The FBI missed a trick to hack the San Bernardino iPhone

A researcher proved he can bypass the protection chip.

The FBI told Congress it couldn't hack the San Bernardino shooter's phone without Apple's aid, but a researcher has proved that claim was inaccurate. "The process does not require any expensive and sophisticated equipment," wrote University of Cambridge researcher Sergei Skorobogatov. "All needed parts are low cost and were obtained from local electronics distributors."

Security firm Trail of Bits argued earlier this year that it would be possible to replace the iPhone firmware with a chip that doesn't block multiple password attempts. You could then try every single one until you're in, a process that would take less than a day with a four-digit code, and a few weeks with a six-digit one.

Despite government comments about feasibility of the NAND mirroring for iPhone 5c it was now proved to be fully working.

That's not to say it didn't require some know-how. It's dead easy to brute-force a password using special devices that tap every single possible code. The problem is that the iPhone firmware blocks any attempts to enter more than four codes, and can wipe the entire phone after 10 failed attempts.

The FBI claimed that Trail of Bits' system wouldn't work, but Skorobogatov proved otherwise. Removing the NAND is the trickiest part -- a thin-blade knife and temperature over 300 degrees Celcius (572 degrees F) is needed to loosen the epoxy holding the chip in place. Special care must be taken to not damage it permanently.

From there, he created an exact backup of the NAND's virgin state and copied it to a special test board. After six password attempts (which sets off a one minute delay) the NAND backup is restored. That allows six fresh passwords to be tried every 90 seconds, so it takes about 40 hours to try all 1,667 combinations and crack a four-digit code.

Skorobogatov's system is just a proof of concept, but it wouldn't be difficult to build a fully automatic emulator that could reliably crack a passcode. "Despite government comments about feasibility of the NAND mirroring for iPhone 5c it was now proved to be fully working," the paper says.

That again lends credence to FBI critics who said that the FBI was only pushing for Apple's assistance to create a precedent in court. A magistrate judge ruled against Apple, so law enforcement could use that decision to make other companies cooperate in encryption cases. After withering criticism from Congress, however, it eventually dropped the case, saying it had figured out how to hack the iPhone itself. It's now believed the FBI was aided by Israel's Cellebrite, according to Tel Aviv daily Yedioth Ahronoth.

Researcher Matthew Green told Wired that the FBI may have had legitimate concerns about frying the NAND chip when removing it. However, Skorobogatov maintains that even an experienced iPhone repair tech could do what he did. "The more chips you de-solder, the more experienced you become," he says. "If one researcher can accomplish this relatively quickly, I would think a team of FBI forensics experts with the right hardware and resources could do it even faster."