Four Theories About How The FBI Is Cracking The San Bernardino Shooter’s iPhone


An anticipated courtroom showdown between Apple and the FBI was scheduled for yesterday — but that didn’t happen. The hearing was postponed following an FBI court filing claiming a “third party” had shown the government an alternate method to unlock the San Bernardino shooter’s iPhone, one that doesn’t require Apple’s assistance.

The timing of the FBI’s filing could not be more suspicious. This is the legal equivalent of calling in sick on a Friday before a long weekend. All we know is that the FBI wants to hold off until it can test this mysterious new method.

We don’t know who this “third party” is, and we don’t know what method it’s offered to FBI. But here are some possibilities:

1) NAND Mirroring

This involves fiddling with hardware, but it’s not nearly as destructive as other options. Forensics expert Jonathan Zdziarski has a great description on his blog:

Most of the tech experts I’ve heard from believe the same as I do — that NAND mirroring is likely being used to some degree to brute force the PIN on the device. This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a CD burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying. Only instead of playing a game, they’re trying different PIN combinations. It’s possible they have also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.

And here’s a video of the NAND desoldering process:

Why it could work: The failed-attempt counter that drives the delays and the ten-strikes wipe lives in the NAND, so rolling the chip back to its original image lets the FBI make an unlimited number of passcode guesses without ever triggering either. The one limit that remains is speed: the key that protects the data is derived from the passcode and the phone’s own hardware key, so every guess still has to run on the phone itself (Apple’s security documentation puts that at roughly 80 milliseconds per attempt), which is fine for a four-digit PIN but painful for a long alphanumeric one. It also carries far less risk of permanently destroying the phone than the chip-level attacks described next.

Why it probably won’t work: Well, it actually might. This is, by far, the most believable scenario, as the FBI could have worked with forensics teams with a background in NAND mirroring. Johns Hopkins cryptography expert Matthew D. Green, who recently discovered a flaw in Apple’s iMessage encryption, says this is “almost certainly correct”. But whenever you’re poking around at hardware, there’s always the possibility something will go wrong.

2) Fiddling with the microprocessor

One way the FBI could extract the data it wants from the iPhone is to take the phone apart and use something like a focused ion beam to read the UID key out of the phone’s application processor. The UID is a per-device AES key burned into the silicon at manufacture; the key that actually protects the data is derived by tangling the user’s passcode with that UID, which is why the passcode can’t simply be brute-forced on a fast computer today. Pull the UID off the chip, and every guess can be run offline, with no delays and no wipe. This is a method Edward Snowden suggested at a recent talk.

Why it could work: We know this could work in theory, and this sort of chip-hacking has been done in the past to access data.

Why it probably won’t work: The FBI would need to strip the chip’s encapsulation with acid before it could even begin searching the die for the key. This method carries an extremely high risk: a tiny mistake — a drop too much acid, or a beam pointed a smidge in the wrong direction — could destroy the phone, rendering the data inaccessible.

As security researcher Jonathan Zdziarski noted, the FBI won’t be able to continue the court case against Apple if it uses this method and ruins the phone.
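Theories 1 and 2 above are really two ways of beating the same protection, so here is a small Python model of both, as an added illustration that is not part of the original article and not Apple’s or Zdziarski’s code. Everything in it is constructed: the `Device`, `Nand` and `derive_check` names are hypothetical, HMAC stands in for the AES-based tangling of passcode and UID that the real phone does, and only the wipe threshold is modelled, not the escalating delays. It shows that naive guessing loses the data on the tenth miss, that rewriting the pristine NAND image before that point makes guesses unlimited while still costing device time, and that a leaked UID moves the whole search off the phone.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Toy model of the passcode protection on a pre-Secure-Enclave iPhone such as
# the 5c. Constructed for illustration, not Apple's implementation: the real
# device tangles the passcode with the UID inside the AES engine; HMAC stands
# in for that here.
WIPE_AFTER = 10        # failed attempts before the device erases its keys
KDF_ITERATIONS = 200   # stands in for the fixed per-guess cost of the real key derivation


def derive_check(uid: bytes, passcode: str, salt: bytes) -> bytes:
    """Passcode -> stretched key -> tangled with the UID -> check value stored in NAND."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)
    tangled = hmac.new(uid, stretched, hashlib.sha256).digest()
    return hmac.new(tangled, b"class-key-check", hashlib.sha256).digest()


class Nand:
    """Flash contents: what a chip programmer dumps to a file and can write back."""

    def __init__(self, salt: bytes, check: bytes, failed: int = 0, wiped: bool = False):
        self.salt, self.check, self.failed, self.wiped = salt, check, failed, wiped

    def copy(self) -> "Nand":
        return Nand(self.salt, self.check, self.failed, self.wiped)


class Device:
    """Owns the UID, which never leaves the silicon, so only the device can score a guess."""

    def __init__(self, passcode: str):
        self.uid = secrets.token_bytes(32)
        salt = os.urandom(16)
        self.nand = Nand(salt, derive_check(self.uid, passcode, salt))

    def try_passcode(self, passcode: str) -> bool:
        n = self.nand
        if n.wiped:
            return False
        if hmac.compare_digest(derive_check(self.uid, passcode, n.salt), n.check):
            n.failed = 0
            return True
        n.failed += 1
        if n.failed >= WIPE_AFTER:      # the wipe policy fires: keys gone for good
            n.wiped, n.check = True, b""
        return False


def brute_force_plain(device: Device, space) -> Optional[str]:
    """Naive guessing: the tenth wrong answer destroys the data."""
    for pin in space:
        if device.try_passcode(pin):
            return pin
    return None


def brute_force_nand_mirroring(device: Device, space) -> Optional[str]:
    """Theory 1, the save-game attack: rewrite the pristine image before the wipe
    threshold. Guesses become unlimited, but each one still runs on the device,
    so throughput is bounded by the device's own key-derivation time."""
    pristine = device.nand.copy()                 # the dump taken before any guessing
    for pin in space:
        if device.nand.failed >= WIPE_AFTER - 1:
            device.nand = pristine.copy()         # counter back to zero, keys intact
        if device.try_passcode(pin):
            return pin
    return None


def brute_force_offline(uid: bytes, image: Nand, space) -> Optional[str]:
    """Theory 2: with the UID read out of the chip, guessing never touches the
    device, so neither the wipe counter nor the per-guess delay applies."""
    for pin in space:
        if hmac.compare_digest(derive_check(uid, pin, image.salt), image.check):
            return pin
    return None


PIN_SPACE = [f"{i:04d}" for i in range(10000)]   # every four-digit PIN, in order

if __name__ == "__main__":
    print(brute_force_plain(Device("2580"), PIN_SPACE))             # None: wiped after 10 tries
    print(brute_force_nand_mirroring(Device("2580"), PIN_SPACE))    # 2580
    leaked = Device("2580")
    print(brute_force_offline(leaked.uid, leaked.nand.copy(), PIN_SPACE))   # 2580
```

The mirroring loop restores the image one guess before the threshold rather than after a wipe, because a real wipe erases the key material the image is meant to protect; the dump has to be taken before the first guess for the same reason. Note that `brute_force_offline` never calls `try_passcode` at all, which is the whole appeal of theory 2 and why the UID is worth the risk of a decapped chip.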

3) The NSA is unlocking the phone

The FBI hasn’t directly answered an obvious question during this fight: Why didn’t it just ask the NSA? FBI Director James Comey told Congress the NSA was not helping. But he’s also a clown and didn’t specify why the NSA wasn’t helping.

There’s a good reason why the FBI might not ask the NSA: It is advantageous to the FBI to set a legal precedent here by forcing Apple to cooperate. If the FBI had won this fight, it would have had a strong precedent for conscripting tech companies to assist in dismantling their security in the future. That said — what if the NSA did help?

Why it could work: The National Security Agency has a long history of investigating workarounds for Apple’s security measures, and has the most sophisticated and aggressive tactics for intercepting data of any agency in the world. Even former White House officials have argued that it could probably get the data off the phone.

Why it probably won’t work: As I mentioned, this route isn’t as appealing to the FBI. Also, the court brief reference to a “third party” indicates that it’s not a government agency providing the method.

4) John McAfee is unlocking the phone

Antivirus entrepreneur and libertarian goon John McAfee offered to unlock the phone with his team by using “social engineering”. He estimated that it would take three weeks.

Why it could work: lol

Why it probably won’t work: John McAfee is an addled, attention-starved wash-up who spouts nonsense frequently, and there is no evidence that he has anything remotely resembling a viable method for retrieving the data from a locked iPhone.

Of course, we don’t know which route the FBI is taking. These are all hypotheses — some ridiculous, some less so. Another hypothesis is that the FBI realised it had a dud case for precedent and accepted a flimsy offer so it could back out of a losing battle. Then again, if that were the case, why ask for a postponement instead of dropping it outright? This is still a mess of a situation, and we may have to wait until the hearing actually happens to find out what’s on the US government’s roadmap.

Image: AP