3 other hacks FBI could use on killer's iPhone besides an Apple key
563
35Share This Story!
Let friends in your social network know what you are reading about
3 other hacks FBI could use on killer's iPhone besides an Apple key
There are at least three ways the FBI could extract information from the phone of terrorist Syed Rizwan Farook without having to ask Apple for help, hardware security experts say.
Try Another
Audio CAPTCHA
Image CAPTCHA
Help
CancelSend
Sent!
A link has been sent to your friend's email address.
Posted!
A link has been posted to your Facebook feed.
UP NEXT
03
The FBI is now asking for more iPhones to be unlocked which may support Apple CEO Tim Cook's objections to unlocking the phones. Google and Facebook are backing Apple. Time
An anti-government protester holds up his iPhone with a sign "No Entry" during a demonstration near the Apple store on Fifth Avenue in New York on February 23, 2016. Apple is battling the US government over unlocking devices in at least 10 cases in addition to its high-profile dispute involving the iPhone of one of the San Bernardino attackers, court documents show. Apple has been locked in a legal and public relations battle with the US government in the California case, where the FBI is seeking technical assistance in hacking the iPhone of Syed Farook, a US citizen, who with his Pakistani wife Tashfeen Malik in December gunned down 14 people.(Photo: JEWEL SAMAD, AFP/Getty Images)
SAN FRANCISCO – There are at least three ways the FBI could attempt to extract information from the phone of San Bernardino killer Syed Rizwan Farook without having to ask Apple for help, hardware-security experts say.
None are easy, all are expensive and time consuming, and at least two run the risk of physically destroying the phone and everything on it. But they are possible, and one is commonly used by companies that reverse-engineer computer chips in search of patent infringements.
Given the resources, "it’s almost always technically possible to reverse-engineer a product,” said Julia Elvidge, president of Chipworks, a Canadian company that does patent analytics and forensics.
THREE HACKS
One method uses minute changes in power consumption and radio frequency as a phone is powered on and off. This aids in guessing the passcode.
A second resets the phone's counter so that after each attempt to unlock it, the security feature's internal counter is turned back to 1, fooling the phone into believing multiple attempts to unlock it have not been made.
The most invasive involves taking apart the chip where the cryptographic keys are stored so they can be read with an electronic scanning microscope.
All are much easier said than done, say experts. The main limitations are their cost and time, "and if you mess up, you destroy the chip," said Paul Kocher, president of Cryptography Research, a division of security firm Rambus which works on security for semiconductors, chips and IP products
COURT FIGHT
Law enforcement could find these alternatives necessary if courts eventually rule that Apple is not required to create a new operating system, or what it terms a back door, to get around a security feature in recent iPhones that automatically erases the data on the device if someone tries to hack its ID passcode.
The FBI, in a case that's playing out in public as well as the legal system, argues that it has no other alternative to access the information on the iPhone 5C used by Farook.
Apple has said such software would be "too dangerous to create"[1] and that the existence of such software would expose its customers to greater risk of attack. Apple would not comment on other methods but in an open letter[2] to customers did say it has made Apple engineers available to advise the FBI and "offered our best ideas on a number of investigative options at their disposal."
The alternatives all focus on breaching the physical phone, a risky tactic that nonetheless has been deployed in multiple cases. For example, Chipworks helped the Canadian Transportation Safety Board read a chip from the flight control computer recovered from Swiss Air 111 crash, Elvidge said.
Because the work is so precise and difficult, the absolute first step would be to go on eBay and buy dozens of the exact same phone to practice on, said Kocher. That would allow security workers to hone their techniques before actually beginning work on Farook’s phone.
DELAYERING
The chip attack is the most physically challenging. It involves actually shaving down the computer chips within the phone to get at the layer where the cryptographic key is stored.
First the chip where the key is stored has to be found. Kocher suggests this could be done by reviewing the configuration on similar phones, probably destroying them in the process. Or the FBI might reach out to other national security agencies that likely have this expertise.
Another option would be to talk with companies that specialize in reverse-engineering chips to check for patent infringement. These companies would likely know where, in general, to look on an iPhone 5C for the codes, said Sergei Skorobogatov, a senior researcher and expert on hardware security analysis at Cambridge University in the United Kingdom.
Once a chip was chosen, it would be removed from the phone and polished down, micrometer by micrometer layer, in a procedure called de-processing. The device that does this is called a lapping machine.
