back to article FBI overpaid $999,900 to crack San Bernardino iPhone 5c password

University of Cambridge senior research associate Sergei Skorobogatov has laid waste to United States Federal Bureau of Intelligence (FBI) assertions about iPhone security by demonstrating password bypassing using a $100 NAND mirroring rig. FBI director James Comey made the claim during the agency's bid to defeat the password …

  1. Voland's right hand Silver badge

    You are missing the point

    The 1M was paid not because it costs that much and not because it was needed. It was paid for political reasons - so that the figure can be waved in front of conservative politicos as a part of James Comey private war on encryption. See, it costs us this much for just one phone.

    1. MrDamage Silver badge

      Re: You are missing the point

      But at least now the politicians with enough neurons to rub together to form a synapse can counter that claim.

      James Conmanmey will have to reach even further up his cloaca and extract a scary figure.

      1. Jamie Jones Silver badge
        Happy

        Re: You are missing the point

        But at least now the politicians with enough neurons to rub together to form a synapse can counter that claim.

        Do you realise what you're saying there?

    2. Ian Michael Gumby
      Boffin

      @Voland ...Re: You are missing the point

      No. Sorry. Not true... Use Occam's Razor...

      1) You remember the joke/story about the old engineer who charged 10K to fix an assembly line?

      2) If you don't know the solution and you can assess the value of the solution... if the price to solve the problem is less than the value, you pay it.

      Occam's Razor, this is the simplest solution. The FBI didn't have a clue on what to do, and the options... were too risky... they paid the $$$ because the potential value found on the phone was worth more.

      The other issue... there is a lot of risk in desoldering the chip, especially since you only have one chip to work with. You have to balance that risk against alternatives... like software hacking.

      1. nepenthe

        Re: @Voland ...You are missing the point

        Except your simple solution assumes the FBI has no in-house expertise on digital storage forensics, nor has any external connections to whom they could go to for advice. This is not logical or reasonable for the FBI.

        1. Robert Helpmann??
          Childcatcher

          Re: @Voland ...You are missing the point

          Except your simple solution assumes the FBI has no in-house expertise on digital storage forensics...

          As to this, the FBI has been having a difficult time hiring and retaining people who do this exact sort of work. This has been well covered, both here on El Reg and in other media outlets. They seem to want to get people with the skill set needed to do this kind of work to do so at government worker wages instead of the much high amounts they can get working as contractors or in private industry.

        2. Ian Michael Gumby
          Boffin

          @Nepenthe Re: @Voland ...You are missing the point

          Sorry, no.

          The in house 'expertise' is limited.

          Unlike TV in house expertise tend to be more 'Jack of all trades, and master of some'. When you need deeper technical expertise in a specific area, you hire outside staff.

          Going for unpaid advice is one thing. Going for advice where you have a high risk and a short time period is another. That's why they went to that company.

          While at client sites, I routinely am asked to look over the shoulders of their in house expertise (software architects). I either bless their design, or I tweak it. Sometimes I tell them to start from scratch and give them a high level view of a solution that fits. I am that paid voice who gives them the expert opinion.

      2. GrapeBunch

        Re: @Voland ...You are missing the point

        'they paid the $$$ because the potential value found on the phone was worth more.'

        We need an acronym for that. May I suggest SWSSNSS

        Sure wuz some 'spensive naked sleb shots

        being what we dream they found-but-will-never-tell-us.

        That's pronounced 'Swiss Niss'.

      3. rtb61

        Re: @Voland ...You are missing the point

        Dude seriously, dangerous to desolder chip, WTF?, oh my God, we can not make any electronics the danger of soldering chips. No current, no change in chip, don't even need to desolder it, just cut the tracks on the board on the chip connections and hook in, in place, oh gees, if you are a really worry wart, practice on a couple of phones first.

        So not only did they purposefully ramp up the cost, but why did that particular company get a million dollars for fuck all, why and what was the payback.

        1. FIA Silver badge

          Re: @Voland ...You are missing the point

          Dude seriously, dangerous to desolder chip, WTF?, oh my God, we can not make any electronics the danger of soldering chips. No current, no change in chip, don't even need to desolder it, just cut the tracks on the board on the chip connections and hook in, in place, oh gees, if you are a really worry wart, practice on a couple of phones first.

          Most surface mount components aren't designed to be removed once installed, and can quite easily be damaged by too much heat. Whilst it's well within the skills of any decent electronics engineer it's not something that an unskilled person should be attempting.

          It's not really a case of being a 'worry wart', this is a piece of evidence in an ongoing investigation; presumably of high enough focus that this level of effort is warranted, you really don't want to screw it up.

          Also, given that this was a 'suspects' phone what's the procedure assuming they're found innocent? "...oh... yeah... we destroyed your phone with all your personal info and photo's on... erm... sorry about that...."?

          1. Bob Dole (tm)

            Re: @FIA...You are missing the point

            >>Also, given that this was a 'suspects' phone what's the procedure assuming they're found innocent?

            The suspect in that case was already dead. I don't think loss of photos was high on the priority list of the recently deceased.

          2. Alan Brown Silver badge

            Re: @Voland ...You are missing the point

            > Also, given that this was a 'suspects' phone what's the procedure assuming they're found innocent? "...oh... yeah... we destroyed your phone with all your personal info and photo's on... erm... sorry about that...."?

