The FBI made headlines when it paid security contractors an estimated $1.3 million to unlock an iPhone 5C last year, but as it turns out, bypassing the security on Apple’s top-of-the-line headset doesn’t necessarily require a truckload of money — or the expertise of one of the world’s largest law enforcement agencies. A U.K.-based computer scientist demonstrated an exploit that requires no more than $100 worth of off-the-shelf equipment… and plenty of patience.
In a YouTube video posted Monday morning, Cambridge University’s Dr. Sergei Skorobogatov, a Russian senior research associate, said he’d successfully designed a hardware backdoor that allows any user to bypass the iPhone’s PIN security. Normally, iOS limits the number of incorrect PIN entries to six before locking for incrementally longer periods of time, but Skorobogatov’s solution allows a theoretically unlimited number of attempts. “I can repeat the process many many times until the passcode is found,” he said.
Related: India says it has a mobile forensics tool that can ‘handle’ iPhone encryption
The exploit leverages vulnerabilities within the iPhone’s Nand, the chip responsible for the phone’s internal storage. Dr. Skorobogatov modified a target iPhone to accept chips from an external motherboard. He then detached the old Nand module, used off-the-shelf hardware components to digitally mirror the files it contained, and copied the resulting “clone” to a fresh chip. The iPhone couldn’t tell the difference — and after Skorobogatov seated and rewired the new chip in the phone’s board, the PIN attempt attempt counter reset to zero.
From that point, guessing the PIN is a trivial, albeit arduous, process. Dr. Skorobogatov said that a four-digit PIN took about 40 hours, and that a six-digit pin could potentially take hundreds of hours.
It’s not a holistic exploit. Dr. Skorobogatov said that iPhones newer than the iPhone 6 Plus would require a “more sophisticated” set-up — newer methods of encryption could make it “more challenging to analyse and copy,” he said. And Dr. Skorobagatov said that in fringe cases, the process could require “an advanced team of researchers” to undertake successfully. But other iOS devices are likely vulnerable. “iPads use very similar hardware, hence models which are based on A6 SoC or previous generations should be possible to attack,” Dr. Skorobogatov said. “Newer versions will require further testing.”
Related: FBI can still hack other iPhone 5C models on iOS 9, paid under $1 million for technique
Dr. Skorobogatov’s work seems to contradict statements made by FBI Director James Comey. In March, he told press that Nand vulnerabilities “[wouldn’t] work” on the iPhone 5C the bureau was targeting.
But it’s not the first time the veracity of the FBI’s claim has come into question. In May, the Los Angeles Police Department managed to break into a locked iPhone 5S. And the Indian government claims it has a mobile forensics tool that can “[handle] smartphones including Apple phones.”
The FBI’s analysis of an iPhone 5C owned by Syed Farook, one of two shooters who perpetrated an attack in San Bernardino, California that left 14 people dead, made global headlines when the agency mounted legal action against Apple. It sought a court order requiring the Cupertino company to create a tool to bypass the iPhone 5C’s PIN protection.
Related: WhatsApp Encryption is affecting FBI’s work in “huge ways”
Apple argued that such a backdoor would pose an omnipresent threat to the “privacy” and “security” of its customers — a sentiment echoed by hundreds of tech companies, privacy advocates, and human rights groups, as well as legal, tech, cryptology, and cybersecurity experts.
The FBI dropped its case after a team of anonymous hackers demonstrated a successful bypass of the phone’s security, but not before publicly condemning encryption technologies like those employed on Apple’s iOS devices. “[It’s the] essential tradecraft” of terrorists like the Islamic State, Comey told Reuters in July. He singled out WhatsApp, a messaging platform that enabled secured messaging and calling by default, as a platform “affecting the criminal work (of the FBI) in huge ways.”
In September, a group of publishers including the Associated Press, Vice Media, and Gannett Media, filed a freedom of information lawsuit against the FBI for failing to disclose the vulnerability — and consultants — it used in bypassing the iPhone 5C’s security. The case is currently pending before a circuit court judge.