As the layers of silicon are removed, the chip's transistors, as many as ten layers of them, are revealed, Skorobogatov said.
Once in view, the transistors would then be read with a scanning electron microscope. At this level, it’s sometimes possible to actually see which transistors are burned on or off, then use software to reconstruct the binary data those on and off's represent, to find the key, Skorobogatov said.
Or the circuitry itself could be changed using a focused ion beam to either convince the chip to go into test mode or get it to dump its memory, giving up any codes that might be on it, Elvidge said.
Skorobogatov has done this form of data extraction himself.
“Some time ago we helped one of E.U. government agencies develop a way for accessing on-chip data. They needed that for a car theft investigation but the car manufacturer refused to cooperate,” he said.
Although his team at Cambridge couldn’t extract the actual data as they didn’t have clearance to do so, “we performed the security research and provided full training for their engineers so that they could repeat the technique themselves.”
FBI DOCUMENTS
It's unknown if the FBI has tried any of these alternate techniques. The agency has declined to elaborate publicly on what steps examiners have taken, short of demanding Apple's assistance.
In court documents filed last week supporting the Justice Department's request, Christopher Pluhar, an FBI computer forensic examiner who is involved in the investigation, said only that he had "explored other means of obtaining this information with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the…device.’’
Some have argued that the FBI would not want to actually take the chips apart to find code keys stored on them because it would also destroy the evidence. However there’s no legal reason to reject a method of data recovery because it would result in the destruction of the chip, as long as it didn't damage the data on the chip, said Stanley Goldman, a law professor and expert on criminal evidence at Loyola Law School in Los Angeles.
“It happens all the time when blood or DNA samples are destroyed during testing. There are tons of cases out there in which the government has been forced to use up evidence,” Goldman said.
A stronger argument would be that any recovery method which held the possibility, however small, of destroying all the data on the chip is too risky to the government's case, given that there’s a simpler way to get the information from Apple that wouldn’t be risking national security, he said.
Follow tech reporter Elizabeth Weise at @eweise. Contributing: Kevin Johnson in Washington, D.C.
Read or Share this story: http://usat.ly/1QFvmsO
0) { %> 0) { %> 0) { %>
563
35Share This Story!
Let friends in your social network know what you are reading about
3 other hacks FBI could use on killer's iPhone besides an Apple key
There are at least three ways the FBI could extract information from the phone of terrorist Syed Rizwan Farook without having to ask Apple for help, hardware security experts say.
Try Another
Audio CAPTCHA
Image CAPTCHA
Help
CancelSend
Sent!
A link has been sent to your friend's email address.
Posted!
A link has been posted to your Facebook feed.
UP NEXT
03
The FBI is now asking for more iPhones to be unlocked which may support Apple CEO Tim Cook's objections to unlocking the phones. Google and Facebook are backing Apple. Time
An anti-government protester holds up his iPhone with a sign "No Entry" during a demonstration near the Apple store on Fifth Avenue in New York on February 23, 2016. Apple is battling the US government over unlocking devices in at least 10 cases in addition to its high-profile dispute involving the iPhone of one of the San Bernardino attackers, court documents show. Apple has been locked in a legal and public relations battle with the US government in the California case, where the FBI is seeking technical assistance in hacking the iPhone of Syed Farook, a US citizen, who with his Pakistani wife Tashfeen Malik in December gunned down 14 people.(Photo: JEWEL SAMAD, AFP/Getty Images)
SAN FRANCISCO – There are at least three ways the FBI could attempt to extract information from the phone of San Bernardino killer Syed Rizwan Farook without having to ask Apple for help, hardware-security experts say.
None are easy, all are expensive and time consuming, and at least two run the risk of physically destroying the phone and everything on it. But they are possible, and one is commonly used by companies that reverse-engineer computer chips in search of patent infringements.
Given the resources, "it’s almost always technically possible to reverse-engineer a product,” said Julia Elvidge, president of Chipworks, a Canadian company that does patent analytics and forensics.
THREE HACKS
One method uses minute changes in power consumption and radio frequency as a phone is powered on and off. This aids in guessing the passcode.
A second resets the phone's counter so that after each attempt to unlock it, the security feature's internal counter is turned back to 1, fooling the phone into believing multiple attempts to unlock it have not been made.
The most invasive involves taking apart the chip where the cryptographic keys are stored so they can be read with an electronic scanning microscope.