            "Perhaps you should have given us the password after all - and here are some charges for interfering with an investigation"

        2. razorfishsl

          Re: @Voland ...You are missing the point

          Seriously you know FA about this sort of electronics........

          " just cut the tracks on the board on the chip connections and hook in, in place"

          The fact that this is a multi layer board with many of the device tracks unavailable precludes this option.

          I built my own kit from Ebay scrap, to handle nand-flash extraction going so far as to be able to "emulate" a nand chip interface and internal workings (research on write blockers), but this apple chip is something special and is not a true "Nand-flash" device.

          I have also seen "secret" undocumented operational modes even on "standard" Nand-flash chips.

      4. I am the liquor

        @ Ian Michael Gumby

        The last point you made about soldering is a bit of an irrelevance, but your first two points are accurate I think. $1m not for pressing a button, but for knowing which button to press; and because $1m is less than the cost of a legal battle with Apple.

        To say this new method is a $100 attack rather undervalues Mr Skorobogatov's 4 months of work to achieve it, not to mention the level of prior expertise he must have achieved to even embark on it.

      5. Anonymous Coward
        Anonymous Coward

        Re: @Voland ...You are missing the point

        Just out of interest, what is the old joke/story about the engineer?

      6. kbro

        Re: @Voland ...You are missing the point

        Only one chip to work with? Go to the Apple Store and get some kit to experiment on. Or eBay.

  2. John Smith 19 Gold badge
    Big Brother

    So probably known to TLA's within a week of it's launch?

    For the conspiracy minded the load leveling "bug" isn't a design flaw.

    1. Dave 126

      Re: So probably known to TLA's within a week of it's launch?

      Eh? Wouldn't the possible bug in the wear levelling algorithm be a reliability issue, not a security issue?

      I know that it isn't in the nature of conspiracy-minded folk to read the source material closely, but still...

      1. Anonymous Coward
        Anonymous Coward

        Re: So probably known to TLA's within a week of it's launch?

        The conspiracy minded may think the wear levelling issue isnt a bug...they may think this is a part of the planned obsolesence strategy.

  3. tom dial Silver badge

    The drift of the article seems to be that the cost of developing the attack, which evidently took Skorobogatov quite a few man hours of what seems to be highly skilled analysis and electronic technician work should be ignored because the result can be replicated for a small amount going forward. That is somewhat like saying the design, development, engineering, and testing investment in a SOC should be ignored when setting a sale price for the end product, even if the projected demand is for only a few thousand units.

    1. Anonymous Coward
      Anonymous Coward

      That is somewhat like saying the design, development, engineering, and testing investment in a SOC should be ignored when setting a sale price for the end product, even if the projected demand is for only a few thousand units.

      Definitely, and it also attempts to ignore the actual reasons for the costs (as @Volant's right hand has already pointed out): jacking up next year's budget and the cost of defying the FBI (because you can count on that number appearing in Court again as soon as a supplier does the same as Apple and says "no" to attempts to pressure to get Yet Another Backdoor in place).

      However, the extrapolation The attacks could also work against iPhone 6 with more sophisticated hardware, Skorobogatov says. is IMHO not yet proven. By cloning the NAND it allowed the bypass of a keyspace that was only 9999 spaces deep (standard PINcode), which then gave access to the main encrypted space, but as far as I understand from the details that have been floating around, later iDevices don't have external NAND to store that data, it's held in-chip.

      It depends on the chip how safe later devices are against such an attack. I know that all chips had to succumb to the weird thinness fetish that also makes batteries only last for a few phone calls, so I suspect they won't have the top wire cage embedded that some Atmel chips have to prevent access through chip shaving, but maybe this attack may make that worth implementing (and give me an extra mm worth of battery, much appreciated, ta). You could even go fully evil here and make it power dependent: you pull the power, it dies. That stops removal from the phone, but at the same time you could implement a self destruct if you detect anything funny with the cage or incoming connections.

      It's all a matter of balance of costs/effort versus perceived risk - I still think that a mobile phone is a pretty poor bit of evidence. If you need to convict people because of the contents of their phone you really ought to shore up your evidence gathering IMHO. It's too fragile.

      1. John H Woods Silver badge

        Fragile evidence...

        IANALBIPOOTI and think that evidence obtained by cracking my client's device is clearly proof that its security can be bypassed. And, therefore, there must be at least the possibility that material could have been placed on the device (before it became protected evidence) by someone other than my client...

        1. Anonymous Coward
          Anonymous Coward

          Re: Fragile evidence...

          OK, I'll bite: IANALBIPOOTI?

          I got as far as I Am Not A Lawyer But I ..

          1. Tom 38

            Re: Fragile evidence...

            OK, I'll bite: IANALBIPOOTI?

            I got as far as I Am Not A Lawyer But I

            Play One On TV

            Although I'm not sure about the final I..

            1. Pascal

              Re: Fragile evidence...

              ... but I play one on the internet.

          2. Prst. V.Jeltz Silver badge

            "OK, I'll bite: IANALBIPOOTI?"

            sounds like one of the aliens from

            "The Adventures of Buckaroo Banzai Across the 8th Dimension "

          3. Just Enough

            Re: Fragile evidence...

            I Am Not A Lawyer But I Play One On The Internet.

