How could Apple help bypass an iPhone PIN?
This week BBC News reported that Apple would not help the FBI bypass the PIN on one of their phones.
The FBI has apparently asked Apple to create two assistive technologies:
“Firstly, it wants the company to alter Farook’s iPhone so that investigators can make unlimited attempts at the passcode without the risk of erasing the data.
Secondly, it wants Apple to help implement a way to rapidly try different passcode combinations, to save tapping in each one manually.”
Ignoring who is right or wrong in this matter – these are not uncommon requests – I’ve been asked by various governments and “three letter agencies” in the past to do exactly the same thing, which I too have politely declined.
Reading between the lines, the FBI's request amounts to an admission that the cryptography inside the iPhone is robust and correctly implemented, and that the FBI knows of no back door that would give it access to the data without Apple's help.
So we can assume that the FBI cannot normally access data stored on a locked iPhone. What help can Apple give?
All password systems are vulnerable to guessing attacks, and as the BBC article mentions, a 4 digit PIN has only 10,000 possible values. Even tapping one in every couple of seconds, trying EVERY code takes less than 6 hours; on average you find it in half that, and sooner still if you order the guesses by likelihood (codes starting with, say, 1 first) and guess well.
If the passcode is 8 digits there are 100,000,000 combinations. At one guess every 2 seconds that is roughly 2,300 days, well over six years of tapping.
This makes the FBI's request that Apple devise a way to enter codes without using the screen more understandable. We're pretty sure the touchscreen on the iPhone reports touch coordinates to the processor over a ribbon cable, so tapping into that link and injecting "fake touches" into the stream would not seem complex.
I would expect this goal of the FBI, entering codes without physically touching the screen, to be technically achievable.
As for their other request, removing the limit on incorrect PIN entries: most authentication systems lock themselves after a few wrong attempts, and devices that encrypt their storage usually go further and erase the cryptographic key material, so that further attempts are pointless. The mechanism exists precisely to stop people guessing your password.
Such a system is built so that it does not say "you can't try again"; it says "there's no point trying again".
An analogy would be trying to guess a combination bicycle lock where, after 10 tries, the bicycle disappears. It's that permanent. These systems are designed to completely and irrevocably erase the data you're asking for, to make further guessing pointless.
The FBI's request that Apple modify the phone to disable this self-destruct feature then becomes obvious, given that after 10 attempts or so the target phone is going to erase exactly the data they are trying so hard to obtain.
Whether that is possible depends on how Apple implemented the feature in the 5c. There are two usual ways: in software, or with hardware assistance.
In the software option the lockout logic and its attempt counter are simply stored somewhere accessible: on a PC, on the user's hard disk; on a phone, in the same flash memory that holds the OS.
Stored like that, the counter is vulnerable: anyone who can rewrite that storage can patch out the check, or just reset the count before each guess. Sure, you have to reverse engineer the code first, but that is "minion work", well within the means of experienced programmers.
If the iPhone 5c implements the counter in software, then anyone who can install a new version of the OS on the locked phone can bypass the guessing limit.
To stop attackers disabling the attempt counter, hardware-assisted methods exist, and the most common example is the PIN on your credit card. There is still software counting the attempts, but it runs inside the tiny chip on the card, and getting at that software is formidably difficult: you can't just read and modify it, because it is stored in a tamper-resistant way. You would have to delicately take the plastic card apart to reach the chip, chemically etch the metal or epoxy package off it (decapping), and then work at the level of individual transistors, against a design built specifically to thwart you.
Chip-level reverse engineering is close to magic. There are companies who specialise in it, for investigations or to recreate obsolete silicon, but chip manufacturers know this and design in features that make such reverse engineering extremely difficult, or even impossible.
And in this case we would not only need to read the on-chip software, we would need to modify it, something I have never heard of being done.
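The contrast between the two designs above (a counter the OS can rewrite versus one sealed inside a chip) is easy to model. The following is an added example, not code from the original post or from Apple: a toy PIN-protected device whose attempt counter lives either in a publicly writable `flash` dict or inside a closure that exposes nothing but `try_pin()`. The class and function names, the PBKDF2 key derivation, the 10-attempt wipe threshold and the sample PINs are all assumptions made for the demo. It also carries the tapping arithmetic from earlier in the post through a small helper.

```python
# Added example (not from the original post): a toy PIN-protected device
# modelled two ways, with the attempt counter in rewritable flash and with the
# counter sealed inside a "secure element" that exposes only try_pin().
# All names and parameters are hypothetical; the KDF iteration count is kept
# tiny so the demo runs in well under a second.
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10      # wipe the verifier after this many wrong guesses
KDF_ITERATIONS = 100   # real devices use far more; reduced for the demo


def derive_key(pin: str, salt: bytes) -> bytes:
    """PIN -> key via PBKDF2 (hypothetical KDF; a real phone also mixes in a per-chip secret)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


def new_state(pin: str) -> dict:
    """Everything the lock-screen logic needs: salt, verifier and the counter."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_key(pin, salt), "attempts": 0}


def attempt(state: dict, pin: str):
    """One guess. Returns the unlocked key, or None on failure / after a wipe."""
    if state["verifier"] is None:
        return None                      # already wiped: "no point trying again"
    candidate = derive_key(pin, state["salt"])
    if hmac.compare_digest(candidate, state["verifier"]):
        state["attempts"] = 0
        return candidate
    state["attempts"] += 1
    if state["attempts"] >= MAX_ATTEMPTS:
        state["verifier"] = None         # the bicycle disappears
    return None


class SoftwareCounterDevice:
    """Counter and verifier live in flash that the OS can read and rewrite."""

    def __init__(self, pin: str):
        self.flash = new_state(pin)      # public on purpose: a patched OS owns it

    def try_pin(self, pin: str):
        return attempt(self.flash, pin)


class SecureElementDevice:
    """Same logic, but the state is captured in a closure: the only interface
    to it is try_pin(), so a patched OS has nothing to overwrite."""

    def __init__(self, pin: str):
        state = new_state(pin)
        self.try_pin = lambda guess: attempt(state, guess)


def brute_force(device, reset_counter: bool):
    """Try every 4-digit PIN in order 0000..9999.
    reset_counter=True models an OS patched to zero the flash counter before
    each guess; it can only work where the counter is reachable.
    Returns (pin, guesses) on success, or (None, guesses) once the device wipes
    (if the attacker can see that) or after the whole space is exhausted."""
    guesses = 0
    for n in range(10_000):
        flash = getattr(device, "flash", None)
        if reset_counter and flash is not None:
            flash["attempts"] = 0
        guesses += 1
        if device.try_pin(f"{n:04d}") is not None:
            return f"{n:04d}", guesses
        if flash is not None and flash["verifier"] is None:
            return None, guesses         # attacker can read flash and sees the wipe
    return None, guesses


def brute_force_time_days(digits: int, seconds_per_guess: float) -> float:
    """Worst-case wall time to tap through every `digits`-digit PIN."""
    return 10 ** digits * seconds_per_guess / 86_400


if __name__ == "__main__":
    print("software counter, patched OS:", brute_force(SoftwareCounterDevice("1234"), True))
    print("software counter, stock OS:  ", brute_force(SoftwareCounterDevice("1234"), False))
    print("secure element, patched OS:  ", brute_force(SecureElementDevice("1234"), True))
    print("4 digits @2s: %.1f hours" % (brute_force_time_days(4, 2) * 24))
    print("8 digits @2s: %.0f days" % brute_force_time_days(8, 2))
```

Against the software-counter device the patched attacker walks through all 1,235 guesses needed to reach 1234 because it zeroes the counter every time; the same attacker against the stock device is wiped after 10 guesses. Against the sealed element the reset has nothing to touch, the wipe still happens after 10 wrong guesses, and the attacker cannot even observe it: it just exhausts the space with every later guess rejected.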
My conclusion, given that Apple's defence is not "we can't" but "we won't", is that they are not using hardware protection in the 5c.
Given that the OS on a locked iPhone can apparently be replaced through the recovery process, albeit only with an OS digitally signed by Apple, it seems entirely possible for Apple to build a custom version of their OS, locked to this phone's hardware identifier and signed so it can be neither modified nor used on any other physical phone, with the timeouts, the attempt counter and the PIN-entry interface changed as requested.
The only question left, is what happens if they make it?
As other writers have suggested, if they do this for the FBI they will not realistically be able to decline the same request from any other legal authority, worldwide.
And that’s the slippery slope Tim Cook seems to be trying to avoid.
On the positive side, though, I suspect the iPhone 6 models, with their Secure Enclave hardware, will be immune to this kind of attack.