All are much easier said than done, say experts. The main limitations are their cost and time, "and if you mess up, you destroy the chip," said Paul Kocher, president of Cryptography Research, a division of security firm Rambus which works on security for semiconductors, chips and IP products
COURT FIGHT
Law enforcement could find these alternatives necessary if courts eventually rule that Apple is not required to create a new operating system, or what it terms a back door, to get around a security feature in recent iPhones that automatically erases the data on the device if someone tries to hack its ID passcode.
The FBI, in a case that's playing out in public as well as the legal system, argues that it has no other alternative to access the information on the iPhone 5C used by Farook.
Apple has said such software would be "too dangerous to create"[3] and that the existence of such software would expose its customers to greater risk of attack. Apple would not comment on other methods but in an open letter[4] to customers did say it has made Apple engineers available to advise the FBI and "offered our best ideas on a number of investigative options at their disposal."
The alternatives all focus on breaching the physical phone, a risky tactic that nonetheless has been deployed in multiple cases. For example, Chipworks helped the Canadian Transportation Safety Board read a chip from the flight control computer recovered from Swiss Air 111 crash, Elvidge said.
Because the work is so precise and difficult, the absolute first step would be to go on eBay and buy dozens of the exact same phone to practice on, said Kocher. That would allow security workers to hone their techniques before actually beginning work on Farook’s phone.
DELAYERING
The chip attack is the most physically challenging. It involves actually shaving down the computer chips within the phone to get at the layer where the cryptographic key is stored.
First the chip where the key is stored has to be found. Kocher suggests this could be done by reviewing the configuration on similar phones, probably destroying them in the process. Or the FBI might reach out to other national security agencies that likely have this expertise.
Another option would be to talk with companies that specialize in reverse-engineering chips to check for patent infringement. These companies would likely know where, in general, to look on an iPhone 5C for the codes, said Sergei Skorobogatov, a senior researcher and expert on hardware security analysis at Cambridge University in the United Kingdom.
Once a chip was chosen, it would be removed from the phone and polished down, micrometer by micrometer layer, in a procedure called de-processing. The device that does this is called a lapping machine.
As the layers of silicon are removed, the chip's transistors, as many as ten layers of them, are revealed, Skorobogatov said.
Once in view, the transistors would then be read with a scanning electron microscope. At this level, it’s sometimes possible to actually see which transistors are burned on or off, then use software to reconstruct the binary data those on and off's represent, to find the key, Skorobogatov said.
Or the circuitry itself could be changed using a focused ion beam to either convince the chip to go into test mode or get it to dump its memory, giving up any codes that might be on it, Elvidge said.
Skorobogatov has done this form of data extraction himself.
“Some time ago we helped one of E.U. government agencies develop a way for accessing on-chip data. They needed that for a car theft investigation but the car manufacturer refused to cooperate,” he said.
Although his team at Cambridge couldn’t extract the actual data as they didn’t have clearance to do so, “we performed the security research and provided full training for their engineers so that they could repeat the technique themselves.”
FBI DOCUMENTS
It's unknown if the FBI has tried any of these alternate techniques. The agency has declined to elaborate publicly on what steps examiners have taken, short of demanding Apple's assistance.
In court documents filed last week supporting the Justice Department's request, Christopher Pluhar, an FBI computer forensic examiner who is involved in the investigation, said only that he had "explored other means of obtaining this information with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the…device.’’
Some have argued that the FBI would not want to actually take the chips apart to find code keys stored on them because it would also destroy the evidence. However there’s no legal reason to reject a method of data recovery because it would result in the destruction of the chip, as long as it didn't damage the data on the chip, said Stanley Goldman, a law professor and expert on criminal evidence at Loyola Law School in Los Angeles.
“It happens all the time when blood or DNA samples are destroyed during testing. There are tons of cases out there in which the government has been forced to use up evidence,” Goldman said.
A stronger argument would be that any recovery method which held the possibility, however small, of destroying all the data on the chip is too risky to the government's case, given that there’s a simpler way to get the information from Apple that wouldn’t be risking national security, he said.
Follow tech reporter Elizabeth Weise at @eweise. Contributing: Kevin Johnson in Washington, D.C.
Read or Share this story: http://usat.ly/1QFvmsO
0) { %> 0) { %> 0) { %>
References
- ^ software would be "too dangerous to create" (rssfeeds.usatoday.com)
- ^ letter (www.apple.com)
- ^ software would be "too dangerous to create" (rssfeeds.usatoday.com)
- ^ letter (www.apple.com)