Tuesday, March 22, 2016

The FBI's Hack On The Apple Phone Probably Won't be Described as 'Elegant'

My Take on FBI’s “Alternative” Method
FBI acknowledged today that there “appears” to be an alternative way into Farook’s iPhone 5c – something that experts have been shouting for weeks now; in fact, we’ve been saying there are several viable methods. Before I get into which method I think is being used here, here are some possibilities of other viable methods and why I don’t think they’re part of the solution being utilized:
  • A destructive method, such as de-capping or deconstruction of the microprocessor would preclude FBI from being able to come back in two weeks to continue proceedings against Apple. Once the phone is destroyed, there’s very little Apple can do with it. Apple cannot repair a destroyed processor without losing the UID key in the process. De-capping, acid and lasers, and other similar techniques are likely out. [see below]
  • We know the FBI hasn’t been reaching out to independent researchers, and so this likely isn’t some fly-by-night jailbreak exploit out of left field. If respected security researchers can’t talk to FBI, there’s no way a jailbreak crew is going to be allowed to either.
  • An NSA 0-day is likely also out, as the court briefs suggested the technique came from outside USG.
  • While it is possible that an outside firm has developed an exploit payload using a zero-day, or one of the dozens of code execution vulnerabilities published by Apple in patch releases, this likely wouldn’t take two weeks to verify, and the FBI wouldn’t stop a full court press (literally) against Apple unless the technique had been reported to have worked. A few test devices running the same firmware could easily determine such an attack would work, within perhaps hours. A software exploit would also be electronically transmittable, something that an outside firm could literally email to the FBI. Even if that two weeks accounted for travel, you still don’t need anywhere near this amount of time to demonstrate an exploit. It’s possible the two weeks could be for meetings, red tape, negotiating price, and so on, but the brief suggested that the two weeks was for verification, and not all of the other bureaucracy that comes after.
  • This likely has nothing to do with getting intel about the passcode or reviewing security camera footage to find Farook typing it in at a cafe; the FBI is uncertain about the method being used and needs to verify it. They wouldn’t go through this process if they believed they already had the passcode in their possession, unless it was for fasting and prayer to hope it worked.......MUCH MORE
See also BGR (you may know them from Boy Genius at Engadget):

Here’s how the FBI might crack the San Bernardino iPhone
It’s actually pretty scary that the FBI openly acknowledged that there may be a way to hack any iPhone and throw encryption right out the window. But that’s exactly what the U.S. government did on Monday night. It told the world, and Apple, that a third-party can do what the FBI can’t and what Apple refuses: Break into an iPhone that was recovered from one of the San Bernardino shooters and is protected by a PIN. 
Any iPhone is encrypted as long as it’s protected by a PIN, password or fingerprint. That’s the obstacle that’s preventing the FBI from getting into the iPhone in question, an obstacle that the NSA is suspected of being able to bypass, though the agency isn’t cooperating with the FBI on this matter. 
So how will this unknown third party crack the iPhone 5c for the FBI? There are several theories out there about how this can be done, and here are the more plausible ones. 
A tale of acid and lasers 
As Ars Technica pointed out a few weeks ago, the FBI could dismantle the iPhone 5c in question. Then, with the help of acid and lasers, the Bureau would remove the outer layers of the iPhone’s processor and read the embedded ID, which is unique for each chip. 
Once the ID is known, you can simply copy the encrypted storage to a different computer and use a brute force attack to attempt all PIN variations until you get the right combination. 
This method is dangerous, as it can physically destroy the processor. If that were to happen, the data stored on the device would be gone for good. 
A monster jailbreak 
The same site also proposed a different theory: jailbreaking the iPhone 5c. If a third-party company has found a secret bug inside SecureROM, the software that’s baked into the iPhone’s hardware and that is responsible for verifying that the device runs a genuine iOS version, then it could load custom software to bypass the PIN protection....MORE
Thanks to some bright young computer folks, we had the Ars Technica piece on Feb. 22:
"How the FBI Could Use Acid and Lasers to Access Data Stored on Seized iPhone"
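To make concrete why both Zdziarski's first bullet (a destroyed processor loses the UID, and with it the data) and BGR's "acid and lasers" section (read the UID, image the storage, brute force the PIN offline) hinge on the same chip secret, here is an added example. It is not code from Zdziarski, BGR, Ars Technica, Apple or the FBI; it models the design described in Apple's iOS Security Guide, where the passcode is tangled with the per-chip UID through an iterated derivation before it can unwrap file keys. PBKDF2-HMAC-SHA256 stands in for the real AES-engine derivation, the HMAC-based key wrap stands in for AES key wrapping, and the UID, PIN and file key values are constructed for the demonstration; all of those are assumptions, not Apple's actual parameters.

```python
"""Why extracting an iPhone's UID turns PIN guessing into an offline search.

Constructed model, not Apple's code and not the FBI's method. Apple's
design tangles the passcode with the per-chip UID through an iterated
derivation run inside the AES engine; here PBKDF2-HMAC-SHA256 stands in
for that (an assumption), a toy HMAC-based wrap stands in for AES key
wrapping, and the UID, PIN and file key below are made-up test values.
"""
import hashlib
import hmac
import itertools
import time

ITERATIONS = 500  # stand-in for Apple's ~80 ms-per-guess calibration (assumption)

# Constructed values: a 256-bit "UID" as if read off the de-capped chip, and a file key.
UID = bytes.fromhex("5f1e3c9a7b2d4e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f607182930a4b")
FILE_KEY = bytes(range(32))
PIN = "1337"


def derive_passcode_key(pin: str, uid: bytes, iterations: int = ITERATIONS) -> bytes:
    """Tangle the PIN with the UID. Without the UID the output cannot be
    reproduced, so the derivation can only run on the device (rate-limited,
    with the optional 10-try wipe) unless the UID has been extracted."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), uid, iterations, dklen=32)


def wrap_key(kek: bytes, file_key: bytes) -> bytes:
    """Toy authenticated wrap: keystream XOR plus a 16-byte tag (not AES key wrap)."""
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(file_key, stream))
    tag = hmac.new(kek, ct, hashlib.sha256).digest()[:16]
    return ct + tag


def unwrap_key(kek: bytes, blob: bytes):
    """Return the file key, or None if the tag does not verify (wrong PIN or wrong UID)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest()[:16], tag):
        return None
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def brute_force_pin(blob: bytes, uid: bytes, digits: int = 4):
    """Offline search over every numeric PIN of the given length against a
    copied storage image. Returns (pin, file_key, attempts) or (None, None, attempts)."""
    attempts = 0
    for digit_tuple in itertools.product("0123456789", repeat=digits):
        pin = "".join(digit_tuple)
        attempts += 1
        file_key = unwrap_key(derive_passcode_key(pin, uid), blob)
        if file_key is not None:
            return pin, file_key, attempts
    return None, None, attempts


def make_locked_blob(pin: str = PIN, uid: bytes = UID, file_key: bytes = FILE_KEY) -> bytes:
    """What a copy of the encrypted storage contributes: the wrapped file key."""
    return wrap_key(derive_passcode_key(pin, uid), file_key)


if __name__ == "__main__":
    blob = make_locked_blob()
    start = time.perf_counter()
    pin, key, attempts = brute_force_pin(blob, UID)
    elapsed = time.perf_counter() - start
    print(f"UID known: PIN {pin} recovered after {attempts} guesses in {elapsed:.2f}s "
          f"({attempts / elapsed:.0f} guesses/s, no wipe counter in the way)")
    # A UID from a different chip (a donor or repaired processor) unwraps nothing,
    # which is why a destroyed processor means the data is gone for good.
    wrong_uid = bytes(b ^ 0xFF for b in UID)
    print("Wrong UID:", brute_force_pin(blob, wrong_uid, digits=3))
```

The search is only 10^4 candidates because the PIN is four digits; the UID is what forces every one of those guesses through the phone's own rate-limited hardware. Once it is known the whole search moves to a workstation, and once it is lost (the chip destroyed, or replaced by Apple during a repair) no amount of guessing, with or without Apple's help, can reproduce the passcode key.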