[Cryptography] The FBI can (almost certainly) crack the San Bernardino iPhone without Apple's help
Jerry Leichter
leichter at lrw.com
Wed Mar 2 14:56:38 EST 2016
>> Sigh. This has become a meme so quickly, and it's just wrong.
>>
>> You can clone the memory chip of an iPhone. But even in the iPhone 5C in question, that doesn't give you the chip UUID, which is embedded in the processor - which provides no way to read it. Without the UUID, knowing the lock code doesn't tell you the encryption key....
>
> Yes, I know this, and I specifically addressed it. The attack is not a brute force attack on the AES key, it’s a brute force attack on the PIN. It works like this:
>
> 1. De-solder the flash chip and read its contents
>
> 2. Replace the flash chip with a ZIF socket (probably connected to a short ribbon cable).
>
> 3. Re-install the flash chip and make five guesses at the PIN.
>
> 4. Power down, replace the flash chip with a fresh copy of the original, and go to Step 3.
You are, of course, correct. I should have read your page rather than just doing a quick skim. An attack based on cloning the phone has become a quick meme - but in most cases, those repeating it don't understand what's involved and promptly suggest that once you have a clone, you can run a large number of copies - someone even suggested doing it in AWS, ignoring the difference between ARM and x86 code among many other issues - and get the passcode quickly.
I will point out that this attack assumes that the external flash is the only form of non-volatile storage in the phone. Counting to 10 retries only requires 4 bits of such storage on the CPU chip. If Apple actually implemented it that way (obviously there would be many details - it's not just a matter of storing the count there), the cloning attack would fail. However, I don't know one way or another.
-- Jerry
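The flash-mirroring procedure quoted above, and Jerry's counter-on-the-CPU caveat, as an added simulation written for this page (it is not code from either poster, and it is not Apple's design). The model is an assumption throughout: a per-SoC UID that can never be read out, a passcode verifier derived with PBKDF2 from UID + passcode, a 10-wrong-guess wipe, and a retry counter that lives either in the external flash (the case the attack relies on) or in on-chip non-volatile storage (the case Jerry raises). The second case goes slightly beyond the quoted steps to show why the attack then fails.

```python
"""Simulation of the NAND-mirroring PIN brute force (constructed model, not Apple's design).

Assumptions made for the model:
- The SoC holds a UID that is fused in and has no read path.
- The passcode verifier, its salt and (by default) the retry counter live in
  external flash, which the attacker can dump and restore.
- After MAX_RETRIES wrong guesses the device wipes its key material.
- With counter_on_cpu=True the retry counter lives in on-chip NVRAM instead,
  which restoring the flash image cannot reset.
"""
import hashlib
import hmac
import itertools
import os

MAX_RETRIES = 10
GUESSES_PER_CYCLE = 5   # guesses made before each power-down / chip swap in the quoted steps
KDF_ITERATIONS = 100    # kept tiny so the simulation runs quickly; real devices tune this much higher


class Phone:
    def __init__(self, passcode: str, counter_on_cpu: bool = False):
        self._uid = os.urandom(32)            # fused into the SoC; never readable
        self.counter_on_cpu = counter_on_cpu
        self._cpu_nvram_retries = 0           # only used when counter_on_cpu
        self.flash = {"retries": 0, "salt": os.urandom(16), "verifier": None}
        self.flash["verifier"] = self._derive(passcode, self.flash["salt"])
        self.wiped = False

    def _derive(self, passcode: str, salt: bytes) -> bytes:
        # Key material = KDF(UID, passcode, salt). Without the UID the attacker
        # cannot test guesses offline, which is why guesses must run on the device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid + salt, KDF_ITERATIONS)

    def _retries(self) -> int:
        return self._cpu_nvram_retries if self.counter_on_cpu else self.flash["retries"]

    def _bump(self) -> None:
        if self.counter_on_cpu:
            self._cpu_nvram_retries += 1
        else:
            self.flash["retries"] += 1

    def try_passcode(self, guess: str) -> bool:
        """One on-device guess; enforces the retry limit and wipes on exhaustion."""
        if self.wiped or self._retries() >= MAX_RETRIES:
            self.wiped = True
            return False
        if hmac.compare_digest(self._derive(guess, self.flash["salt"]), self.flash["verifier"]):
            return True
        self._bump()
        if self._retries() >= MAX_RETRIES:
            self.wiped = True
        return False

    # Attacker actions on the desoldered / socketed flash chip.
    def dump_flash(self) -> dict:
        return dict(self.flash)

    def restore_flash(self, image: dict) -> None:
        self.flash = dict(image)


def pin_candidates(digits: int = 4):
    """All numeric passcodes of the given length, in ascending order."""
    return (f"{i:0{digits}d}" for i in range(10 ** digits))


def mirror_attack(phone: Phone, candidates):
    """Steps 1-4 from the thread: dump once, guess five times, restore, repeat.

    Returns (passcode or None, number of on-device guesses made).
    """
    image = phone.dump_flash()                       # step 1: read the chip
    cands = iter(candidates)
    guesses = 0
    while True:
        batch = list(itertools.islice(cands, GUESSES_PER_CYCLE))
        if not batch:
            return None, guesses
        for guess in batch:                          # step 3: five guesses
            guesses += 1
            if phone.try_passcode(guess):
                return guess, guesses
            if phone.wiped:                          # counter survived the restore: attack fails
                return None, guesses
        phone.restore_flash(image)                   # step 4: fresh copy of the original image


def offline_attack(image: dict, candidates):
    """The 'clone it into AWS' idea: verify guesses against the flash dump without the UID.

    The attacker has to substitute something for the unreadable UID (all zeros here),
    so no candidate ever verifies.
    """
    for guess in candidates:
        derived = hashlib.pbkdf2_hmac("sha256", guess.encode(), b"\0" * 32 + image["salt"], KDF_ITERATIONS)
        if hmac.compare_digest(derived, image["verifier"]):
            return guess
    return None


if __name__ == "__main__":
    print(mirror_attack(Phone("2468"), pin_candidates()))                      # found after 2469 guesses
    print(mirror_attack(Phone("2468", counter_on_cpu=True), pin_candidates()))  # wiped after 10 guesses
    print(offline_attack(Phone("2468").dump_flash(), pin_candidates()))         # None
```

The first run succeeds because every restore zeroes the retry counter along with everything else in the image, so the device never reaches ten wrong guesses; the second run wipes on the tenth guess because the restore touches only the flash; the third shows that the dump alone, without the UID, gives nothing to test against. Real devices also impose a per-guess delay, so the on-device guess count is what bounds the attack's running time.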