A security researcher from the University of Cambridge has found a way to manipulate the iPhone's NAND memory hardware and bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI in the highly publicized privacy case in which it demanded that Apple create a workaround to access the phone of the San Bernardino, Calif., shooter. Apple refused on ethical grounds and a media frenzy ensued. Ultimately, the FBI dropped the legal case against Apple and reportedly paid $1 million to an unknown security company to unlock the phone.
Recently a security researcher wrote a paper and then built a hacking rig to do the same, for about $100. The iPhone 5C security control in question is the one that limits the number of attempts to enter an unlocking PIN. After a certain number of attempts, the phone waits for a long period before allowing another attempt. After 10 attempts the device permanently deletes the encryption keys, making all the data on the phone irretrievable. This check is enforced in the device's firmware and hardware to prevent a brute-force attack, which simply tries every combination. A four-digit PIN has 10,000 possible combinations, from 0000 to 9999. Trying even a small number of them results in the phone quickly being locked and ultimately the data rendered unrecoverable.
The researcher created a cloned NAND memory chip under his control to replace the one embedded in the iPhone. Because the clone reset the attempt counter after every PIN entry, the process could be automated and a brute-force attack succeeded. Even with such a rudimentary system, a four-digit code was cracked in about 40 hours. With a more powerful system, a crack could occur much faster.
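The following Python model is an added illustration, not code from the article or from the researcher, and it does not reproduce any real iPhone design. It shows why a retry counter kept in rewritable storage does not survive a clone-and-restore of that storage, and what changes when the failure count is bound to a monotonic counter that cannot be rolled back. The PIN, the delay schedule, and every name in it are hypothetical.

```python
"""
Toy model of a passcode retry limiter (constructed example, not Apple's code).
Two designs are compared:
  * rollback_protected=False: the failure count lives in rewritable storage
    that an attacker can snapshot and write back after every guess.
  * rollback_protected=True:  the failure count is read from a monotonic
    counter outside that storage, so restoring storage cannot lower it.
All constants below are hypothetical values chosen for the demonstration.
"""
from dataclasses import dataclass, replace
import hashlib
from typing import Optional

MAX_ATTEMPTS = 10          # irreversible wipe after this many failures
PIN_SPACE = 10_000         # four decimal digits: 0000..9999
# Hypothetical escalating delays (seconds) imposed after the Nth failure.
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}


@dataclass
class Storage:
    """Rewritable persistent storage. Anything kept here can be cloned and
    written back, which is the property the article's attack relied on."""
    failed_attempts: int = 0


class Device:
    def __init__(self, pin: str, rollback_protected: bool) -> None:
        # Placeholder for the key derived from the passcode; hashing is used
        # only so the model never keeps the PIN in the clear.
        self._secret = hashlib.sha256(pin.encode()).hexdigest()
        self.storage = Storage()
        self.rollback_protected = rollback_protected
        # Models a counter outside restorable storage: it only ever grows.
        # (A real design would record the value at the last successful unlock
        # as a baseline; that detail is omitted here.)
        self._monotonic_failures = 0
        # Models irreversible destruction of the key material.
        self.wiped = False

    def _failures(self) -> int:
        if self.rollback_protected:
            return self._monotonic_failures
        return self.storage.failed_attempts

    def try_pin(self, guess: str) -> tuple[bool, int]:
        """Return (unlocked, delay_seconds). A wiped device never unlocks."""
        if self.wiped:
            return False, 0
        if hashlib.sha256(guess.encode()).hexdigest() == self._secret:
            return True, 0
        self.storage.failed_attempts += 1
        self._monotonic_failures += 1
        failures = self._failures()
        if failures >= MAX_ATTEMPTS:
            self.wiped = True
            return False, 0
        return False, DELAY_SCHEDULE.get(failures, 0)


@dataclass
class Result:
    pin: Optional[str]     # recovered PIN, or None if the search failed
    attempts: int          # guesses actually submitted
    wiped: bool            # whether the device destroyed its keys
    wait_seconds: int      # simulated delay the device imposed in total


def brute_force(device: Device, restore_storage: bool) -> Result:
    """Try every PIN in order. With restore_storage=True the attacker keeps
    one snapshot of the rewritable storage and writes it back after each
    failure, modelling a cloned memory chip. Delays are simulated, not slept."""
    snapshot = replace(device.storage)      # copy of the pristine state
    attempts = 0
    waited = 0
    for n in range(PIN_SPACE):
        if device.wiped:
            break
        guess = f"{n:04d}"
        attempts += 1
        unlocked, delay = device.try_pin(guess)
        if unlocked:
            return Result(guess, attempts, False, waited)
        waited += delay
        if restore_storage:
            device.storage = replace(snapshot)
    return Result(None, attempts, device.wiped, waited)


if __name__ == "__main__":
    for protected in (False, True):
        r = brute_force(Device("7391", rollback_protected=protected), restore_storage=True)
        print(f"rollback_protected={protected}: {r}")
```

Run as a script, the unprotected device gives up the constructed PIN after 7,392 guesses with no delay ever triggered, because the restored storage never shows more than one failure; the protected device wipes after the tenth guess regardless of how often the storage is restored. The lesson for a defender is that both the retry count and the wipe decision must depend on state the attacker cannot roll back.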
There is no doubt hardware is the final frontier in cybersecurity. Hacking hardware can bypass all software-based controls. On the other hand, leveraging hardware for security makes every attack visible and presents the toughest barriers for attackers to overcome.
In this case, a savvy security researcher with very little money proved that manipulating hardware is a powerful way to unlock even the most secure smartphones. It is in the interest of manufacturers, businesses, consumers, and agencies to better understand the nuances of how hardware, firmware, and software security controls work.
Hardware-based security and hacking is the future of cybersecurity. The only question is who will take the high ground first, the attackers or the defenders? Hackers, nation-states, and ethical researchers are exploring exploitable vulnerabilities in both firmware and hardware. At the same time, hardware designers and manufacturers are adding features to make devices more resistant to compromise and to give security software better capabilities. Apple in particular is updating its hardware, firmware, and operating system architectures to be more secure. The race is on!
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.