[Cryptography] The FBI can (almost certainly) crack the San Bernardino iPhone without Apple's help

Jerry Leichter leichter at lrw.com
Wed Mar 2 14:56:38 EST 2016


>> Sigh.  This has become a meme so quickly, and it's just wrong.
>> 
>> You can clone the memory chip of an iPhone.  But even in the iPhone 5C in question, that doesn't give you the chip UUID, which is embedded in the processor - which provides no way to read it.  Without the UUID, knowing the lock code doesn't tell you the encryption key....
> 
> Yes, I know this, and I specifically addressed it.  The attack is not a brute force attack on the AES key, it’s a brute force attack on the PIN.  It works like this:
> 
> 1.  De-solder the flash chip and read its contents
> 
> 2.  Replace the flash chip with a ZIF socket (probably connected to a short ribbon cable).
> 
> 3.  Re-install the flash chip and make five guesses at the PIN.
> 
> 4.  Power down, replace the flash chip with a fresh copy of the original, and go to Step 3.

You are, of course, correct.  I should have read your page rather than just doing a quick skim.  An attack based on cloning the phone has become a quick meme - but in most cases, those repeating it don't understand what's involved and promptly suggest that once you have a clone, you can run a large number of copies - someone even suggested doing it in AWS, ignoring the difference between ARM and x86 code among many other issues - and get the passcode quickly.

I will point out that this attack assumes that the external flash is the only form of non-volatile storage in the phone.  Counting to 10 retries only requires 4 bits of such storage on the CPU chip.  If Apple actually implemented it that way (obviously there would be many details - it's not just a matter of storing the count there), the cloning attack would fail.  However, I don't know one way or another.
                                                        -- Jerry
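The two designs discussed above, as an added simulation that is not part of this thread: the retry counter either lives in the external flash (which the attacker can dump and restore, steps 1 and 4) or in a few bits of non-volatile storage inside the CPU package (Jerry's "4 bits"), and the flash-swap loop of steps 3-4 is run against both. The device model, PIN length and the erase-after-10-failures policy are assumptions for the purpose of the example, not a description of the real iPhone 5C internals.

```python
from dataclasses import dataclass

MAX_FAILURES = 10        # assumed: erase key material after 10 failed attempts
GUESSES_PER_ROUND = 5    # step 3: five guesses before each flash swap

@dataclass
class Flash:
    """External NAND: the attacker can dump and restore it (steps 1, 4)."""
    failures: int = 0
    wiped: bool = False

    def clone(self) -> "Flash":
        return Flash(self.failures, self.wiped)

class Device:
    """Toy handset. `counter_on_soc` selects where the retry counter lives:
    in the clonable flash, or in a register inside the CPU that the
    flash-swap attack cannot reach."""
    def __init__(self, pin: str, counter_on_soc: bool):
        self.pin = pin
        self.counter_on_soc = counter_on_soc
        self.flash = Flash()
        self.soc_failures = 0   # the "4 bits" on the CPU; survives flash swaps

    def _failures(self) -> int:
        return self.soc_failures if self.counter_on_soc else self.flash.failures

    def _record_failure(self) -> None:
        if self.counter_on_soc:
            self.soc_failures += 1
        else:
            self.flash.failures += 1
        if self._failures() >= MAX_FAILURES:
            self.flash.wiped = True   # key material in flash is destroyed

    def try_pin(self, guess: str) -> bool:
        if self.flash.wiped or self._failures() >= MAX_FAILURES:
            return False
        if guess == self.pin:
            return True
        self._record_failure()
        return False

def clone_and_retry(dev: Device, pristine: Flash, pin_len: int = 4):
    """Steps 3-4: guess five times, swap in a fresh copy of the original
    flash image, repeat. Returns (recovered pin or None, guesses made)."""
    guesses, space = 0, 10 ** pin_len
    for first in range(0, space, GUESSES_PER_ROUND):
        for n in range(first, min(first + GUESSES_PER_ROUND, space)):
            guesses += 1
            if dev.try_pin(f"{n:0{pin_len}d}"):
                return f"{n:0{pin_len}d}", guesses
            if dev.flash.wiped:
                return None, guesses
        dev.flash = pristine.clone()   # step 4: restore the original image
    return None, guesses
```

With the counter in flash the loop walks the whole PIN space five guesses at a time; with the counter on the CPU the device wipes after the tenth failure regardless of how many times the flash is restored, which is the design Jerry describes as defeating the attack.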