          4. Professor Clifton Shallot

            Re: Fragile evidence...

            Play One On The Internet?

          5. This post has been deleted by its author

          6. Frumious Bandersnatch

            Re: Fragile evidence...

            ... but I play one on the Internet

            trivial change to "but I play one on TV"

            1. GrapeBunch

              Re: Fragile evidence...

              ----- ... but I play one on the Internet

              trivial change to "but I play one on TV" -----

              That trivial change is worth almost a million bux. HIHWW.

              Hyperbole Is How the World Works, y'all.

          7. Jeffrey Nonken

            Re: Fragile evidence...

            "OK, I'll bite: IANALBIPOOTI?

            I got as far as I Am Not A Lawyer But I .."

            ...stayed at a Holiday Inn last night?

            ...Damn. No, but close!

        2. Uffish

          Re: Fragile evidence...

          ... hence the 'price' of $1M on the FBI crack. "No-one else could have cracked the phone m'lud, it cost the FBI $1M to get a solution ..." Now of course the defence lawyer will say "Anyone could have cracked the phone m'lud, the solution only costs about $100".

          The FBI has about $999,900 worth of egg on its face.

      2. Tom_

        I think in this case they weren't looking to use evidence on the phone to convict people so much as to identify other connected suspects. Presumably in order to prevent further crime. If they could determine who else was involved then they could probably use other evidence to get convictions, through searching those other suspect's homes etc.

    2. Dave 126

      >The drift of the article seems to be that the cost of developing the attack, which evidently took Skorobogatov quite a few man hours of what seems to be highly skilled analysis and electronic technician work should be ignored

      Nah, the gist of the article wasn't that the cost be ignored, but that it wasn't $1,000,000. Four months of part time work by the skilled technician would be in the tens of thousands of dollars, not hundreds of thousands.

      1. Phil Koenig

        Except the little fact that the article author claims that the FBI overpaid by "$999,900" - valuing the amateur hacker's work at exactly $100. (In fact, valuing their labor at "zero", and only accounting for their out of pocket cost for hardware. Which is uhh, rather sensationalist.)

        All that said: I'm no apologist for the FBI, or Comey in particular who I think is a lying/deceptive piece of sh.... But the premise of the article doesn't "prove" that the FBI overpaid "$999,900". (See my previous comment)

        They probably overpaid, and overpaid by a lot, and trumped-up the figure to make headlines. But they could not have done it in a proper way for $100, either.

        It's also telling that we never heard a peep from the FBI later about what they had actually found on the device - which likely corroborates the opinion of various people who said prior to the hack being announced that it was highly unlikely that there was anything of value on the phone anyway. (It was his work phone, he already destroyed his personal phone.)

        1. Ian Michael Gumby
          Boffin

          @Phil Koenig

          "

          They probably overpaid, and overpaid by a lot, and trumped-up the figure to make headlines. But they could not have done it in a proper way for $100, either.

          "

          What exactly did the FBI pay for when they hired this company to crack the phone?

          I mean how many PhDs helped design the tool set used. (This was an in house developed system)

          How much for the guy who's using it and doing the work?

          Compute time on hardware that is custom designed? (Even with COTS hardware there is always some tweaking)

          All of this is part of the cost.

          And again, there is a time value to the solution. Could the FBI and NSA build a comparable solution?

          Sure, but it would take N months of X man years of resources, plus the hardware...

          And that's why you see the $$$$ being charged. Because they can do the following:

          1) Show value

          2) Cheaper than the alternative

          3) Have a solution in place

          4) If they failed, there was always a riskier plan B of pulling the chip.

      2. Only me!

        True, but then you have to pay the FBI lot for handing the phone over, management, the PR team, the management of the consultancy firm, the mangers, directors, coffee makers.....then finally some who knows some stuff, but knows more people that know more stuff, the people to review what was found (or not) and after more stuff someone went to purchase some electronics, which the people that know what they are doing can use to crack it.

        Must be somewhere between £100 and $1,000,000 project!

        Lawyers...fees are also added, to all of the above, because they are as cheap as chips....

      3. tom dial Silver badge

        I think we can assume that Skorobogatov was not represented in the market as seen by US federal agencies, and that those who were charged a good deal. $1MM still seems high, but four months of part time work clearly understated the overall cost to him, as it skips by the fact that as a senior research associate he undoubtedly had considerable relevant background knowledge before starting. And in any case, four months of part time work for hire by anyone certainly would be much costlier than the $100 stated in the article as the cost of the hardware Skorobogatov used.

      4. Roland6 Silver badge

        Nah, the gist of the article wasn't that the cost be ignored, but that it wasn't $1,000,000.

        I would expect the cost to be less than the sale price - basic principle of business; the only question is just how much less than the final sale price...

    3. Just Enough

      raw material cost != final market price

      The suggestion that raw material cost = final market price is, of course, utter nonsense.

      The developers of this hack are free to price their service at whatever level they think people will pay for it. The costs in research, development time, specialist knowledge and raw material is only your starting point, not your final price.

