Monday, February 29, 2016

The FBI can (almost certainly) crack the San Bernardino iPhone without Apple's help

The title kind of says it all.  How do I know?  Because of this photo:


That's a picture of the logic board of an iPhone 5C, the same model as the San Bernardino phone.  The chip with the red outline is a Toshiba THGBX2G7B2JLA01 NAND Flash chip.  That's the phone's memory chip.  All the data on the phone is stored there.  It's encrypted, but here's the thing: the encryption key is also (almost certainly) stored in the same chip.  So all the FBI needs to do is de-solder the chip, mount it in its own hardware, and read out the data.  Unless the FBI is completely incompetent, it should be able to do this in less than a day.  And again, unless they are completely incompetent, having read out the contents of the chip they should be able to decrypt its contents in a matter of minutes if not seconds.  And even if they are completely incompetent, they could use a copy of the chip to try five different PIN codes, and then replace the chip with a fresh copy of the original and try five more.  Lather, rinse, repeat.  At worst this would take about a week or so.

How do I know that this is possible?  Because one of the highly touted features of the iPhone 6 is that it has a secure enclave where things like encryption keys can be securely stored in a way that does not make them accessible using the technique I just described.

The FBI knows this.  Everyone in the security community knows this.  But not everyone in the general public knows this, and the FBI is counting on that ignorance to cover up the fact that their lawsuit against Apple is a charade.  They are not worried about the data on the San Bernardino iPhone, because if they were they would have had it by now.

What they are worried about is the secure enclave in the iPhone 6.  That is much harder to crack than the external memory chip on the 5C, which any competent hobbyist could do.  Cracking a secure enclave requires actually getting inside the processor chip itself, a process known as decapping.  That's possible too (the NSA can probably do it) but it's much, much harder and requires very expensive and specialized (and probably classified) equipment.

What the FBI is really trying to do here is to set a legal precedent that will let them use the power of the law to do an end-run around the secure enclave, and any other security technology that any company might produce in the future.  This is not about catching some potential terrorists, this is about effectively eliminating legal access to encryption technology.  Attempts have been made in the past to regulate encryption technology through the democratic process, and they have all failed.  So now the FBI is trying to get a court to do what Congress has on multiple occasions refused to do.

If democracy is to survive in the United States they must not be allowed to succeed.

[UPDATE:] Some commenters on Hacker News are saying that my analysis is wrong because the encryption key has additional entropy in it in the form of the processor's 256-bit unique ID.  While this is true, it does not make the 5C secure.  The limiting factor on attacking the PIN is the fact that the phone only gives you 10 attempts before wiping the flash.  But if you have a copy of the flash, you can just replace the wiped flash with a copy and make another 10 attempts.

1 comment:

  1. Your assessment that the FBI is trying to set a legal precedent is spot on! Sadly, they're using the horrendous San Bernadeno shootings as a cover for why they need this for this specific phone all the while knowing they're asking for the keys to the castle.

    ReplyDelete