This story is over 5 years old.


Here’s How the FBI Might Unlock the San Bernardino iPhone Without Apple’s Help

After weeks of encryption battles, the government thinks it might not need Apple’s help after all.
Janus Rose
New York, US

On Monday afternoon, the US Department of Justice was granted a last-minute request to cancel a highly anticipated hearing with Apple.

The hearing was to be the first courtroom arguments in a controversial "test case" that will determine whether the tech giant can be forced to write software that disables the security features of an iPhone—in this instance, an iPhone 5C belonging to the dead terrorism suspect Syed Farook.


The government asked to vacate the hearing at the eleventh hour, its lawyers claim, because it may have discovered an alternate way to break into the phone.

"An outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," according to the government's application for a continuance. "If the method is viable, it should eliminate the need for the assistance from Apple Inc. ("Apple") set forth in the All Writs Act Order in this case."

This new wrinkle is especially interesting because the government has repeatedly claimed that it exhausted all other possibilities and that compelling Apple's assistance is the only way to access the phone. It's now saying that after weeks of high-profile hullabaloo about encryption, the FBI may be able to access the phone's contents without Apple's help, potentially avoiding a dangerous legal precedent—at least for the time being.

"This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying."

Naturally, this has led many to speculate on just what, exactly, that "possible method" could be.

Some immediately assumed a government contractor approached the FBI with a zero-day vulnerability—in other words, a security flaw that is unknown to Apple—capable of bypassing the passcode lock protections. The lock protections, which erase the device's encryption key after 10 failed entry attempts and therefore make the data permanently inaccessible, are what the FBI was wanting Apple to override.


It's possible that such an exploit exists. However, zero-days are always somewhat of a gamble, and most security and forensics experts seem to agree that a more likely solution is one technologists, lawyers, and even some technically-inclined members of Congress have been suggesting for weeks.

As iPhone forensics expert Jonathan Zdziarski explains in a recent blog post, this method would involve "mirroring" the iPhone's NAND flash memory, using special hardware to clone the memory directly off the chip. This way, the FBI could make several passcode attempts, then avoid the auto-erase mechanism by simply flashing the original image back onto the chip, resetting the number of attempts the system has detected.

In other words, it would allow the government to make an infinite number of passcode guesses without worrying about the device being wiped and, crucially, without needing Apple's compelled assistance.

"This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they're trying different PIN combinations," said Zdziarski.

Variations on this same technique have been suggested before. In fact, just a few weeks ago during a surprisingly hostile Congressional hearing, Rep. Darrell Issa described to FBI director James Comey a similar method of making "10,000 copies" of the NAND memory and attacking them simultaneously, so that many guesses can be made at once without triggering the auto-erase mechanism. The ACLU has also suggested making a backup copy of the NAND—including its "Effaceable Storage," which contains the encryption key the FBI is worried about automatically erasing—and restoring the chip each time for infinite attempts.


"If the FBI doesn't have the equipment or expertise to do this, they can hire any one of dozens of data recovery firms that specialize in information extraction from digital devices," wrote ACLU technology fellow Daniel Kahn Gillmor. Given that the government's motion to dismiss the hearing specifically mentions "an outside party," meaning not a government agency such as the NSA, it's possible this is exactly what the FBI did.

To make this process even more efficient, Zdziarski says the FBI might not even have to copy the entire chip. Instead, it could identify the specific memory sector that stores info on how many password attempts have been made and overwrite that with a fresh copy each time.

It should be noted that while this method might work on the San Bernardino shooter suspect's iPhone 5C, it would be ineffective against newer iPhones sporting an A7 processor or later, all of which have a hardware-backed security feature called Secure Enclave. And of course, being able to brute-force the device and access its data ultimately depends on whether or not the owner used a weak password.

But not everyone is convinced this is the method the FBI will go for.

"NAND mirroring has a lot of downsides. It requires the development of a technique for programmatic PIN input, it doesn't remove all the delays (it's slow), it won't work on phones with the secure enclave, and no one has demonstrated that the technique even works," Dan Guido, the founder of security firm Trail of Bits, told Motherboard. "I would simply guess that there are better techniques out there that work in a single shot and remove all the delays."

Depending on how this case plays out, we may never know exactly how the government manages to unlock the shooter's phone if it is eventually successful. The FBI's solution would almost certainly be exempt from disclosure under the Freedom of Information Act, since it involves "sources and methods" and is part of a terrorism investigation.

But however the FBI plans on getting inside the phone, it will only be a temporary solution. The government's showdown with Apple may have been postponed, but the core issues at play will surely rise again as soon as the next "test case" comes around.

Additional reporting by Lorenzo Franceschi-Bicchierai