It’s actually pretty scary that the FBI openly acknowledged that there may be a way to hack any iPhone and throw encryption right out the window. But that’s exactly what the U.S. government did on Monday night. It told the world, and Apple, that a third-party can do what the FBI can’t and what Apple refuses: Break into an iPhone that was recovered from one of the San Bernardino shooters and is protected by a PIN.
Any iPhone is encrypted as long as it’s protected by a PIN, password or fingerprint. That’s the obstacle that’s preventing the FBI from getting into the iPhone in question, an obstacle that the NSA is suspected of being able to bypass, though the agency isn’t cooperating with the FBI on this matter.
So how will this unknown third party crack the iPhone 5c for the FBI?
There are several theories out there about how this can be done, and here are the more plausible ones.
A tale of acid and lasers
As Ars Technica pointed out a few weeks ago, the FBI could dismantle the iPhone 5c in question. Then, with the help of acid and lasers, the Bureau would remove the outer layers of the iPhone’s processor and read the embedded ID, which is unique for each chip.
Once the ID is known, you can simply copy the encrypted storage to a different computer and use a brute force attack to attempt all PIN variations until you get the right combination.
This method is dangerous, as it can physically destroy the processor. If that were to happen, the data stored on the device would be gone for good.
A monster jailbreak
The same site also proposed a different theory: jailbreaking the iPhone 5c. If a third-party company has found a secret bug inside SecureROM, the software that’s baked into the iPhone’s hardware and that is responsible for verifying that the device runs a genuine iOS version, then it could load custom software to bypass the PIN protection.
Ars notes that so far, six SecureROM bugs have been found and exploited for jailbreaks. These can’t be patched in iOS releases, as Apple has to update the hardware to prevent future jailbreaks. If a company discovered a seventh exploit, then the FBI could crack not just the San Bernardino iPhone, but also any other password-protected iPhone it wants to unlock.
If that’s the path the FBI is taking with the help of this unknown third party, then no existing iPhone is safe from similar snooping. That’s definitely scary.
A software exploit
Just the other day, security experts from Johns Hopkins revealed they can retrieve photos from encrypted iMessage chats. The security hole has existed for months and it took Apple two software updates to fix it, iOS 9 and iOS 9.3.
If a security company found a way to bypass the lock screen using a similar zero-day attack, the FBI might also use it to get into the iPhone. Even if Apple patched it in recent iOS releases, it’s likely the San Bernardino iPhone doesn’t run the latest version of iOS. So then, even if Apple patched other security holes that most people have no idea about with its iOS 9.3 release, the iPhone 5c would still be exposed.
What’s stopping the FBI from trying to guess each and every PIN combination until it gets the right one is the fact that the iPhone might be set to erase the data after the tenth wrong PIN input. Edward Snowden already suggested that the FBI has a memory mirroring technique at its disposal that could be used to beat the system.
What happens here is that the iPhone is again dismantled and the NAND memory module is removed so that it can be copied. With the help of software, the FBI can then try each and every PIN combination available. If the phone erases itself after the tenth attempt, the FBI would just restart the process. After all, it still has the original memory that can be copied over and over.
“This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying,” security researcher Jonathan Zdziarski wrote on his blog – you should read the entire post to better understand how this technique works.
The downside is that this method might be costly for the FBI, but that unspecified company willing to help out – likely for a hefty fee – could do it in a more efficient manner. This technique might also be the most reasonable way to break into an encrypted iPhone.
If that sounds too complex, just check out the following video, which explains the same technique from a different point of view. In it, intrepid “hackers” from China replace the 16GB memory chip on an iPhone with a 128GB chip for a fraction of the cost of a 128GB iPhone from Apple.
In the process, the hackers copy the entire contents of the 16GB memory module and move it over to the 128GB chip. That means that even the encryption keys are moved over, and you’d unlock that 128GB iPhone using the same PIN as before the “upgrade.”