Four Theories About How The FBI Is Cracking The San Bernardino Shooter's iPhone


An anticipated courtroom showdown between Apple and the FBI was scheduled for yesterday — but that didn't happen. The hearing was postponed following an FBI court filing claiming a "third party" had shown the government an alternate method to unlock the San Bernardino shooter's iPhone, one that doesn't require Apple's assistance. The timing of the FBI's filing could not be more suspicious. This is the legal equivalent of calling in sick on a Friday before a long weekend. All we know is that the FBI wants to hold off until it can test this mysterious new method.

We don't know who this "third party" is, and we don't know what method it has offered to the FBI. But here are some possibilities:


1) NAND Mirroring

This involves fiddling with hardware, but it's not nearly as destructive as other options. Forensics expert Jonathan Zdziarski has a great description on his blog:

Most of the tech experts I've heard from believe the same as I do — that NAND mirroring is likely being used to some degree to brute force the PIN on the device. This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a CD burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they're trying different PIN combinations. It's possible they have also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they're using hardware to simulate this chip so that they don't have to.

And here's a video of the NAND desoldering process:

Why it could work: This method would allow the FBI to try an infinite number of guesses for the passcode. It also doesn't risk permanently destroying the phone.

Why it probably won't work: Well, it actually might. This is, by far, the most believable scenario, as the FBI could have worked with forensics teams with a background in NAND mirroring. Johns Hopkins cryptography expert Matthew D. Green, who recently discovered a flaw in Apple's iMessage encryption, says this is "almost certainly correct". But whenever you're poking around at hardware, there's always the possibility that something will go wrong.
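As an added illustration (not code from the article, Apple, the FBI or anyone quoted above), here is a toy model of the point behind NAND mirroring: if the failed-attempt counter lives on the chip that gets dumped and rewritten, restoring the saved image resets it, whereas a counter held outside that image survives the rewrite. The device, its names and its lockout rule are simplified assumptions, not Apple's implementation.

```python
"""Toy model of the NAND-mirroring idea above: a failed-attempt counter that
lives on the NAND can be reset by rewriting a saved image, while a counter
held outside that image (a separate secure element, say) cannot.  Added
illustration only; simplified model with invented names, not a real iPhone."""
import hmac

MAX_ATTEMPTS = 10  # lock out after this many wrong PINs (article: "five or ten tries")

class PasscodeLock:
    def __init__(self, pin: str, counter_in_flash: bool):
        self.pin = pin
        self.counter_in_flash = counter_in_flash
        self.flash = {"attempts": 0}  # the part a chip reader can dump and rewrite
        self.secure_attempts = 0      # held outside the flash image (model assumption)

    def restore_flash(self, image: dict) -> None:
        self.flash = dict(image)      # rewriting the image never touches secure_attempts

    def _attempts(self) -> int:
        return self.flash["attempts"] if self.counter_in_flash else self.secure_attempts

    def try_pin(self, guess: str) -> str:
        if self._attempts() >= MAX_ATTEMPTS:
            return "wiped"            # lockout is enforced before any comparison
        if hmac.compare_digest(guess.encode(), self.pin.encode()):
            return "unlocked"
        if self.counter_in_flash:
            self.flash["attempts"] += 1
        else:
            self.secure_attempts += 1
        return "locked"

def guesses_checked(counter_in_flash: bool, budget: int) -> int:
    """How many wrong guesses the lock actually evaluates when the original
    flash image is written back every time the device reports a lockout."""
    lock = PasscodeLock(pin="0000", counter_in_flash=counter_in_flash)
    saved = dict(lock.flash)          # image taken before any guess is made
    checked = 0
    for i in range(1, budget + 1):
        guess = f"{i:04d}"            # constructed wrong guesses "0001", "0002", ...
        result = lock.try_pin(guess)
        if result == "wiped":
            lock.restore_flash(saved) # the "save-game" trick from the quote above
            result = lock.try_pin(guess)
        if result != "wiped":
            checked += 1
    return checked
```

With the counter on the rewritable image every guess in the budget gets evaluated; with the counter held elsewhere the lock stops after MAX_ATTEMPTS no matter how often the image is restored.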


2) Fiddling with the microprocessor

One way the FBI could extract the data it wants from the iPhone is to take the phone apart manually and use something like a focused ion beam to reach the UID key on the phone's microprocessor. The UID is critical to brute-forcing the phone's passcode, since the passcode is entangled with that identifier. This is a method Edward Snowden suggested at a recent talk.

Why it could work: We know this could work in theory, and this sort of chip-hacking has been done in the past to access data.

Why it probably won't work: The FBI would need to remove the chip's encapsulation with acid before it even attempted to search the chip. This method carries an extremely high risk: A tiny mistake — a drop too much acid, or a laser pointed a smidge in the wrong direction — could destroy the phone, rendering the data inaccessible.

As security researcher Jonathan Zdziarski noted, the FBI won't be able to continue the court case against Apple if it uses this method and ruins the phone.


3) The NSA is unlocking the phone

The FBI hasn't directly answered an obvious question during this fight: Why didn't it just ask the NSA? FBI Director James Comey told Congress the NSA was not helping. But he's also a clown and didn't specify why the NSA wasn't helping.

There's a good reason why the FBI might not ask the NSA: It is advantageous to the FBI to set a legal precedent here by forcing Apple to cooperate. If the FBI had won this fight, it would have had a strong precedent for conscripting tech companies to assist in dismantling their security in the future. That said — what if the NSA did help?

Why it could work: The National Security Agency has a long history of investigating workarounds for Apple's security measures, and has the most sophisticated and aggressive tactics for intercepting data of any agency in the world. Even former White House officials have argued that it could probably get the data off the phone.

Why it probably won't work: As I mentioned, this route isn't as appealing to the FBI. Also, the court brief's reference to a "third party" indicates that it's not a government agency providing the method.


4) John McAfee is unlocking the phone

Antivirus entrepreneur and libertarian goon John McAfee offered to unlock the phone with his team by using "social engineering". He estimated that it would take three weeks.

Why it could work: lol

Why it probably won't work: John McAfee is an addled, attention-starved wash-up who spouts nonsense frequently, and there is no evidence that he has anything remotely resembling a viable method for retrieving the data from a locked iPhone.

Of course, we don't know which route the FBI is taking. These are all hypotheses — some ridiculous, some less-so. Another hypothesis is that the FBI realised it had a dud case for precedent and accepted a flimsy offer so it could back out of a losing battle. Then again, if that were the case, why ask for a postponement instead of dropping it outright? This is still a mess of a situation, and we may have to wait until the hearing actually happens to find out what's on the US government's roadmap.



Comments

    Or maybe Apple is doing it on the low low, you know, as a once off so the court case doesn't go any further. The FBI get an unlocked phone and Apple gets to keep its "secure" technology.

    My vote goes to John McAfee, because with his help, the whole situation could be even more of a farce.

      That would be awesome. He could run off to Belize, use his shotgun and powers of yoga to trick the phone into unlocking. A psychological game of cat and mouse in the jungle.

    Oh please they already know how to do it. This is just about getting a legal precedent.

      If they can already access the information they want why do they want to set a precedent? What would be the purpose of having a Court force a company to help do a thing the FBI can already do for themselves?

      Besides, lower Courts don't set precedents.

        I meant as in, opening up their ability to legally open phones. That kind of precedent.

        They probably can do it, but can't get it into evidence without revealing they can and dealing with all the issues that'd come from that. This is a way of basically saying tech companies can't make devices they can't get into, as opposed to them always having to crack the latest encryption, something that'd be ongoing and getting harder. It's a way of stopping that.

          With a search warrant, the Police can use any evidence gathered. If they have a lawfully seized phone then if they can extract information from the device it can be used as evidence at Court. This empowers Police to employ any means necessary to access the data. If they don't want to detail the process of how they extracted the data they can claim whatever the US equivalent is of "public interest immunity" which means that the information is divulged to the Court, but is not made public. That's the whole point of getting a search warrant rather than just illegally breaking into someone's house and stealing the phone. In that case, the evidence wouldn't be admissible.

          So if the FBI can already access the phone's data (as you say) then it's already admissible in Court. And no 'precedent' is required to make it legal.

          I understand that the FBI would like to have easier access to encrypted data, and they've openly lobbied the US federal government to change legislation to assist them, however as they were doing this Snowden broke the NSA stories, and as you can imagine no-one in the US government was interested in listening to the FBI's request at the time and the FBI hasn't made any obviously overt attempts since.

          The FBI's been boxed back into a corner in regards to this issue which is why you're now seeing them utilise the All Writs Act in this particular way in Court.

          If the NSA could already access the data for the FBI, then the FBI would never have had to ask Apple for anything, or started a law suit or drawn any attention to the case whatsoever. I find it hard to accept the logic that if the FBI wanted to keep something secret, that instead of saying or doing nothing, they instead start a highly public and controversial lawsuit with the largest company on Earth.

