NAND mirroring was outright dismissed by FBI director James Comey as a means of breaking into San Bernardino terrorist Syed Farook’s iPhone 5c during the government’s spat with Apple earlier this year.
“It doesn’t work,” Comey said.
Well, turns out, it does.
Sergei Skorobogatov of the University of Cambridge Computer Laboratory in the U.K. published a paper called “The bumpy road towards iPhone 5c NAND mirroring” in which he describes how he used this technique to bypass the authentication restrictions protecting the phone.
“The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors,” Skorobogatov wrote. “By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts.”
NAND mirroring involves the physical removal of the NAND chip on the device and copying the data stored on it. In the FBI’s case, it could have used this technique to conduct offline brute-force attacks against the phone’s four-digit passcode without causing it to automatically wipe itself after 10 missed tries.
Forensics expert Jonathan Zdziarski was among the first to suggest NAND mirroring as a viable means of getting access to data stored on the device, and said at the time that he was able to do so against a jailbroken iPhone 5c.
Skorobogatov said a scan of all possible four-digit passcodes using his technique would take about 40 hours. In the paper, he describes the delicate surgery required to remove the NAND chip without damaging it, which included precise cutting and high temperatures (700 degrees Celsius) to soften the epoxy enough to safely remove the chip.
That chip was then connected to a test board and backed up to a new chip. The original chip was then re-attached to the iPhone and six passcode attempts were made. He then removed it again and re-attached it to the test board to restore the backup, essentially resetting the passcode counter.
“Once the phone is powered up and the screen is slid the passcode can be entered six times until the delay of one minute is introduced again. Then the process of mirroring from backup can be repeated again and again until the correct passcode is found,” Skorobogatov said. “On average each cycle of mirroring for six passcode attempts takes 90 seconds. Hence, a full scan of all possible 4-digit passcodes will take about 40 hours or less than two days.”
Skorobogatov also noted that during cloning of the chip, he ran into an issue where some pages were hidden and impeded the process. He was forced to modify his mirroring software to include the pages.
“As a result the newly created clone of the original NAND chip was fully functional in the iPhone 5c,” Skorobogatov said. “It was then tested with six incorrect passcode attempts before replacing it with the original chip. After the boot process it was possible to enter the incorrect passcodes again six times until the one-minute delay was introduced. This fully proved the correctness of the hardware NAND mirroring attack on iPhone 5c.”
Cloning also improved the time required to guess all possible passcodes, Skorobogatov said.
“Because there is no limitation on the number of such NAND clones, they can be created in advance and restored in parallel when one of them is being used for passcode testing,” Skorobogatov said. “This way it only requires 45 seconds per six passcode attempts. For 4-digit passcode the maximum attack time would be (10000/6) × 45 = 75000 seconds or about 20 hours. For 6-digit passcode this time will increase to about 3 months which in some cases might be acceptable.”
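A toy model of why a retry counter that lives only on unprotected flash does not bound guessing, and of the time arithmetic quoted above. This is an added example, not code from the paper; the phone, NAND image and every name in it are constructed assumptions (the real on-flash counter format is not modelled).

```python
# Added toy model (not from the paper): a phone whose passcode-retry counter
# lives only on the NAND flash, so restoring a backup image rewinds it.

ATTEMPTS_PER_CYCLE = 6  # guesses before the one-minute delay kicks in (from the paper)


class NandImage:
    """Constructed stand-in for the flash contents; only the retry counter matters here."""
    def __init__(self, failed_attempts=0):
        self.failed_attempts = failed_attempts

    def copy(self):
        return NandImage(self.failed_attempts)


class Phone:
    """Counter is read from and written to the NAND on every failed guess."""
    def __init__(self, passcode, nand):
        self._passcode = passcode
        self.nand = nand

    def try_passcode(self, guess):
        if self.nand.failed_attempts >= ATTEMPTS_PER_CYCLE:
            raise RuntimeError("retry delay active")
        if guess == self._passcode:
            return True
        self.nand.failed_attempts += 1
        return False


def mirror_search(phone, digits, cycle_seconds):
    """Exhaust all digits-long codes, re-flashing the pristine NAND image whenever
    the counter hits the limit. Returns (found_code, restores, elapsed_seconds)."""
    backup = phone.nand.copy()  # taken while the counter is still zero
    restores = 0
    for n in range(10 ** digits):
        if phone.nand.failed_attempts >= ATTEMPTS_PER_CYCLE:
            phone.nand = backup.copy()  # mirroring step: counter back to zero
            restores += 1
        if phone.try_passcode(f"{n:0{digits}d}"):
            # each started batch of six guesses costs one mirroring cycle
            return f"{n:0{digits}d}", restores, (restores + 1) * cycle_seconds
    return None, restores, (restores + 1) * cycle_seconds


def worst_case_seconds(digits, cycle_seconds):
    """The paper's bound: (10^digits / 6) x seconds per six-guess cycle."""
    return 10 ** digits * cycle_seconds / ATTEMPTS_PER_CYCLE
```

With the paper's 90-second and 45-second cycle times the bound reproduces the 150,000 and 75,000 seconds quoted above, and for six digits at 45 seconds it comes to about 87 days, the "about 3 months" in the last quote.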