The bumpy road towards iPhone 5c NAND mirroring
📝 Abstract
This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c. Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection. Also some reliability issues related to the NAND memory allocation in iPhone 5c are revealed. Some future research directions are outlined in this paper and several possible countermeasures are suggested. We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised.
📄 Content
Sergei Skorobogatov: The bumpy road towards iPhone 5C NAND mirroring Page 1

The bumpy road towards iPhone 5c NAND mirroring

Sergei Skorobogatov
University of Cambridge Computer Laboratory, Cambridge, UK
e-mail: sps32@cam.ac.uk
Abstract—This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c. Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection. Also some reliability issues related to the NAND memory allocation in iPhone 5c are revealed. Some future research directions are outlined in this paper and several possible countermeasures are suggested. We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised.

Keywords: Apple iPhone 5c; NAND Flash memory; mirroring attack; hardware security

I. INTRODUCTION

Mobile phones, and in particular smart phones, can contain a large amount of personal information: contact history, text messages, location history, access-credentials to online services, financial details, etc. It is therefore hardly surprising that the forensic examination of mobile-device storage has become a significant line of enquiry in many police investigations, and forces around the world operate large laboratories to routinely retrieve and analyze data from the phones of both suspects and victims. At the same time, smartphones are evolving into personal security devices used for financial transactions, with associated user expectations about their physical security.
Mobile phone vendors, most notably Apple Inc., have responded by encrypting data stored in non-volatile memory, in order to protect personal data and access credentials against unauthorized recovery from lost or stolen devices.

Data mirroring is widely used in computer storage when higher reliability of data storage is required. It is the process of copying data from one location to a storage device in real time, so that the copy is always an exact replica of the data at the original location. Data mirroring is useful for recovering critical data after a disaster. In computer systems mirroring can be implemented as a part of the standard RAID (redundant array of independent disks) levels [1]. From the hardware security perspective the process of mirroring can pose a threat, because it creates a backup copy of the data that might allow restoring a previous state of the system, for example one with a higher value of the password retry counter.

The Apple iPhone 5c came under the spotlight soon after the FBI recovered one from a terrorist suspect in December 2015 [2]. In February 2016 the FBI announced that it was unable to unlock the recovered phone due to its advanced security features, including encryption of user data [3]. The FBI first asked the NSA to break into the phone, but they were unable to [4]. As a result, the FBI asked Apple Inc. to create a new version of the phone’s iOS operating system that could be installed and run in the phone’s random access memory to disable certain security features. Apple refers to this as “GovtOS”. Apple declined due to its policy to never undermine the security features of its products. The FBI responded by successfully applying to a United States magistrate judge, Sherri Pym, to issue a court order mandating Apple to create and provide the requested software [5]. Less than 24 hours before a highly anticipated hearing over access to the phone was set to begin, Justice Department lawyers requested a delay [6].
Later in March the Justice Department abandoned its bid to force Apple to help it unlock the iPhone, saying that it had “now successfully accessed the data” stored on the iPhone in question [7]. At a press conference on 24 March 2016 FBI Director James Comey told reporters that “NAND mirroring” would not be used to get into the terrorist’s iPhone 5c, saying “It doesn’t work” [8,9]. NAND mirroring had been suggested by several technology experts as the most likely way to gain unlimited passcode attempts on the iPhone 5c. iPhone forensics expert Jonathan Zdziarski demonstrated a software-based proof-of-concept of the mirroring attack using a jailbroken iPhone 5c. Although he did it w