IPhone 5c NAND mirroring

Post Posted: Thu Sep 15, 2016 1:44 pm

Article by Sergei Skorobogatov:
arxiv.org/abs/1609.04327

This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c. Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection. Also some reliability issues related to the NAND memory allocation in iPhone 5c are revealed. Some future research directions are outlined in this paper and several possible countermeasures are suggested. We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised.



jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: IPhone 5c NAND mirroring

Post Posted: Thu Sep 15, 2016 1:53 pm

Thanks
_________________
Computer, Cell Phone & Chip-Off Forensics

linkedin.com/in/igormikhaylovcf 

Igor_Michailov
Senior Member
 
 
  

Re: IPhone 5c NAND mirroring

Post Posted: Tue Sep 20, 2016 8:23 am

I have read the PDF, so long and so exciting, impossible.
But why did the author Sergei Skorobogatov choose the iPhone 5c to test, not the iPhone 5s or 6?
Is a 64-bit CPU iPhone impossible to wire or mirror the NAND chip?
Any idea? Thank you.

LANGWONDE
Member
 
 
  

Re: IPhone 5c NAND mirroring

Post Posted: Tue Sep 20, 2016 8:54 am

- LANGWONDE
I have read the PDF, so long and so exciting, impossible.
But why did the author Sergei Skorobogatov choose the iPhone 5c to test, not the iPhone 5s or 6?
Is a 64-bit CPU iPhone impossible to wire or mirror the NAND chip?
Any idea? Thank you.

The 5c is the model made famous by the San Bernardino case and specifically said (by the FBI) to be impossible to unlock via NAND mirroring.
It uses an A6; later models use an A7 and have the "secure enclave", which may well prove to be actually impossible to unlock with NAND mirroring methods, unless much further understanding of the way the data is stored (and encoded and checksummed) is achieved.
As a matter of fact, the author was not able to have the experiment work with a "full" NAND mirroring; he was able to identify a specific area of the NAND that could be mirrored and restored without issues.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
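To make the mechanism behind the abstract in the first post and jaclaz's reply above concrete, here is an added model (not code from Skorobogatov's paper and not from anyone on this thread) of why copying the NAND region that holds the retry counter and writing it back before the wipe threshold defeats the attempt limit. The paper copies the real chip over its Flash bus with the NAND desoldered; this model replaces the chip with a bytearray and the phone with a small class. The wipe threshold (10 failures), the counter's page index, the 4-digit passcode space and the secret "7392" are all constructed assumptions. The third scenario, a counter kept in storage the external mirror never reaches, is my illustration of the outcome jaclaz expects for secure-enclave models; the thread only states that expectation, not how those devices actually store the counter.

```python
"""Model of a NAND-mirroring attack on a passcode retry counter (added example)."""
import hashlib

WIPE_AFTER = 10        # assumed: device destroys its keys after this many failures
COUNTER_PAGE = 0x40    # assumed: NAND page holding the retry counter
PAGE_SIZE = 16         # assumed: tiny pages, enough for a one-byte counter


class NandChip:
    """External Flash as the attacker sees it once it is off the board:
    pages that can be read (mirrored) and written (restored)."""

    def __init__(self, pages=256):
        self.data = bytearray(pages * PAGE_SIZE)

    def read_page(self, idx):
        off = idx * PAGE_SIZE
        return bytes(self.data[off:off + PAGE_SIZE])

    def write_page(self, idx, buf):
        assert len(buf) == PAGE_SIZE
        off = idx * PAGE_SIZE
        self.data[off:off + PAGE_SIZE] = buf


class Phone:
    """Passcode check plus retry counter. counter_in_nand=True keeps the counter
    in the external NAND (the 5c case in the paper); False keeps it in storage
    inside the SoC that the mirror never touches (assumed enclave-style case)."""

    def __init__(self, passcode, nand, counter_in_nand=True):
        self.nand = nand
        self.counter_in_nand = counter_in_nand
        self._internal_counter = 0
        self.wiped = False
        # Real devices use a slow, hardware-bound key derivation; a plain hash
        # is enough here because the counter, not the KDF, is the point.
        self._check = self._digest(passcode)
        self._write_counter(0)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(b"model-salt" + code.encode()).digest()

    def _read_counter(self):
        if self.counter_in_nand:
            return self.nand.read_page(COUNTER_PAGE)[0]
        return self._internal_counter

    def _write_counter(self, n):
        if self.counter_in_nand:
            page = bytearray(PAGE_SIZE)
            page[0] = n
            self.nand.write_page(COUNTER_PAGE, page)
        else:
            self._internal_counter = n

    def try_passcode(self, candidate):
        """One attempt at the lock screen; True on success."""
        if self.wiped:
            return False
        if self._digest(candidate) == self._check:
            self._write_counter(0)
            return True
        n = self._read_counter() + 1
        self._write_counter(n)
        if n >= WIPE_AFTER:
            self.wiped = True   # keys gone; nothing further can succeed
        return False


def brute_force(phone, candidates, mirror_pages=None):
    """Try candidates in order. With mirror_pages set, snapshot those NAND pages
    first and write them back before the counter can reach WIPE_AFTER.
    Returns (passcode_or_None, attempts_made, restores_done)."""
    backup = {p: phone.nand.read_page(p) for p in (mirror_pages or [])}
    attempts = restores = 0
    for candidate in candidates:
        if phone.wiped:
            break
        attempts += 1
        if phone.try_passcode(candidate):
            return candidate, attempts, restores
        if backup and attempts % (WIPE_AFTER - 1) == 0:
            # In the real attack this is: power off, put the mirrored image
            # back on the NAND, power on. Here it is a page write.
            for page, image in backup.items():
                phone.nand.write_page(page, image)
            restores += 1
    return None, attempts, restores


def four_digit_space():
    return ["%04d" % i for i in range(10000)]


def run_scenarios(secret="7392"):
    """Constructed secret, three runs: no mirroring, mirroring with the counter
    in NAND, and mirroring against a counter the mirror cannot reach."""
    return {
        "no_mirror": brute_force(Phone(secret, NandChip()), four_digit_space()),
        "mirror_nand_counter": brute_force(
            Phone(secret, NandChip()), four_digit_space(), [COUNTER_PAGE]),
        "mirror_internal_counter": brute_force(
            Phone(secret, NandChip(), counter_in_nand=False),
            four_digit_space(), [COUNTER_PAGE]),
    }


if __name__ == "__main__":
    for name, (found, tries, restores) in run_scenarios().items():
        print("%-24s found=%s attempts=%d restores=%d" % (name, found, tries, restores))
```

The first run stops dead after ten failures; the second walks the whole 4-digit space, rewriting the counter page every nine attempts, and recovers the constructed passcode; the third restores the NAND page just the same but the counter it needs to reset is not on the chip, so the device wipes on schedule. That last run is the modelled version of the point made about later models, not a claim about how those devices are built. Note that the model also restores only one page, mirroring what jaclaz says the author found: the working attack copied a specific area, not the full chip.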
 
 
  

Re: IPhone 5c NAND mirroring

Post Posted: Tue Sep 20, 2016 3:28 pm

If my knowledge of iPhone forensics is clear, then performing this type of attack on a newer device with a secure enclave will be a completely different story and perhaps not even applicable.

This is a great but too late discovery - 6 months after the FBI paid 7 figures to another company, and 3 years after Apple started releasing intrinsically different models with a secure enclave.  

wotsits
Senior Member
 
 
  

Re: IPhone 5c NAND mirroring

Post Posted: Wed Sep 21, 2016 7:16 pm

- wotsits
This is a great but too late discovery - 6 months after the FBI paid 7 figures to another company, and 3 years after Apple started releasing intrinsically different models with a secure enclave.


LE is commonly seeing old devices, so even research on old devices/OSs/software etc. is still quite useful.
Investigations can take several years, so imagine a suspect was picked up a couple of years ago and his 5c was locked; now, with some work (provided you have the understanding), you can get access to the data.

randomaccess
Senior Member
 
 
  

Re: IPhone 5c NAND mirroring

Post Posted: Thu Sep 22, 2016 5:29 am

I've read the article; technically it is possible to mirror some of the NAND content. Still, I have a question (also based on jaclaz's previous comment):

Is it possible to use this technology for creating a copy of non-"secure-enclave" iPhones and brute-forcing the passcode of it, or not?!
_________________
Passcodeunlock - mobile/tablet screen unlocking
passcodeunlock.com 

passcodeunlock
Senior Member
 
 
Page 1 of 2