage technology—is “typically desoldered, dumped into a file (likely by a chip reader/programmer which is like a CD burner for chips), and then copied” repeatedly, as many times as needed. If the phone tries to wipe the data after multiple PIN attempts, federal investigators can just insert a replacement NAND chip and start from zero, giving them an unlimited number of tries.
Further hardware modifications would allow the FBI to add sockets for switching out chips quickly or even simulating chips so there is no actual physical replacement of the chips.
Zdziarski also described a tactic whereby investigators could use “hardware invasive technologies” to block the writes of passcode attempts to disk, so the phone’s security mechanism never realizes the maximum threshold of PIN entries has been met. Apple’s iOS 9 operating system was designed to defeat this ploy by requiring that password attempts be verified on the disk after they are written. But again, using NAND mirroring, this fortification can be circumvented.
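The rollback weakness described above can be seen in a toy model, added here as an illustration (it is not code from Zdziarski, Apple or Cellebrite). The `Device` class, the threshold of 10, the sample passcode and the `protected_counter` store are assumptions of the model; it shows that a failure counter kept in restorable storage does not bound the number of guesses, while one kept outside the restorable image does.

```python
MAX_ATTEMPTS = 10   # constructed threshold for this model
PASSCODE = "0042"   # constructed sample passcode

class Device:
    """Toy lock: counts failed attempts and destroys its key after MAX_ATTEMPTS."""
    def __init__(self, verify_writes=False, protected_counter=False):
        self.flash = {"failed": 0, "key": True}      # replayable storage (the NAND)
        self.protected = {"failed": 0, "key": True}  # hypothetical store an image restore cannot touch
        self.state = self.protected if protected_counter else self.flash
        self.verify_writes = verify_writes           # read back the counter after writing it
        self.block_writes = False                    # models the write-blocking tactic

    def _write(self, field, value):
        if self.state is self.flash and self.block_writes:
            return                                   # write to flash silently dropped
        self.state[field] = value

    def try_passcode(self, guess):
        if not self.state["key"]:
            return "wiped"
        count = self.state["failed"] + 1
        self._write("failed", count)                 # record the attempt before checking it
        if self.verify_writes and self.state["failed"] != count:
            return "halted"                          # read-back shows the write was lost
        if guess == PASSCODE:
            self._write("failed", 0)
            return "unlocked"
        if count >= MAX_ATTEMPTS:
            self._write("key", False)                # the erase-after-N-failures feature
            return "wiped"
        return "wrong"

def run(device, restore_every=None):
    """Feed guesses 0000, 0001, ... and optionally restore the flash image.

    Returns (outcome, number of attempts made)."""
    image = dict(device.flash)                       # the mirrored copy, taken once
    for n in range(10000):
        if restore_every and n and n % restore_every == 0:
            device.flash.update(image)               # rolls counter and key back
        result = device.try_passcode(f"{n:04d}")
        if result != "wrong":
            return result, n + 1
    return "exhausted", 10000
```

In this model the write verification stops write blocking but not an image restore, matching the article's description; only the counter held outside the restorable image keeps the limit at ten attempts.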
Zdziarski arrived at NAND mirroring by process of elimination, ruling out other methods after factoring in timetables, court brief content and other considerations. He also theorized that, in all likelihood, the FBI had already been exploring and vetting this Plan B technique for at least “several weeks” while still actively engaging Apple in court.
In that same vein, Evan Greer, campaign director for digital rights organization Fight for the Future, said in an email to SCMagazine.com that the FBI is being duplicitous when it claims this new opportunity to unlock the phone only just materialized. “The FBI’s last-minute excuse is about as believable as an undergrad who comes down with the flu the night before their paper is due. They should come clean immediately, and admit that they misled the court and the public, to avoid further damaging what’s left of their credibility,” said Greer in his statement.
Regardless of when this plan was hatched with Cellebrite, “Expect that this technique was/is sold privately for well over a million,” said Zdziarski in his blog post. While expressing confidence in his NAND theory, Zdziarski acknowledged that the FBI could instead be leveraging a software exploit, a possibility also mentioned by Hardik Modi, director of threat research at Fidelis Cybersecurity, in an email to SCMagazine.com.
“If there’s a moral here, I think that you typically don’t have to break the crypto if you’re patient. Every implementation introduces bugs—see Heartbleed and all the other OpenSSL vulnerabilities,” wrote Modi. “Of course, implementations harden over time but in the case of a consumer gadget, they’re also introducing new features quite rapidly and these open new vulnerabilities… Give it enough time, vulnerabilities [and] exploits will emerge and you should be able to get to the data.”