      Raw materials - $100

      Knowing what to do - $199,900

      Being the only ones who won't mess it up - $300,000

      Profit mark up just because we know you'll pay it - $500,000

      1. Anonymous Coward
        Anonymous Coward

        Re: raw material cost != final market price

        Raw materials - $100

        Knowing what to do - $199,900

        Being the only ones who won't mess it up - $300,000

        Profit mark up just because we know you'll pay it - $500,00

        ... telling Apple you no longer need their help - priceless

    4. Chris Evans

      Now there is no need to reinvent the wheel.

      1st Phone expensive to do. 2nd and subsequent much cheaper.

      Yes there was significant time and equipment used to get to the point of being able get at the NAND chip outside of the phone, but now that he has done it. Another phone could similarly have its NAND removed and read comparative easily and I'm sure there are companies who regularly remove such chips without damaging them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Now there is no need to reinvent the wheel.

        "and I'm sure there are companies who regularly remove such chips without damaging them."

        I am told there are plenty of little shops in China who will upgrade your iPhone by swapping out the NAND for a bigger one and simply reflashing the image. Probably not as fast as the original but with no SD card and expensive data the increased capacity may be worth the effort.

        1. Ian Michael Gumby

          Re: Now there is no need to reinvent the wheel.

          Sorry, but when you have a single phone, and if you burn out the chip the data is lost then you are screwed.

          In your example, you removed the old NAND, but is it still functioning 100% of the time? Can you then put it back in too? 100% of the time?

          If not 100% of the time, then you have risk and if you have only one shot... you would want to seek other options.

    5. Anonymous Coward
      Anonymous Coward

      Yeah and it wasn't clear how much time was actually spent. They referenced time and being part time, but didn't give an indication of man hours.

      It wasn't really development though, the guy was just reading about the documented ways to do such a thing. The NAND attack is well known. Just hadn't been tried with this phone, possibly.

  4. Phil Koenig

    Not really comparable

    You can't compare the work of some amateur that values their time and expertise at 'zero' - and who spends months working on the hack, along with probably destroying dozens of phones in the process, to an actual forensic investigation of a highly valuable piece of evidence.

    When you desolder the chip that holds all the memory of the device from the board, there is a huge risk that you damage the chip beyond repair and then everything that might have been on it is lost, whether or not you eventually figure out how to extract data from similar chips.

    1. jzl

      Re: Not really comparable

      "You can't compare the work of some amateur"

      "University of Cambridge senior research associate Sergei Skorobogatov"

      Not so amateur. Besides, the headline was clearly classic Register. Don't take the headlines seriously round here.

      1. Dave 126

        Re: Not really comparable

        He wasn't an amateur. However, his own PDF does note that removing the NAND still carries a risk of data loss (Presumably a risk that can be made smaller by practice and refinement of technique):

        "It would be beneficial to develop a safer way of removing the NAND Flash chip from the main board, or a

        way of reading out the NAND Flash contents without the need to physically remove it."

      2. Phil Koenig

        Re: Not really comparable

        Re: "Not so amateur"

        What you offer as 'proof' says that he's an academic, not a professional forensic technician.

        As I wrote previously, the constraints of an actual, high-profile forensic investigation of a very high-profile, high-value piece of evidence are vastly different than what a guy tinkering in his home lab (while probably destroying many phones in the process) are under. Has nothing to do with his smarts or abilities, has everything to do with A) being able to guarantee success within a certain timeframe, and B) being able to guarantee that even if he doesn't succeed, he doesn't destroy the evidence in the process.

        For every Skorobogatov that proudly announces he's come up with a successful hack, there are probably at least 100 people that tried and failed. Which one of those 100 should the FBI have hired instead of Cellebrite or whoever they did hire? John McAfee? :D

        And how much was it worth it for them to have an answer in March, rather than waiting 6 months for the tinkerer to come up with a successful hack?

        Skorobogatov claims it took him 4 months, but it's nearly 10 months since the FBI got their hands on Farook's iphone.

        1. John Smith 19 Gold badge
          Meh

          "Skorobogatov claims it took him 4 months, "

          For the first go at the problem.

          Future ones would be a couple of days once he has his technique and tools down.

          1. Fred Flintstone Gold badge

            Re: "Skorobogatov claims it took him 4 months, "

            For the first go at the problem.

            Future ones would be a couple of days once he has his technique and tools down.

            Ah, you may have managed to justify the $1M price tag after all: it's taking into account the number of ruined iPhones in the process to perfection, and even in bulk they don't come cheap.

            :)

            1. MrZoolook

              Re: "Skorobogatov claims it took him 4 months, "

              "Ah, you may have managed to justify the $1M price tag after all: it's taking into account the number of ruined iPhones in the process to perfection, and even in bulk they don't come cheap."

              Indeed, if it wasn't for the 1 damaged iPhone, it really would have cost $100.

              And of course, even manure has its uses.

        2. art guerrilla

          Re: Not really comparable

          *sniff* from my olfactory sampling, you, sir, have the whiff of an authoritarian...

          if the mainstream media won't remind you (and they won't) the feebs (and prosecutors in general) have a piss-poor record of being 'trustworthy' at EVERY STEP of the evidentiary process, from 'losing' evidence, to fraudulent lab results, to voodoo forensic 'science', to withholding exculpatory evidence, to fabricating evidence, to prosecutor-friendly 'experts', etc, etc, etc...

          'question authority' should be the default mode of EVERY concerned citizen...

          1. Phil Koenig

            Re: Not really comparable

            Then you may want to have that olfactory sampler of yours examined for proper function.

