30 Mar 2016

How did the FBI unlock killer's phone?

10:21 am on 30 March 2016

The FBI has finally broken into the iPhone 5C used by San Bernardino shooter Syed Rizwan Farook after getting help from an unnamed "third party".

Hack

Photo: 123RF

Farook and his wife, Tashfeen Malik, killed 14 people in San Bernardino, California, last December before police fatally shot them.

The FBI had taken legal action in an attempt to force Apple to unlock the phone. Apple had fought the FBI, raising privacy issues and saying helping authorities access the phone could "could threaten the trust between Apple and its customers and substantially tarnish the Apple brand".

Syed Farook and Tashfeen Malik, as they were going through customs in Chicago's O'Hare International Airport in July 2014

Syed Farook and Tashfeen Malik Photo: AFP / US Customs and Border Protection

There is no word on which third party helped the FBI (hint: it wasn't Apple) but Christopher Soghoian, the principal technologist with the American Civil Liberties Union, suggests they could have been paid tens or hundreds of thousands of dollars for their help.

But how did they do it?

Digital forensics expert Bradley Schatz - an Adjunct Associate Professor at the Queensland University of Technology who also runs a consulting firm - said speculation has been rife in tech circles, with two possible theories proving to be the most popular.

1. They used a bug

Dr Schatz said the FBI could have taken the exploitation route - as in they loaded some foreign software onto the phone to let them in.

Bootloader bugs were more common in the early days of the iPhone, and "allowed people to run software on the phone that Apple hadn't blessed".

Those bugs were mostly ironed out by the time the iPhone 4S hit the market, but Dr Schatz said it was possible there were still some floating around.

What's the problem with this method? The bugs are closely held secrets, Dr Schatz said.

"They are very valuable and people aren't prepared to widely advertise them."

2. They copied the chip

An iPhone 5C

The FBI risked erasing the iPhone 5C's data by entering the wrong passcode. Photo: 123RF

iPhone users can opt to erase their data after the wrong passcode is entered 10 times.

This was a big concern for the FBI, as they couldn't have been sure they would be able to try more than nine passcodes without wiping the iPhone's data.

But Dr Schatz said authorities could have copied the phone's flash storage chip so they could make as many attempts as they wanted to.

This is also known as NAND mirroring - with the NAND being the flash memory.

Tech blogger Johnathan Zdziarski - an expert in iOS forensics - likened this to "kind of like cheating at Super Mario Bros with a save-game, allowing you to play the same level over and over after you keep dying".

The problem with this method was that the chip had to be soldered off the phone's motherboard and then resoldered back on, which could cause heat damage, Dr Schatz said.

Another way to use the same method would have been to copy the chip onto a flash memory emulator - a piece of hardware that would pretend to be the memory chip.

This would remove the step of having to solder a new chip onto the motherboard every time.

FBI director James Comey appeared to dismiss this method, saying he'd heard about it but "it doesn't work" - a statement with which Mr Zdziarski disagrees.

What does this mean?

At the end of the day, even Mr Zdziarski has no idea how the FBI did it. "Your guess is as good as mine," he said.

However, there are implications for your own phone's security.

"What is certain, however, is that the only reason this was possible is because Farook chose to use a weak form of security on his iOS device - namely a numeric pin," Mr Zdziarski said.

"To protect your device against both a hardware and software attack, use an alphanumeric passcode."

But Dr Schatz said iPhone users should take some comfort in how long it has taken the FBI to resolve the San Bernardino issue.

"The fact that it's taken the FBI so long to come up with a solution to this for this particular phone reflects the degree of difficulty in breaking through the security that Apple's implemented."

- ABC

Get the new RNZ app

for ad-free news and current affairs