There's now a basic proof of concept that shows just how the FBI and its mysterious outside party might be unlocking the iPhone of the San Bernardino shooter.
Last week, the feds surprised everyone by cancelling the much-anticipated hearing in their battle with Apple at the last minute, saying they didn't need Apple's help after all, and might have found a way to unlock the iPhone of the San Bernardino shooter.
Since then, there's been a lot of talk about exactly what new technique the FBI might have discovered, as well as who was helping the feds. Most security and forensic experts seemed convinced the FBI would be using a method that lets the feds make unlimited passcode attempts without triggering the phone's security mechanisms: copy the contents of the phone's NAND flash chip, where the failed-attempt counter is stored, then write that copy back after every five or 10 failed tries, before the counter can trigger the escalating delays or the auto-erase.
"This technique is kind of like cheating at Super Mario Bros. with a save game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they're trying different PIN combinations," iPhone forensic expert Jonathan Zdziarski wrote in a blog post detailing exactly how this method, commonly referred to as "NAND mirroring," would work.
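To make the "save game" analogy concrete, here is a small simulation of the attack described above. It is an added illustration, not code from Zdziarski, Apple or the FBI: the toy device keeps its failed-attempt counter in a flash image that the attacker can dump and write back, and the thresholds (delays after 5 failures, wipe after 10, 60-second delays) are assumptions chosen to match the article's description. A second, purely illustrative configuration keeps the counter outside the mirrored image, to show that the attack only works when the counter lives in storage the attacker can restore; it makes no claim about where any particular phone keeps its counter.

```python
"""Toy model of NAND mirroring: snapshot the flash, burn attempts, reflash.

Added example, not the article's or Zdziarski's code. All limits and the
device model are assumptions for illustration only.
"""
import hashlib

PIN_LENGTH = 4
DELAY_AFTER = 5      # assumption: escalating delays begin after 5 failures
WIPE_AFTER = 10      # assumption: device erases itself after 10 failures
DELAY_SECONDS = 60   # assumption: length of each enforced delay


def _digest(pin: str) -> bytes:
    # Stand-in for the device's real key derivation; only equality matters.
    return hashlib.sha256(pin.encode()).digest()


class Device:
    """Passcode-checking device whose flash image an attacker can copy.

    counter_in_nand=True: the failed-attempt counter lives in the image
    (the situation the article describes).  counter_in_nand=False: the
    counter lives somewhere the attacker cannot reflash (illustrative
    assumption, not a statement about a specific phone).
    """

    def __init__(self, passcode: str, counter_in_nand: bool = True):
        self.nand = {"digest": _digest(passcode), "failed": 0, "wiped": False}
        self.counter_in_nand = counter_in_nand
        self._private = {"failed": 0, "wiped": False}
        self.delay_incurred = 0   # simulated seconds of enforced delay

    @property
    def _state(self) -> dict:
        return self.nand if self.counter_in_nand else self._private

    def try_passcode(self, guess: str) -> str:
        st = self._state
        if st["wiped"]:
            return "wiped"
        if st["failed"] >= DELAY_AFTER:
            self.delay_incurred += DELAY_SECONDS   # a real device would sleep
        if _digest(guess) == self.nand["digest"]:
            st["failed"] = 0
            return "unlocked"
        st["failed"] += 1
        if st["failed"] >= WIPE_AFTER:
            st["wiped"] = True
            self.nand["digest"] = None   # key material goes with the wipe
        return "wrong"

    # Attacker primitives: dump the flash contents, write them back.
    def image_nand(self) -> dict:
        return dict(self.nand)

    def reflash_nand(self, image: dict) -> None:
        self.nand = dict(image)


def brute_force(device: Device, mirror: bool) -> dict:
    """Try every PIN in order; with mirror=True, reflash the saved image
    each time the on-flash counter reaches the delay threshold."""
    image = device.image_nand() if mirror else None
    for n in range(10 ** PIN_LENGTH):
        guess = f"{n:0{PIN_LENGTH}d}"
        result = device.try_passcode(guess)
        if result in ("unlocked", "wiped"):
            return {"pin": guess if result == "unlocked" else None,
                    "attempts": n + 1, "delay": device.delay_incurred}
        if mirror and device.nand["failed"] >= DELAY_AFTER:
            device.reflash_nand(image)   # device forgets the failures
    return {"pin": None, "attempts": 10 ** PIN_LENGTH,
            "delay": device.delay_incurred}


if __name__ == "__main__":
    print("naive:           ", brute_force(Device("7357"), mirror=False))
    print("mirrored:        ", brute_force(Device("7357"), mirror=True))
    print("counter off-NAND:", brute_force(Device("7357", counter_in_nand=False), mirror=True))
```

The naive run wipes the toy device after its tenth failure; the mirrored run recovers the PIN with zero enforced delay, because the counter is reset every time the image is written back; the off-NAND run fails even with mirroring, because restoring the flash never touches the counter. That last case is the whole question behind the debate over whether the technique "works" on a given device.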
This was pretty much everyone's best guess, but nobody was sure this actually worked—until Zdziarski successfully tested it himself this weekend.
Zdziarski recorded two videos testing the technique on an iPod touch running iOS 9.0, which has essentially the same software and hardware as the iPhone of the San Bernardino shooter. In the videos, Zdziarski shows that it's possible to trick the device into forgetting that there have ever been any failed passcode attempts, essentially giving him infinite tries to hack into it.
"I could keep trying this all day and I'm not going to end up with a delay," Zdziarski said in the video. "There are ways to get virtually unlimited number of passcode attempts on these devices."
The only caveat is that he didn't use any special hardware to mirror the NAND chip and reflash it, but the test still demonstrates that the concept behind the method works. Using special hardware and other techniques could make it quicker and more efficient, Zdziarski explained.
The bad news is that we might never know if this is actually how the FBI is trying to unlock Farook's iPhone, because the bureau has classified the technique. Also, FBI Director James Comey on Friday confused everyone by saying that making a copy of the chip "wouldn't work," though he refused to clarify whether the FBI had already tried the technique.
"I think this [demonstration] puts to bed any notion that the technique 'doesn't work,'" Zdziarski concluded.