            All it would take is a casual look at my comments here over the years (including other ones right here in this thread for you to figure out just how wrong you are about that.

    2. DropBear

      Re: Not really comparable

      "When you desolder the chip that holds all the memory of the device from the board, there is a huge risk that you damage the chip beyond repair"

      HAHAHAHAHAHAHAHA... You're not much into electronics, are you... wait, don't bother answering that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not really comparable

        You're not much into electronics, are you...

        I am, and he's not that wrong. You may have overlooked that it's not just about removing the chip, it's about removing it with its data intact which is quite a few degrees more complicated.

      2. Dave 126

        Re: Not really comparable

        >"When you desolder the chip that holds all the memory of the device from the board, there is a huge risk that you damage the chip beyond repair"

        >>HAHAHAHAHAHAHAHA... You're not much into electronics, are you... wait, don't bother answering that.

        @DropBear The researcher himself acknowledges the risk of damaging the chip when desoldering it. He mentions this under 'Future Work' in his PDF. The magnitude of 'risk' is a function of the consequences, as well as probability.

        1. Jeffrey Nonken

          Re: Not really comparable

          Probability of damaging the chip will go down precipitously with practice and a proper reflow station, but will never reach zero.

        2. DropBear
          WTF?

          Re: Not really comparable

          "The researcher himself acknowledges the risk of damaging the chip when desoldering it."

          Then he's not much into electronics himself either, and I'm fine telling this straight to his face if need be. No, the actual risk is not strictly zero, but it's indistinguishable from it as long as de-soldering is done by a halfway decent technician - and ANY three-letter agency should have people that can do it blindfolded, with their hand tied behind their back, in their sleep, at negligible risk, so future official attempts would be even safer. Same goes for accessing the contents of the flash. As long as you have half a clue of what you're doing (and you have the _datasheet_ of the chip - may or may not be the case here) there should be no risk to speak of. How you decrypt it and what risks exist if you place that memory or a clone of it back into a live phone is an entirely different matter - but woo-wooing up an operation simply called "rework" and routinely performed all the time is a massively pompous hyperbole.

          1. Doctor Syntax Silver badge

            Re: Not really comparable

            "No, the actual risk is not strictly zero"

            And in any case forensic examiners are not miracle workers whatever TV fiction might say. It's the art of the practical. In fact a test which is intended to be non-destructive is by no means the norm. e.g. "I can't show you that particular fibre. It was squashed between two diamond anvils but here's its IR spectrum."

      3. Phil Koenig

        Re: Not really comparable

        I'd say there's a good chance I started soldering electronic things together before you were born, given the demographics of this website.

        So yeah, I'm a total beginner at this stuff.

        The statistical risk of damage to a $10 surface-mount component when attempting to de-solder it from a circuit board is exactly the same whether it's one of a dozen junk phones you are casually tinkering-with in your garage or a key piece of potential evidence in a massive and highly time-sensitive international terrorism investigation where failure is not an option. (Which for some reason you have also been asked to perform in that garage lab of yours)

        But the stakes in the latter are about 1,000,000 times higher. Which is why you don't send such high-value evidence to tinkerers to play around on in their garage lab for 6 months. And the price of such an operation varies accordingly.

  5. Steve Todd

    I'm not sure how he thinks this will work on an iPhone 6

    With the iPhone 5 and earlier the AES key and try count are stored on the flash chip. Reloading that chip with a copy will reset the count of tries. On the iPhone 5S and higher (anything with an A7 or newer) the key information and count are stored on a secure area of the CPU chip. Taking an image of the flash memory will have no effect on retry counts or prevent the key from being erased.

    1. jzl

      Re: I'm not sure how he thinks this will work on an iPhone 6

      I think the point is that he was physically isolating the flash. By doing so, he was able to construct a brute force attack that did not require the rest of the iPhone, so lock-out counts and things were irrelevant.

      1. Steve Todd

        Re: I'm not sure how he thinks this will work on an iPhone 6

        But the key to the data on the flash is maintained in the secure section of the A7 and higher. Once the secure section decides that the maximum number of attempts are reached (it is a separate CPU with limited connection to the main system) it destroys the key and the data is rendered useless. It doesn't matter how many copies of the data you have, the copies still need the AES key in order to read them.

        1. Pseu Donyme

          Re: I'm not sure how he thinks this will work on an iPhone 6

          Um ... as I seem to recall (from the time this was last an issue), the A6 already has the arrangement where a 256-bit constant is baked in the SoC only wired to the internal AES circuits (i.e. no direct software access). This means that cloning the flash and running the firmware in a VM won't work, but cloning the flash and running that with the actual hardware does (assuming that the only mutable storage in the device is the flash): this way at least the retry counter can be defeated by restoring the flash contents.

          Unlike the A6, the A7 (and later) has the 'secure enclave'. However, rather than a physically separate processor with a dedicated mutable storage this appears* to be a virtual one sharing the system's flash chips as its only mutable storage. This is primarily geared at keeping someone with remote access (say, an exploit delivered via browser) at bay rather than someone with physical access (i.e. it keeps the iOS user and even kernel space isolated from the key storage, which is a worthy thing to have, of course). It seems Apple has not actually managed the latter; this would take your assumed separate tamperproof security processor with its dedicated mutable storage to keep the keys. This - afaik - Apple don't currently have. Hence, my impression is that there is no fundamental reason the technique (i.e. using a cloned flash with the original HW) wouldn't work on a iPhone 6 (or later).

