When the FBI was still demanding Apple’s help to access a work iPhone used by one of the San Bernardino killers, security firm Trail of Bits wrote a blog post claiming that the phone could be accessed without Apple’s assistance. A Cambridge University researcher has now successfully demonstrated that the method proposed would have worked.
Essentially, it argued that you could bypass the passcode time-outs by overwriting the firmware between attempts. The FBI claimed at the time that this wouldn’t work, but Sergei Skorobogatov has proven that the method works using only commonly-available low-cost parts.
This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c.
The paper he wrote is backed by a video demonstration, seen below.
The proof of concept relies on entering passcodes manually, but this setup could be fairly easily combined with existing devices that enter sequential passcodes electronically.
A third-party company eventually proved able to access the device without cooperation from Apple, likely using a similar approach. Other law enforcement agencies were also able to access iPhones during the time the FBI had claimed that it was impossible.