Hardware Hack Bypasses iPhone PIN Security Counter


A security researcher from the University of Cambridge has found a way to hack the iPhone's NAND memory hardware to bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI in the highly publicized privacy case in which it demanded that Apple create a workaround so it could access the phone of the San Bernardino shooter. Apple refused on ethical grounds and a media frenzy ensued. Ultimately, the FBI dropped the legal case against Apple and reportedly paid $1 million to an unknown security company, which successfully unlocked the phone.

Recently a security researcher wrote a paper and then built a hacking rig to do the same, for about $100. The iPhone 5C security control in question limits the number of attempts to enter an unlock PIN. After so many attempts, the phone waits for a long period of time before another attempt is allowed. After 10 attempts the device permanently deletes the encryption keys, and all the data on the phone becomes irretrievable. This is controlled in the firmware and hardware of the device. It prevents a brute-force attack, which is designed to try all combinations. A four-digit PIN has 10,000 possible combinations, from 0000 to 9999. Trying even a small number of them will quickly lock the phone and ultimately render the data unrecoverable.

What the researcher did was create a cloned NAND memory chip under his control to replace the one embedded in the iPhone. It would reset the counter after every PIN attempt. With the process automated, a brute-force attack was successfully conducted. Even with such a rudimentary system, a four-digit code was cracked in about 40 hours. With a more powerful system, it could be done much faster.
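The design lesson in the paragraphs above is that an attempt limit only holds if its counter cannot be rolled back. The following toy model is an added example, not code from the researcher's paper or from Apple; the `Phone` class, its two state stores and the helper name are assumptions made for illustration.

```python
import copy

MAX_ATTEMPTS = 10  # per the article: keys are deleted after 10 attempts

class Phone:
    """Toy model of a PIN check with a failed-attempt counter (assumed layout).

    rollback_protected=False keeps the counter in external storage (self.nand),
    which can be copied and written back. True keeps it in a separate store
    that restoring the external storage does not touch.
    """
    def __init__(self, pin, rollback_protected):
        self._pin = pin
        self.nand = {"failed": 0, "wiped": False}     # external, clonable
        self._secure = {"failed": 0, "wiped": False}  # unaffected by NAND restore
        self.rollback_protected = rollback_protected

    def _state(self):
        return self._secure if self.rollback_protected else self.nand

    def try_pin(self, guess):
        st = self._state()
        if st["wiped"]:
            return "wiped"
        if guess == self._pin:
            st["failed"] = 0
            return "unlocked"
        st["failed"] += 1
        if st["failed"] >= MAX_ATTEMPTS:
            st["wiped"] = True  # models deletion of the encryption keys
            return "wiped"
        return "denied"

def wrong_guesses_until_wipe(phone, rollback, limit=10_000):
    """Design check: submit wrong guesses, optionally restoring the external
    storage snapshot after each one. Returns the attempt number at which the
    wipe fired, or None if the limit was never enforced."""
    snapshot = copy.deepcopy(phone.nand)
    for n in range(1, limit + 1):
        if phone.try_pin("not-the-pin") == "wiped":
            return n
        if rollback:
            phone.nand = copy.deepcopy(snapshot)
    return None

if __name__ == "__main__":
    for protected in (False, True):
        result = wrong_guesses_until_wipe(Phone("4821", protected), rollback=True)
        print(f"rollback_protected={protected}: wipe at attempt {result}")
```

With the counter in restorable storage the wipe never fires, while the protected variant wipes at the tenth wrong guess regardless of what is written back to external storage.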

Let there be no doubt, hardware is the final frontier in cybersecurity. Hacking hardware can bypass all software-based controls. On the other hand, leveraging hardware for security makes every attack visible and presents the toughest barriers for attackers to overcome. It is the final battlefield.

In this case, it took a savvy security researcher and very little money to prove that the manipulation of hardware is a powerful force in unlocking even the most secure smartphones. Moving forward, it is in the best interest of manufacturers, businesses, consumers, and agencies to better understand the nuances of how hardware, firmware, and software security controls work.

Hardware-based security and hacking is the future of cybersecurity. The only question is who will take the high ground first, the attackers or defenders?

More exploration is being done by hackers, nation states, and ethical researchers to find exploitable vulnerabilities in both firmware and hardware. On the other hand, hardware designers and manufacturers are also now adding new features to make devices more resistant to compromise and give security software better capabilities. Apple specifically is updating their hardware, firmware, and operating system architectures to be more secure. The race is on!

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Cybersecurity Strategist and CISO specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security