          * Apple seems to rely on obscurity for security here, afaik this is not properly (that is, publicly) documented

          1. Steve Todd

            Re: I'm not sure how he thinks this will work on an iPhone 6

            I'm not sure where you get some of this from but :

            1) the secure enclave is a physical not a virtual processor. It has 4MB of its own flash memory directly on the SoC die and runs its own OS.

            2) the details are quite well documented, as are the APIs used to access it. See for example https://www.apple.com/business/docs/iOS_Security_Guide.pdf

            1. Pseu Donyme

              Re: I'm not sure how he thinks this will work on an iPhone 6

              @Steve Todd: Well, I'd be delighted to be wrong about this if it means that things are better documented or at least better known by now (or always were). Last time what information was around (using an hour or three to look for it with the benefit of a background as a seasoned embedded systems SW engineer) left me with the above impression (admittedly with some of my own speculation having most likely blurred to the info by now). I wouldn't mind seeing a quote from the above link attesting to the secure enclave's nature as a physically separate, tamperproof* subsystem, in particular it having its own persistent, but mutable storage, physically separate from the general purpose flash (without which it is still vulnerable to this sort of attack); this is the main point where I had to rely on speculation (i.e. Apple very likely minding the BOM / extra size / complexity from an extra chip / ... too much to implement a feature the finer points of which the general public would be unlikely to appreciate).

              * one aspect of this would be whether the secure enclave's firmware is immutable (failing which makes the kind of hack FBI was demanding of Apple possible)

              1. Steve Todd

                Re: I'm not sure how he thinks this will work on an iPhone 6

                From a hacker's point of view:

                https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf

                Does that help?

                1. Daniel B.
                  Boffin

                  Re: I'm not sure how he thinks this will work on an iPhone 6

                  Interesting read. I've been curious on how the SEP works. Looks like it's pretty secure by itself. Sure it's exploitable, but it's far harder to exploit than the rest of the phone.

  6. Gordon861

    Built in Obsolescence

    "Skorobogatov says his set up could help Apple and others find hardware security problems and reliability issues, citing his discovery that some NAND chips from broken iPhone 5c main boards had specific blocks that had failed due to excessive rewriting."

    What are the chances Apple already knew of this built in in fault and have not fixed it so that the phones have a maximum life span before you need to buy a new one?

    1. Anonymous Coward
      Anonymous Coward

      Re: Built in Obsolescence

      What are the chances Apple already knew of this built in in fault and have not fixed it so that the phones have a maximum life span before you need to buy a new one?

      Nothing evil to see here. It's a standard feature of this technology, you'll also find it in every SSD.

      1. Tridac

        Re: Built in Obsolescence

        Yes, but ssd's have their own internal processor responsible (amongst other things) for the wear levelling algorithm, which is proprietary to the manufacturer. An SSD in a heavily loaded server is probably good for billions of write cycles before the capacity is noticably degraded. If the flash in the Apple phone is standalone, then Apple system software must be responsible for the wear leveling code, which may or may not be world class. Rather, just enough to get the job done for the life of the phone.

        As for chip removal, standard run of the mill industry stuff for decades, even for ball grid array devices. The chips are designed to withstand solder reflow temperatures and are very unlikey to be damaged if the temperature and exposure time is controlled and within limits.

        Of course, the other way to do it is to probe the board directly without removing the flash, though you may have to disconnect / cut tracks to other parts of the circuit in the process. Again, run of the mill stuff for the ATE business for years...

        Chris

    2. jzl

      Re: Built in Obsolescence

      What are the chances Apple already knew of this built in in fault and have not fixed it so that the phones have a maximum life span before you need to buy a new one?

      The chances are close to zero. Phones have a maximum lifespan already, and most consumers won't ever hear about this story or care about it. There is no clear motive for Apple to do this. On the other hand, if what you're saying was true and the story got out it would be major headlines.

      Apple aren't out to put themselves in a position where their reputation could be shredded by a leak. Just look at what happened to Volkswagen.

      Furthermore, search for articles on the web about the internal culture at Apple, particularly from ex-employees. It's a strange place - secretive, authoritarian. But it's extremely focussed on pleasing the customer.

    3. Dave 126

      Re: Built in Obsolescence

      >Gordon861

      There is no motive for Apple to hobble the lifespan of the NAND to promote sales... the finite lifespan of the battery already does that.

      1. werdsmith Silver badge

        Re: Built in Obsolescence

        There is no motive for Apple to hobble the lifespan of the NAND to promote sales... the finite lifespan of the battery already does that.

        The battery replacement is a 5 minute job. At least it was before 7 came out with its waterproofing.

        1. Kiwi
          Holmes

          Re: Built in Obsolescence

          The battery replacement is a 5 minute job. At least it was before 7 came out with its waterproofing.

          You mean Apple finally invented waterproofing? How long before they try to sue Casio et al for patent abuse waaay back in the 70's (or earlier...) for having waterproof devices?

