Other than an Apple backdoor hack, FBI could use 3 other hacks on killer’s iPhone
According to hardware-security experts, there are at least three ways the FBI could try to remove information from the phone of San Bernardino killer Syed Rizwan Farook without asking Apple for assistance.
While neither of them are easy, as they are all time consuming and expensive, and at least two of them have the danger of physically damaging the phone and everything on it. However, one is commonly used by companies that reverse-engineer computer chips in search of patent infringements, as they are possible.
Julia Elvidge, president of Chipworks, a Canadian company that does patent analytics and forensics said that given the resources “it’s almost always technically possible to reverse-engineer a product.”
The first method uses tiny changes in radio frequency and power consumption as a phone is powered on and off. This helps in guessing the passcode.
The second method rearranges the phone’s counter so that after each attempt to unlock it, the security feature’s internal counter is turned back to 1, tricking the phone into believing multiple attempts to unlock it have not been made.
However, the third method, which is the most aggressive, involves taking apart the chip where the cryptographic keys are stored so they can be read with an electronic scanning microscope.
Experts say that all are much easier said than done. Paul Kocher, president of Cryptography Research, a division of security firm Rambus which works on security for semiconductors, chips and IP products said that the main restrictions are their cost and time, “and if you mess up, you destroy the chip.”
If courts ultimately makes the decision in favour of Apple wherein it is not required to create a back door or in other words a new operating system to get around a security feature in recent iPhones that automatically wipes out the data on the device if someone tries to hack its ID passcode, then law enforcement in such cases could find these alternatives necessary.
In a case that the FBI is playing out in public as well as the legal system, disputes that it has no other alternative to obtain information on the iPhone 5C used by Farook.
Apple has said such software would be “too dangerous to create” and that the presence of such software would pose a great threat of attack on the customers. In an open letter to customers, Apple said that it has made Apple engineers available to advise the FBI and “offered our best ideas on a number of investigative options at their disposal,” while choosing to not comment on other methods.
All the alternatives concentrate on breaching the physical phone, which is a risky method that nevertheless has been used in multiple cases. Elvidge said, for example, Chipworks helped the Canadian Transportation Safety Board read a chip from the flight control computer recovered from Swiss Air 111 crash.
Kocher said that the complete first step would be to go on eBay and buy dozens of the exact same phone to practice on, as the work is so accurate and difficult. This would let security workers to improve their methods before actually starting work on Farook’s phone.
The most physically challenging method is the chip attack. It involves getting to the layer where the cryptographic key is stored by actually shredding down the computer chips within the phone.
The first step is to find the key where it is stored. This could be done by going through the configuration on similar phones, perhaps by wiping them off in the process, recommends Kocher. Or the FBI may get in touch with other national security agencies that possibly have this expertise.
Another option would be to check for patent infringement by talking with companies that expertise in reverse-engineering chips. In general, these companies would mostly know where to look on an iPhone 5C for the codes, said Sergei Skorobogatov, a senior researcher and expert on hardware security analysis at Cambridge University in the United Kingdom.
Once a chip was chosen, it would then in a procedure called de-processing be removed from the phone and polished down, micrometer by micrometer layer. The device that carries out the process is called a lapping machine.
Skorobogatov said that as the layers of silicon are detached, the chip’s transistors, as many as ten layers of them, are disclosed.
The transistors would then be read with a scanning electron microscope once in sight. At times, at this juncture possible to basically view which transistors are burned on or off, then use software to rebuild the binary data those on and off’s signify, to locate the key, Skorobogatov said.
Or the circuitry itself could be altered using a focused ion beam to either persuade the chip to go into test mode or get it to dump its memory, giving up any codes that might be on it, Elvidge said.
This form of data extraction has been done by Skorobogatov himself.
“Some time ago we helped one of E.U. government agencies develop a way for accessing on-chip data. They needed that for a car theft investigation but the car manufacturer refused to cooperate,” he said.
Even though his team at Cambridge couldn’t remove the actual data as they didn’t have permission to do so, “we performed the security research and provided full training for their engineers so that they could repeat the technique themselves.”
It is not known if the FBI has tried any of these alternate techniques. The agency has refused to provide detailed information to the public on what measures the examiners have taken, short of demanding Apple’s assistance.
Last week, court documents supporting the Justice Department’s request were filed, Christopher Pluhar, an FBI computer forensic examiner who is involved in the investigation, said only that he had “explored other means of obtaining this information with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the…device.’’
The FBI would not basically want to take the chips apart to find code keys stored on them some argue, as it would also wipe off the proof. Stanley Goldman, a law professor and expert on criminal evidence at Loyola Law School in Los Angeles said that there is no legal reason to discard a method of data recovery since it would culminate in the destruction of the chip, as long as it did not harm the data on the chip.
“It happens all the time when blood or DNA samples are destroyed during testing. There are tons of cases out there in which the government has been forced to use up evidence,” Goldman said.
Given that there’s a simpler way to get the information from Apple that wouldn’t be putting the national security at risk, in such a scenario, a stronger argument would be that any recovery method, however small, has the capability of putting an end to all the data on the chip is too dangerous to the government’s case, said Goldman.