So NAND mirroring doesn’t work to crack into Syed Farook's work iPhone and grab the contents, huh? Tell that to the security researcher’s proof-of-concept demonstration.
iPhone forensics expert Jonathan Zdziarski previously suggested the FBI could use NAND mirroring to get information off the locked San Bernadino shooter’s iPhone; yet FBI Director James Comey claimed that making a copy of the phone’s chip to get around the passcode “doesn’t work” and the solution would be “software-based.”
Yet Zdziarski responded by cooking up a NAND mirroring proof-of-concept to prove that “copying the back disk content could allow for unlimited passcode attempts.” He posted two video demonstrations of a “simple ‘concept’ simulation of a NAND mirroring attack on an iOS 9.0 device.”
Although he did it with a jailbreak, Zdziarski noted, “NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.” He noted, “For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.”
I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.
If he is correct and Comey is not, it wouldn’t be the first time the government lied to us. The Justice Department swore it was “impossible” without having Apple create a backdoor. Last week, The Wall Street Journal claimed the FBI and Justice Department “fibbed.” As Daring Fireball’s John Gruber put it: “When the FBI lies it’s a ‘fib’. When you lie to the FBI it’s a ‘felony’.”
FBI Director Comey was not pleased about the WSJ piece and fired back:
You are simply wrong to assert that the FBI and the Justice Department lied about our ability to access the San Bernardino killer’s phone. I would have thought that you, as advocates of market forces, would realize the impact of the San Bernardino litigation. It stimulated creative people around the world to see what they might be able to do. And I’m not embarrassed to admit that all technical creativity does not reside in government. Lots of folks came to us with ideas. It looks like one of those ideas may work and that is a very good thing, because the San Bernardino case was not about trying to send a message or set a precedent; it was and is about fully investigating a terrorist attack.
Whatever method of cracking into the iPhone is used – if it is done – it’s not likely the public will be told.