          As to making it harder, I've had waterproof devices for my whole life, from (mostly) watches to a radio you could use in water (and under - with horrible sounding results), and even my current GPS unit - designed for bikers. All of these things have had replaceable batteries with seals that work easily and well. It should still be a 5 minute job, if that much. I've thought of at least 3 ways to easily do this (1 so cheap and easy to do I wonder why phone makers never did it before). Make that 4 ways to easily have a waterproof phone with removable battery, SIM and microSD (or other card). And a headphone socket, and USB. (Icon for how obvious some of this stuff is!)

  7. Anonymous Coward
    Anonymous Coward

    This is - at best - a temporary solution.

    Seems the key is being able to unsolder a chip ... I am sure it's not beyond the wit of man to circumvent this.

    In fact I would expect such circumvention to feature in the next iPhone iteration - it's more useful and exciting than the lack of a headphone jack.

    Off the top of my head:

    1) Physical protection - any attempt to unsolder the chip destroys it

    2) Device key encryption - the *correct* NAND array contains a key which generates the rigth reponse to a challenge. Something an impostor can't.

    3) Some small explosive devices with acid which trigger when the case is opened.

    (I may have made that last one up ...)

    1. Doctor_Wibble
      Angel

      Re: This is - at best - a temporary solution.

      > 3) Some small explosive devices with acid which trigger when the case is opened.

      A Law-Abiding Citizen would of course have no need to add that to make the device defend itself even before being opened...

      The simplest answer is to sneak someone into Apple labs and plug the device into their debug testbed that they use for figuring out the really hard stuff when there's some weird fault that needs analysis.

      Cloning the device was surely pretty much everybody's immediate suggestion, though credit to the guy for actually proving the concept.

    2. AndyS

      Re: This is - at best - a temporary solution.

      That last one would have the added benefit of also preventing those pesky users from trying to replace the single heaven-provided battery.

      Now for the real question. How much acid can it hold?

    3. jzl

      Re: This is - at best - a temporary solution.

      The obvious solution is to salt the passcode and store the salt in the processor's secure module.

    4. Phil Koenig

      Re: This is - at best - a temporary solution.

      Actual high-security/low-production devices such as those used in top-secret roles eg military and by national-security officials, often have just such countermeasures.

      But it would be corporate suicide for a company to build a product that sells at the scale of hundreds of millions per year, which is essentially 100% un-repairable.

      Especially since the vast majority of end-users don't give a rat's behind about security and privacy anyway. (If they did, companies like Facebook wouldn't exist)

    5. JeffyPoooh
      Pint

      Re: This is - at best - a temporary solution.

      AC "3) Some small explosive devices with acid which trigger when the case is opened."

      No need to open the case.

      We'll use the concepts of keyhole surgery, and we'll do this attack through the headphone socket.

      Oh... ...never mind.

    6. Doctor Syntax Silver badge
      Mushroom

      Re: This is - at best - a temporary solution.

      "3) Some small explosive devices "

      Maybe premature detonation explains Samsung's current problems. It's a security device gone wring.

    7. Anonymous Coward
      Anonymous Coward

      Re: This is - at best - a temporary solution.

      Seems the key is being able to unsolder a chip ... I am sure it's not beyond the wit of man to circumvent this.

      In fact I would expect such circumvention to feature in the next iPhone iteration - it's more useful and exciting than the lack of a headphone jack.

      It WAS already solved, which is why I do not buy the extrapolation to the iPhone 6. Apple can go one better and incorporate the same sort of wire mesh in the security chip that was prevalent on older security chips which prevents chip shaving to expose contact areas (the mesh messes up the chip before you get that deep) but it's costly and adds thickness to a chip they spent many man years getting slimmer. At some point you have to respect the crossover point between secure and affordable.

      Especially with the volumes Apple churns out, simple things multiply rapidly into major costs and given that the majority of users are quite happy with providing details of their life to Facebook and Twitter I'd say that the majority of users really don't care that much. It's not a real value add for Apple to make it more secure than it is already.

      We use Apple gear for a number of things, and we've modelled the risk - it's an acceptable cost for the level of security they offer. There's plenty of opportunity out there to blow silly amounts of money on "secure" gear but our research suggests you're usually buying comfort, not more security..

    8. Anonymous Coward
      Anonymous Coward

      Re: This is - at best - a temporary solution.

      "1) Physical protection - any attempt to unsolder the chip destroys it"

      It has to be soldered in the first place. A technology which means you can reflow the solder once but not twice would be of great interest to many people.

  8. Tom 7

    Four months of part time work by the skilled technician who got lucky

    I've worked with some seriously skilled geniuses who, even if they worked in the field, may nor have cracked this. One thing I've discovered is even the brightest and best cant often see the wood for the trees - and many who can would keep quiet about it anyway.

  9. Locky
    Flame

    He found Apple employed security-through-obscurity

    Well colour me shocked. Next you'll report that Apple OS can get infected by a virus....

  10. Doctor Syntax Silver badge

    I think many of recognised, at least in principle, that if you could remove and read out the contents of the NAND you could implement such an attack. Kudos for this guy for implementing it. Not that it removes the suspicion of "I couldn't find anything on it. $1,000,000 please" as being an entirely satisfactory outcome for the FBI irrespective of what "couldn't find" might represent in terms of effort.

  11. lafnlab
    Headmaster

    FBI

    FYI, FBI stands for Federal Bureau of Investigation, not Intelligence. While they do have some intelligence roles, that is not their primary raison d'être.

