Can’t the Feds exploit San Bernardino shooter iPhone’s chips to break into encrypted data?

Feb 22, 2016


The world’s most powerful government has locked horns with the world’s most powerful corporation in a battle that Apple implies has the potential to affect civil rights for a generation. As you know, the Justice Department gave Apple until February 26 to respond to its court order.

In it, the government is asking Apple’s engineers to create a special version of iOS that would allow brute-force passcode attacks on the shooter’s phone electronically.

Now, some people have suggested that the government’s experts could make an exact copy of the phone’s flash memory to brute-force its way into encrypted data on a powerful computer without needing to guess the passcode on the phone or demand that Apple create a version of iOS that’d remove passcode entry restrictions.

While this is technically feasible, the so-called de-capping method would be painstakingly slow and extremely risky. Here’s why.

NSA whistleblower Edward Snowden said the technique described further below could be used to hack the shooter’s phone unilaterally.

“The FBI has other means,” he said during a virtual talk hosted by Johns Hopkins University on Wednesday. “They told the courts they didn’t, but they do. The FBI does not want to do this.”

The FBI doesn’t want to employ the de-capping technique because it carries a great risk of completely destroying the phone’s chip and losing access to its memory forever.

How Apple protects iPhones

When you create a new passcode to protect your device, iOS’s mixing algorithm tangles it with a 256-bit device-unique secret key, called UID, to create the so-called passcode key, which is used as an anchor to secure data on the phone (Apple does not store iPhones’ passcode keys on its servers nor can it access them on the device).

[Infographic via Bloomberg: How Apple protects iPhones]

As a result, brute-force passcode attempts must be performed on the device in question. The problem is, iOS has a user-selectable option to erase all data on the phone after a total of ten failed passcode attempts. In addition, the phone’s hardware imposes delays after an incorrect passcode entry to make the guessing process even harder.

After four incorrect passcode entries, you must wait one minute. This time delay increases to five minutes, 15 minutes and finally one hour. This makes brute-force passcode attacks performed on the phone using a so-called IP box an impractical process.

In addition to requiring physical possession of the device, IP boxes take about half an hour to break a 4-digit passcode on a pre-iOS 8 device, up to months to break a 6-digit passcode, and years, possibly decades, to break a complex alphanumeric passcode; both of the latter are supported on devices running iOS 8 or later.

That being said, making an exact copy of the phone’s flash memory that could be brute-forced off-site, using the power of a supercomputer, would require the Feds to get hold of the phone’s actual UID and the mixing algorithm, both of which are incredibly well secured.

Prying the chip open

Doing so would require the agency to remove and de-capsulate the phone’s chip and subject it to invasive microscopic scrutiny in order to reach the portion of the chip that holds exactly that data.

And herein lies the rub.

Using a focused ion beam, the FBI could drill into the chip micron by micron and then use infinitesimally small probes at the precise target spot to extract both the UID and the data for the mixing algorithm.

They could then use the UID in conjunction with the mixing algorithm on some of the phone’s encrypted flash storage data and try all possible passcode combinations on a supercomputer until one makes the data readable. As the brute-forcing would be done outside iOS, there would be no 10-try limit or self-destruct mechanism that would otherwise wipe the phone’s flash storage clean.
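To make the two paths concrete, here is an added, runnable model of the article’s argument. It is not Apple’s code or key hierarchy: the UID, passcode and “flash” contents are constructed sample values, PBKDF2-HMAC-SHA256 keyed by the UID stands in for iOS’s real mixing step, a SHA-256 counter-mode stream with an HMAC tag stands in for the real AES encryption, and the delay schedule is the simplified one the article gives (one minute after the fourth failure, then 5, 15 and 60 minutes) with the optional wipe after ten. The `ThrottledDevice` class keeps the UID private, so a guesser who only has the device gets one throttled check per guess; `offline_brute_force` shows what changes once the UID and a flash image are in hand.

```python
import hashlib
import hmac

# Constructed sample values for this illustration only (not real device data).
UID = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # 256-bit device-unique key
TRUE_PASSCODE = "7391"                                          # 4-digit passcode
SECRET_DATA = b"example data protected by the passcode key"     # pretend flash contents


def passcode_key(passcode: str, uid: bytes, iterations: int = 100) -> bytes:
    """Tangle the passcode with the UID. Stand-in for iOS's mixing step: PBKDF2 keyed
    by the UID, so the same passcode yields a different key on every device.
    The real iOS derivation does far more work per guess than 100 iterations."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, iterations, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration, not AES)."""
    blocks = [hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes):
    """Encrypt and tag. The tag is what lets a guess be checked for correctness."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    return ct, hmac.new(key, ct, "sha256").digest()


def open_sealed(key: bytes, ct: bytes, tag: bytes):
    """Return the plaintext if the key is right, None otherwise."""
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


class ThrottledDevice:
    """On-device guess path as the article describes it: the UID never leaves the
    device, wrong guesses cost escalating delays, and an optional wipe destroys the
    data after ten failures. Schedule simplified from the article, not the iOS table."""

    def __init__(self, uid: bytes, passcode: str, wipe_after_ten: bool = True):
        self._uid = uid                                   # never exposed outside the class
        self.flash = seal(passcode_key(passcode, uid), SECRET_DATA)
        self.wipe_after_ten = wipe_after_ten
        self.failures = 0
        self.delay_seconds = 0                            # total imposed waiting time
        self.wiped = False

    def try_passcode(self, guess: str):
        if self.wiped:
            raise RuntimeError("device has been wiped")
        data = open_sealed(passcode_key(guess, self._uid), *self.flash)
        if data is not None:
            return data
        self.failures += 1
        if self.failures >= 7:
            self.delay_seconds += 3600                    # one hour per further failure
        elif self.failures >= 4:
            self.delay_seconds += {4: 60, 5: 300, 6: 900}[self.failures]
        if self.wipe_after_ten and self.failures >= 10:
            self.wiped = True
            self.flash = (b"", b"")                       # data gone for good
        return None


def offline_brute_force(uid: bytes, ct: bytes, tag: bytes, digits: int = 4):
    """With an extracted UID plus a copy of the flash image there is no counter and
    no delay: every passcode can be tried on any machine, at any speed."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        data = open_sealed(passcode_key(guess, uid), ct, tag)
        if data is not None:
            return guess, data
    return None


def on_device_brute_force(device: ThrottledDevice, digits: int = 4):
    """The same search routed through the device; stops when the wipe fires.
    Returns (passcode, data) on success, None if the device wiped first."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        try:
            data = device.try_passcode(guess)
        except RuntimeError:
            return None
        if data is not None:
            return guess, data
    return None


if __name__ == "__main__":
    ct, tag = seal(passcode_key(TRUE_PASSCODE, UID), SECRET_DATA)
    print("offline with UID:", offline_brute_force(UID, ct, tag))
    slow = ThrottledDevice(UID, TRUE_PASSCODE, wipe_after_ten=False)
    print("on device, no wipe:", on_device_brute_force(slow)[0],
          "after", slow.delay_seconds / 86400, "days of imposed delay")
    wiping = ThrottledDevice(UID, TRUE_PASSCODE, wipe_after_ten=True)
    print("on device, wipe on:", on_device_brute_force(wiping), "wiped:", wiping.wiped)
```

Run as a script, the offline search recovers the passcode and plaintext immediately, the throttled device without the wipe option yields the same answer only after roughly 300 days of accumulated one-hour delays, and the device with the wipe option destroys the data after the tenth wrong guess. The model also makes the article’s design point visible: nothing outside `ThrottledDevice` can read `_uid`, so the only way to move the search off the device is to extract that value physically.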

Unfortunately, the process isn’t at all as trivial as it sounds.

“If they screw up, if that laser or that X-ray is a couple of nanometers in the wrong direction, the whole chip is fried and they’ll never get any data off the phone,” said Dan Guido, co-founder of the cyber security firm Trail of Bits.

“This isn’t a cakewalk,” he said.


The whole process could be a months-long endeavor and “carries a real risk of destroying the chip completely,” according to Andrew Zonenberg, senior security consultant at IOActive and a hardware reverse engineering specialist.

According to Apple’s iOS Security Guide, each iPhone’s UID along with the mixing process (called “salt” in cryptography talk) is protected within the Secure Enclave, a special cryptographic co-processor embedded into the A7 chips and above.

Each Secure Enclave is provisioned during fabrication with its own unique ID, states the document. “The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and Secure Enclave during manufacturing,” reads the document.

On pre-A7 devices, like the shooter’s iPhone 5c, the UID is fused into the main application processor. In addition, on both kinds of device, those with a Secure Enclave processor and pre-A7 ones, the UID is connected to the AES cryptographic circuitry by a dedicated hardware path.

Making matters even more complicated, the UID “is not accessible to other parts of the system and is not known to Apple,” nor is it known to its suppliers, according to the iOS Security Guide. All iOS sees is the output of encrypting something with the UID, never the UID itself.

Wrapping it up

Both Apple’s company-wide memo to employees and its Q&A reiterate the company’s intention to fight the case, as made public in an open letter issued to customers on its website last week, signed by Tim Cook. The Cupertino firm is opposing the FBI’s request to create an iPhone backdoor because that one-off version of iOS could fall in the wrong hands—and with these things it’s a matter of “when”, not “if”—and then undermine the security of every iPhone user out there.

In addition, foreign governments would then be able to leverage this as an excuse to seek similar concessions from Apple for themselves.

FBI Director James Comey insists this is “about the victims and justice” and not “about trying to set a precedent or send any kind of message.”

Read our recap of last week’s events in the FBI vs. Apple case.

Source: KTIC Radio

  • Chris Wagers

    Listen… I hate terrorists but I totally agree with Apple here. They should not do this and for the FBI to even ask them is ignorant. They know once they do this they are opening Pandora’s box. Whether it’s Apple or Samsung or any other company, they need to refuse and resist this as much as possible.

    • RedSymphony

      def agree with your statement

    • Franklin Richards

      Not only with other companies. If other countries, ones that mean us harm, demand to gain access to means to brute force devices, then we’d be in far graver danger.

      • Chris Wagers

        Very true!

  • askep3

    This is a great article! Really shows how much effort has gone into the security on our devices! Most people don’t know this, and never will, but this case is showing so many people what’s in the devices they use every day.

  • Alex Wilson

    This is the same government that runs the US Post Office, Amtrak and bought us ObamaCare… do you really think they could crack a paper bag without some serious help? 😉

    • therealjjohnson

      Wait, are you saying you don’t like mail? lol.

      • Alex Wilson

        I’d like it if it was delivered on time. In their infinite wisdom they shut down the local processing center and now ship it 150 miles away, amazingly my mail that used to take at tops 2 days to deliver is now pushing 5+ days. Yep that same government.

    • Harsh Sac

      There’s a reason they use the 22% budget allocated to them!
      They hire super smart people to do their dirty work…

  • sunfire7

    one of the best articles I’ve seen on this site

  • steveH

    One point of correction to the article above.

    The iPhone in question is a 5c, which does not contain the Secure Enclave hardware. That hardware currently is only part of the iPhone 6 series.

    • pegger1

      Nothing to correct. You didn’t read the article properly.

      “On pre-A7 devices, like the shooter’s iPhone 5c, the UID is fused into the main application processor”

    • techfreak23

      It’s also on the 5s…

  • iPhoneWINS

    am sure it can be hacked

  • I would brute force it. All the chips have exact dimensions. So you use a different iPhone as a test to get your measurements exact. Lock another iPhone to test out the procedure. And then hack the terrorist phone.

  • rockdude094

    Or they could just ask the terrorists about what the password is ..

    • czbird

      With some serious spiritistic help, maybe… Otherwise, unless you can talk to dead people, it seems like a no-go.

      • iByron

        As you note, the original owners are dead. But I read over on Ars Technica that the passcode was changed at some point *after* the phone came into possession of law enforcement. That means some living person involved in the case or handling of evidence changed the passcode.

      • pegger1

        Pretty sure it was the Apple ID password that was changed, not the device passcode.

      • czbird

        It was a business phone, owned by the employer, who then changed the Apple ID password as instructed by the law enforcement units. It’s not the phone PIN, so that didn’t help them. On the contrary, this effectively disabled any future iCloud backups if these were enabled on the phone.

      • iByron

        Aha. So they’re missing the phone PIN (passcode is Apple’s term), but the fact that the AppleID password was changed means that the phone won’t back up unless it’s first unlocked with the current PIN/passcode. Correct?


      • czbird

        Yes. Must be unlocked first. And to re-enable iCloud backups, new Apple ID password must be re-entered as well, although that won’t be necessary anymore if already unlocked, as in that case they can do wired backup without iCloud.

  • Dave

    FBI Director James Comey insists this is “about the victims and justice.” The victims can’t be brought back, and while nobody knows what info may be on this phone (maybe nothing at all), I highly doubt that any info that they do recover would bring anybody to justice.

  • czbird

    Rumor has it that the FBI did not ask for any special iOS version; they only wanted Apple to disable the failed PIN counter and its retry delay, so that they could brute force the phone unlock. This is however not feasible due to the Secure Enclave chip within all new iDevices, which manages all this on its own. Wrapped up – no wonder Apple refused to comply with something that cannot be done.

    This is only a technical standpoint. The moral question is then something completely different.

    • pegger1

      Where did you hear this rumour? The device in question doesn’t have the Secure Enclave chip.

      • czbird

        True. Overlooked that. Thanks.

  • Jaba Haba

    Personally I think the FBI has enough white hats and resources to help them find an exploit and access the phone with no problem. They can do this all secretly and get all the information they need. They don’t need to go through a consumer electronics company (Apple) for something like this. Because doesn’t the military/government have far more advanced technology than what we use in everyday life? The only reason I could think of for them forcing Apple to make this so-called backdoor is they want to make this a precedent (disregarding them saying it won’t be, we know it’s not true). If this really happens it’s going to be a stepping stone for the government to monitor everything. At that point, Good Bye Privacy, Good Bye Freedom. Just like our freedom of not getting patted down like a criminal when we board the plane.

    • pegger1

      If you think the FBI can already do this and doesn’t need Apple, then they wouldn’t need to make a precedent because they always have access, as you claim.

  • Digitalfeind

    “The world’s most powerful government has locked horns with the world’s most powerful corporation…”

    Highly doubt these remarks.

    • Chris Wagers

      No it’s true 😉

  • DopamineAddicted

    President McAfee can open it for the FBI hahahahaha

  • anderlan

    I find myself more and more on Apple’s side. This is impressive.