The FBI’s motion for a continuance in its case against Apple has opened a new debate over the identity of the mystery “outside party” and the means by which it could unlock terrorist Syed Farook’s iPhone.
Late yesterday afternoon, the FBI filed a motion to vacate a hearing scheduled for today in a Riverside, Calif., courtroom. The filing indicates that the FBI could have a way onto the phone without Apple’s help and that it will file a status report with the courts by April 5, which is two weeks from today.
The Department of Justice, in a statement provided to Threatpost, said that it has continued its efforts to crack the encryption and access data stored on Farook’s phone during the litigation against Apple, which became public Feb. 16.
“As a result of these efforts, an outside party demonstrated to the FBI this past weekend a possible method for unlocking the phone. We must first test this method to ensure that it doesn’t destroy the data on the phone, but we remain cautiously optimistic,” DOJ spokeswoman Melanie Newman said in a statement. “That is why we asked the court to give us some time to explore this option. If this solution works, it will allow us to search the phone and continue our investigation into the terrorist attack that killed 14 people and wounded 22 people.”
If the DOJ is not able to crack the phone on its own, it can always revisit the case in court, but for now, the case against Apple and this one phone is on hold. In the meantime, the FBI’s decision to stay the case reinforces the theory of legal and privacy experts that this case was never solely about accessing what’s on Farook’s phone, but more about setting a legal precedent the government could use to compel access to other phones. It also suggests that Apple’s assistance is not the only means by which the data can be accessed. In fact, experts have made this case on many fronts, including extreme options such as invasive, silicon-level hardware attacks on the chip itself.
Forensics expert Jonathan Zdziarski wrote yesterday that the outside party is likely a forensics or data recovery firm outside the U.S. government, while ruling out independent security researchers or a jailbreak. Rather than attempting potentially destructive hardware-based attacks, Zdziarski wrote that a NAND mirroring technique is much more likely the means by which this outside party could get onto the phone. NAND is a type of flash memory that stores data even without power to a device or the chip. By mirroring the chip, Zdziarski said the FBI and its outside party could perform offline brute-force attacks against the four-digit passcode without causing the phone to wipe itself.
I assume the FBI has found someone to clone and reflash the NVRAM of the San Bernardino iPhone. They should have done it a month ago.
— Matthew Green (@matthew_d_green) March 22, 2016
Zdziarski describes NAND mirroring in his post:
“This is where the NAND chip is desoldered (usually), dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different pin combinations. It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”
Zdziarski also described other methods that could possibly be used against older iPhones, including invasive techniques that prevent the count of incorrect PIN guesses from being written to storage. Apple patched against this technique in newer iOS versions, but Zdziarski said that NAND mirroring could be a way around the fix. The Secure Enclave would block that approach on newer hardware, but on older devices such as Farook’s, which are not protected by Apple’s Secure Enclave, that limitation is moot.
“The two weeks the FBI has asked for are not to develop this technique (it’s likely already been developed), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units,” Zdziarski wrote. “This shouldn’t be a surprise to anyone, as it’s a fairly straightforward technique. It’s also a technique that wouldn’t work in an A7 or newer iPhone that has a Secure Enclave. More importantly, this technique wouldn’t work at all had Farook used a complex alphanumeric passcode. The weak link in all of this has been Farook and his poor choice of security.”
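To make the “save-game” analogy concrete, here is a toy model of the NAND-mirroring attack described above and of why, as Zdziarski notes, it fails against a device with a Secure Enclave. This is an added example, not code from the article or from Zdziarski’s post. It is a deliberate simplification: the “NAND” is a Python dict, the passcode check is a plain string comparison, there are no escalating delays and no hardware-bound key derivation, and the Secure Enclave case is modeled only by the assumption that the failed-guess counter lives somewhere the attacker cannot dump or rewrite. The one property the attack relies on is that the counter and the wipe decision live in the same storage the attacker can snapshot and restore.

```python
import copy
import itertools

# Toy model of NAND mirroring (constructed example; not the article's code).
WIPE_AFTER = 10  # failed guesses before the device erases its data


class Phone:
    """Toy device. `nand` is the mirrorable flash image.

    For a pre-Secure-Enclave device the failed-guess counter is stored in that
    image. For a Secure Enclave device it is assumed (simplification) to live
    in `sep_failed`, outside anything the attacker can dump or rewrite.
    """

    def __init__(self, passcode, counter_in_sep=False):
        self.nand = {"passcode": passcode, "failed": 0, "data": "user data"}
        self.counter_in_sep = counter_in_sep
        self.sep_failed = 0

    @property
    def wiped(self):
        # A wipe empties the flash image, so the passcode record disappears.
        return "passcode" not in self.nand

    def try_passcode(self, guess):
        """Return True on a correct guess; count failures and wipe at the limit."""
        if self.wiped:
            return False
        if guess == self.nand["passcode"]:
            return True
        if self.counter_in_sep:
            self.sep_failed += 1
            failed = self.sep_failed
        else:
            self.nand["failed"] += 1
            failed = self.nand["failed"]
        if failed >= WIPE_AFTER:
            self.nand = {}  # auto-erase: user data and passcode record gone
        return False


def dump_nand(phone):
    """Chip-reader step: copy the flash image off the device."""
    return copy.deepcopy(phone.nand)


def reflash_nand(phone, image):
    """Programmer step: write a saved image back onto the chip."""
    phone.nand = copy.deepcopy(image)


def naive_attack(phone, digits=4):
    """Guess every PIN with no mirroring. Returns (pin, guesses) or (None, guesses)."""
    guesses = 0
    for tup in itertools.product("0123456789", repeat=digits):
        guesses += 1
        if phone.try_passcode("".join(tup)):
            return "".join(tup), guesses
        if phone.wiped:
            return None, guesses
    return None, guesses


def mirror_attack(phone, digits=4):
    """Snapshot the flash once, then rewind it one guess short of the wipe
    threshold, like reloading a saved game. Returns (pin, guesses) or (None, guesses)."""
    golden = dump_nand(phone)
    guesses = 0
    for tup in itertools.product("0123456789", repeat=digits):
        pin = "".join(tup)
        if guesses > 0 and guesses % (WIPE_AFTER - 1) == 0:
            reflash_nand(phone, golden)  # counter on NAND goes back to 0
        guesses += 1
        if phone.try_passcode(pin):
            return pin, guesses
        if phone.wiped:
            return None, guesses  # counter was not on the NAND; rewind did nothing
    return None, guesses


if __name__ == "__main__":
    print("no mirroring, counter on NAND :", naive_attack(Phone("7394")))
    print("mirroring, counter on NAND    :", mirror_attack(Phone("7394")))
    print("mirroring, counter in SEP     :", mirror_attack(Phone("7394", counter_in_sep=True)))
```

The `digits` parameter is what makes the last point in the quote visible: the rewind trick removes the wipe, not the work, so the guess count still scales with the size of the passcode space, and a long alphanumeric passcode puts the number of guesses out of reach even when every attempt is free.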
It’s also not out of the question that the FBI or the government has purchased or has access to a zero-day exploit that it could use in this case. While less likely, the FBI could postpone the case indefinitely, or drop it altogether, in order to avoid having to disclose its technique should Apple request it under discovery. Experts have also speculated about the NSA’s silence in this case in a similar vein that it would not want to give up an effective attack against iOS in open court.
In the meantime, anxious technology providers beyond Apple will have to wait a bit longer to see how this plays out.
“This may be more than just a routine extension of time. The FBI’s motion acknowledges that it may have other avenues to pursue in accessing the data on the phone, something that it must do under the law,” said Electronic Frontier Foundation director Cindy Cohn. “It could also provide a way for the FBI to get out of a very public battle it provoked over an extremely contentious issue: how and when tech companies can be forced to rewrite their software to facilitate surveillance.”