  12. Camilla Smythe

    Extradition in.. 3... 2... 1...

    Do not make the FBI look dumb.

  13. Duffaboy
    Trollface

    The should have just tried

    Password

    1. Dave 126

      Re: The should have just tried

      Hard to do when your only available inputs are: 0,1,2,3,4,5,6,7,8 or 9. :)

      1. Anonymous Coward
        Anonymous Coward

        Re: The should have just tried

        Hard to do when your only available inputs are: 0,1,2,3,4,5,6,7,8 or 9. :)

        Nah, just go old school when digits represented multiple characters (dial 0800-BOLLOCKS).

        "Password" would be 7277 9673 (and it would be 0800-2655 6257 :) ).

  14. PNGuinn
    Trollface

    OK - sso what was the REAL cost?

    "The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors."

    So - the bits cost $100 from Cambridge's local Maplin's - AND the droid behind the counter both had 'em in stock AND knew where to find 'em. (I smell bovine ...)

    I wonder how much that'd have cost - in real British Sqiud - from CPC Farnell??

    C'mon el reg - wot was the REAL cost? - No need to save the FEDS the embarrassment.

  15. Anonymous Coward
    Anonymous Coward

    He found Apple employed security-through-obscurity rather than "fully thought through" hardening in its protection against NAND mirroring attacks.

    I thought it had been known for a while that that is the entirety of Apple's 'no viruses' history. It has rarely been profitable to bother attacking an Apple device due to low marketshare.

  16. Anonymous Coward
    Anonymous Coward

    The FBI would have overpaid even if they knew about this option

    The only reason the FBI went for outside help was because the slam dunk case they thought they had to make Apple look bad backfired badly on them. They felt public opinion would be overwhelmingly on their side, because "terrorism" but it was a 50/50 split at best. That's why they originally filed the case in public, even though Apple wanted it filed under seal - because no doubt they were worried about bad publicity as well and had to be pleasantly surprised by the support they received.

    Rather than fight a battle they knew there was a good chance they would lose, the FBI decided to save face by accepting outside help which they obviously could have found before filing the case. They wanted to go to a specialist company that charged a lot because they feel it will aid their case down the road when they decide to try pressing their case for backdoors. They can tell congress "look, it cost us $1 million for one phone, maybe we can justify that for terrorism, but what about drug dealers and pedophiles, they are getting away now - THINK OF THE CHILDREN!"

  17. JaitcH
    Unhappy

    Remember JAMES COMEY ...

    is neither technical nor a cop. He was the United States Deputy Attorney General from December 2003 to August 2005 under Bush 2.

    Memory swapping has been available in ShangHai for years - and around USD$100.

  18. scrubber

    Dear commentards

    I recall a vast number of comments being down voted vigorously and repeatedly for saying this was possible and being ridiculed. Could you all go back and update your comments and votes?

    1. Solmyr ibn Wali Barad

      Re: Dear commentards

      "I recall a vast number of comments being down voted vigorously and repeatedly for saying this was possible and being ridiculed"

      Does not ring true. This particular "this" was rarely discussed. Mostly in elaborate comments with only few votes.

      But there were numerous comments along the lines "just solder memory chips off and read their contents" - which deserved every ridicule they got.

  19. Anonymous Coward
    Anonymous Coward

    Only $100? That explains his name

    > University of Cambridge senior research associate Sergei Skorobogatov

    That translates as "almost rich" :-)

    1. GrapeBunch

      Re: Only $100? That explains his name

      I was going to say his name means quickly blessed Skoro - quick; bogat - blessed, handsome; ov - of. I guess it's a question of perspective.

      1. Anonymous Coward
        Anonymous Coward

        Re: Only $100? That explains his name

        > I guess it's a question of perspective.

        Or which Slavic language one is most familiar with. It does illustrate how easily false friends and cognates with completely different meanings can get you into trouble when travelling in Slavic countries, though.

  20. bish

    24hrs? Doubtful

    The hacking behind building a safety net for brute forcing the encryption is very impressive, but we're still talking about brute forcing a four digit PIN where every six attempts takes (on the video) ninety-one seconds, from the previous chip powering down, unplugging it, hooking up a clone, starting the phone up (yawn) punching in your first four combos (and you'd want a tick list if you were really going all the way from 0000 to 9999 - which would slow you down a tiny bit more each time - or you'd definitely lose your mind) waiting on the fifth and sixth, (potentially cursing yourself for mistyping a number) then powering down again. By that measure, it would take more like forty-two hours - unless of course the passcode started with 1-8, which admittedly is a fair shot but not guaranteed), without any breaks - if that were my gig, and it included the four months part time (two months full time) R&D, I'd invoice for AT LEAST $1m, simply because it's the most boring task ever.

  21. Scott Pedigo
    Holmes

    Federal Bureau of What?

    "University of Cambridge senior research associate Sergei Skorobogatov has laid waste to United States Federal Bureau of Intelligence (FBI) ..."

    That would be the Federal Bureau of Investigation

  22. Harrow

    Why hasn't University of Cambridge senior research associate Sergei Skorobogatov been arrested and charged under 17 U.S. Code § 1201 (DMCA -- Circumvention of copyright protection systems)?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like