Free Republic

To: CopperTop

“What?
No Swordmaker comment yet?

All hail the Mothership of Apple©!! d;^)”

Please trust me when I say I cannot stand Apple and some of the articles Swordmaker posts make me want to projectile vomit :-). I’m an Android fanboy (though I am growing completely sick and tired of Google too).

I suspect the FBI’s way of accessing these phones isn’t something someone can do via software. I think they need to take possession of the phone before they can decrypt it. It has to involve some kind of hardware hack. I don’t think iPhone users need to worry about some random exploit that anyone can use.

I saw someone mention that they might be using the fingerprint reader as a way in, but I don’t think the FBI would have overlooked something like that. There wouldn’t have been a need to call in 3rd party consultants to provide that information :-).

My guess is that they identified where the decryption key resides on the die of the CPU ... they can figure out the zeros and ones they need using a focused ion beam setup that’s used for integrated circuit debugging and decrypt storage that way.

I used a focused ion beam machine about 15 years ago to debug an integrated circuit my company was working on. They are frigging neat to say the least (and NOT cheap). While the silicon process we were using was only two metal layers, I saw someone probing a 4 metal layer design and you could easily see straight down to the substrate. You can even see transistors/metal interconnect toggling by watching the metal kind of “pulse” (i.e. there is a glow around the metal when there is no charge, and a lack of glow with some charge). There was also a means of probing a net to measure a voltage as well as a means to cut metal and deposit it to rework the IC.

This was over 15 years ago ... I’m sure the technology has become jaw dropping since then.

At any rate, identifying a decryption key wouldn’t be too difficult if you know where to look on the die. Depending on the “glow” around the net, you could determine the 1s or 0s. You also need to determine the order ... some snooping around and reverse engineering will let you know that order in relatively little time.


27 posted on 03/31/2016 11:02:16 AM PDT by edh (I need a better tagline)


To: edh
I think they need to take possession of the phone before they can decrypt it. It has to involve some kind of hardware hack. I don’t think iPhone users need to worry about some random exploit that anyone can use.

They never did. All of that was Apple FearMongering just to get their own way.

34 posted on 03/31/2016 11:13:35 AM PDT by DiogenesLamp ("of parents owing allegiance to no other sovereignty.")

To: edh

“I suspect the FBI’s way of accessing these phones isn’t something someone can do via software. I think they need to take possession of the phone before they can decrypt it.”

And bear in mind, this was on a 5c phone. Not on the latest version with the 6 digit code and much tougher encryption. The simpleton likely had a very easy code to guess.
A tough password, on the latest system, would have probably put it out of reach for millions of years. Actually more than that by far. But let the feds spike the publicity ball and pretend they won.

This was actually a big win for Apple, and this was the government's face saving measure.


40 posted on 03/31/2016 11:22:14 AM PDT by DesertRhino ("I want those feeble minded asses overthrown,,,)

To: edh

Interesting. Well above my pay grade, but interesting nonetheless. d:^)


49 posted on 03/31/2016 11:58:44 AM PDT by CopperTop

To: edh
I suspect the FBI’s way of accessing these phones isn’t something someone can do via software. I think they need to take possession of the phone before they can decrypt it. It has to involve some kind of hardware hack. I don’t think iPhone users need to worry about some random exploit that anyone can use.

Laying aside your mild ad hominem, which I will choose to ignore, let's look at your very good comment.

First of all, the iPhone 5C does not have a fingerprint reader, so that was not a method that could have worked. . . and even if it had one, the iPhone had been turned off when they found it. Any time an iPhone with a fingerprint reader has been turned off, the system's passcode is required to be input before the fingerprint reader will again be usable. Other lockouts are the passage of 48 hours between fingerprint or passcode access or any upgrade to the OS or change in anything in the Secure Boot chain.

My guess is that they identified where the decryption key resides on the die of the CPU ... they can figure out the zeros and ones they need using a focused ion beam setup that’s used for integrated circuit debugging and decrypt storage that way.

You are correct, except for one thing. There is no Encryption Key kept on the iPhone. Apple does not make it so simple.

Several weeks ago on FreeRepublic I described a technique that could possibly work to hack into an A6 iOS device.

This was an Apple iPhone 5C, which uses an A6 processor which is nowhere near as secure as the later A7, A8, and A9 series of processors which use a Secure Element sub-processor system for securing the devices. Instead, the A6 has an area inside the processor chip which also has a sub-processor in it called the Encryption Engine. This area of the processor is inaccessible by the A6's data processor or RAM. Inside the Encryption Engine there are several algorithms dedicated to the security of the iOS device and to encryption/decryption of the data. Also there is an EEPROM area which can only be written to or read by the limited function sub-processor inside the Encryption Engine.

This area of the A6 was designed to be unreadable by anything running in RAM or by an external hardware probe to make it as opaque as possible to any hacker.

Stored inside the Encryption Engine from the time of manufacture of the A6 chip are a Unique Device ID (UDID) which is not recorded anywhere and a Group Device ID (GID) which is the same for all devices of that model.

One of the algorithms kept inside the Encryption Engine uses the user's passcode, of whatever number of digits or alphanumeric characters, to create a unique one-way hash which is then stored on the EEPROM. Another algorithm creates a truly entropic random number by reading the camera, microphone, and accelerometer (and perhaps a fourth sensor) at the moment the user inputs his/her passcode for the first time, using those data as a seed, and stores that result on the EEPROM.

This results in four discrete pieces of data being stored inside the Encryption Engine:

  1. The one-way hash.
  2. The UDID unique to the device.
  3. The GID shared by all devices of that model.
  4. An entropic Random number.

The way the system works is that the one-way hash is calculated anew every time a user inputs his/her passcode. That newly created one-way hash is compared to the one inside the Encryption Engine by the sub-processor. If the match is made, then another algorithm in the Encryption Engine reconstructs the Encryption Key by entangling the user's passcode with items 2, 3, and 4 stored in the Encryption Engine to make a large, complex 256 bit AES encryption KEY which will allow the data on the FLASH storage to be encrypted/decrypted as needed. Thus, the

For the purposes of breaking into the subject iPhone, we need to learn just two things:

  1. The hidden Algorithm that creates the one-way hash from the user's passcode.
  2. The particular one-way hash on the Terrorist's iPhone 5C.

The rest of the data inside the Encryption Engine is irrelevant for our purposes, but we have to be extremely careful to not damage ANY of the data because without all of it, the iPhone is just a brick.

Focussed Ion beam and Electron Microscopy techniques have been used to read data from ICs in the past. However, their accuracy is suspect and, at the small scale of these more modern chips, problematic. The other problem is that these techniques are a one shot deal. They are destructive of volatile memory. Bathing volatile memory with an electron beam or ionic stream of energetic charged particles WILL affect the charged nature of the target, altering that target's data.

That cannot be allowed to happen when you have to use that target to unlock the device.

I suggested that a reflective optical laser method of some kind could work to non-destructively read the EEPROM and trace the silicon of the Encryption Engine inside the A6. This would allow them to reverse engineer the one-way hash algorithm and also read the specific one-way hash that exists on this particular iPhone 5C.

Since they know that the iPhone requests a four digit passcode, there are only 10,000 possible combinations from 0,0,0,0 to 9,9,9,9; running the algorithm, it is an easy task to construct a database of all possible passcodes and their matching one-way hashes. Compare the database to the one found in the subject iPhone 5C from the Terrorists, and you have the passcode. Voilà!

Input that four digit passcode, and Farouk's iPhone 5C Work phone is unlocked. Done.

I have no doubt that this, or a slight modification of this, was the way that Cellebrite hardware hacked into the iPhone. It is neither easy, nor cheap to do, and requires a specialized set of equipment and skills.

81 posted on 03/31/2016 5:05:48 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)
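The lookup-table idea in Swordmaker's post, modelled as an added example (not code from the post and not Apple's actual key derivation): a stand-in hash (SHA-256, an assumption) of every four-digit passcode is precomputed, then matched against the stored verifier. The same script shows why a verifier keyed with a per-device secret (standing in for the post's item 2, the UDID) defeats an off-device table, and how the passcode space grows with length, the point DesertRhino raises. All secrets and passcodes are constructed values.

```python
import hashlib
import hmac

# Stand-in for the post's "hidden algorithm": plain SHA-256 of the passcode.
# This is an assumption for illustration, not Apple's actual key derivation.
def passcode_hash(passcode: str) -> bytes:
    return hashlib.sha256(passcode.encode()).digest()

# Device-bound variant: the verifier is keyed with a per-device secret
# (standing in for the post's item 2, the UDID, which never leaves the chip).
# Without that secret, no off-device table can be computed.
def device_bound_hash(passcode: str, device_secret: bytes) -> bytes:
    return hmac.new(device_secret, passcode.encode(), hashlib.sha256).digest()

def numeric_passcodes(digits: int):
    """Every zero-padded numeric passcode of the given length."""
    return (f"{n:0{digits}d}" for n in range(10 ** digits))

def build_table(hash_fn, digits: int = 4) -> dict:
    """The post's database: verifier value -> passcode for all numeric passcodes."""
    return {hash_fn(p): p for p in numeric_passcodes(digits)}

def recover_passcode(stored_hash: bytes, table: dict):
    """Return the passcode whose verifier matches, or None if the table has no entry."""
    return table.get(stored_hash)

def passcode_space(length: int, alphabet_size: int) -> int:
    """Number of candidates an attacker must cover to exhaust the passcode space."""
    return alphabet_size ** length

# Constructed values for the demonstration (not from any real device).
DEVICE_SECRET = b"constructed-per-device-secret-not-a-real-UDID"
VICTIM_PASSCODE = "4829"

def demo():
    table = build_table(passcode_hash)  # 10,000 entries, built in well under a second
    plain = recover_passcode(passcode_hash(VICTIM_PASSCODE), table)
    # The same table against a device-bound verifier finds nothing, because the
    # table was computed without the device secret.
    bound = recover_passcode(device_bound_hash(VICTIM_PASSCODE, DEVICE_SECRET), table)
    return plain, bound, passcode_space(4, 10), passcode_space(6, 10)

if __name__ == "__main__":
    print(demo())  # ('4829', None, 10000, 1000000)
```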


