Apple’s ongoing feud with the US government revolves around one fundamental problem: how to unlock an iPhone 5C used by one of the San Bernardino terrorists.
The FBI is demanding that Apple build custom software to break into the phone: software that bypasses its security protocols so the agency can access the data without triggering the automatic erase that repeated failed passcode attempts would set off.
This software doesn’t exist, Apple says, and if it did, it would be a decryption tool with potentially devastating consequences. The company is settling in for what will likely be a protracted legal battle, while the FBI wants to move expeditiously. It isn’t sure what information is on the phone, and it can’t know until it gets into the device.
But is Apple really the FBI’s only option to crack the iPhone? Does it have other avenues and tools it could use to unlock the device without engaging in a legal slugfest with Apple, one it could end up losing anyway?
In other words, does it even need Apple now?
The ‘easiest’ option
I spoke with Jon Case, a mobile device security researcher who works for a security firm he couldn’t name, about what the FBI’s options are if Apple doesn’t build the custom software.
Case is not an iOS expert, though he recognizes the iPhone as “probably one of the more secure devices out there.”
As he sees it, the FBI has three options. The first is signed firmware from Apple that lets the agency access the phone by brute force (trying many passcodes until one works), which is precisely what the FBI is asking for now. There’s a reason why.
“Getting Apple to create a custom image is absolutely going to be the easiest and most foolproof route,” Case says. “Third-party forensic software may or may not work, and it may or may not cause loss of data.”
Of course, an arduous legal battle that could go to the US Supreme Court is arguably not the easiest option for the FBI in the long run. But assuming no one else has already built the software, Case says, it’s the easiest at the moment.
Build a bug
The second option is “a custom-made utility that can brute force without wiping” the phone, made possible by a boot ROM or iBoot exploit.
As Case describes it, this would take advantage of a vulnerability “super early” in the boot process, but it would likely have to be done with a bug created by the FBI, or someone else.
“Say they find a bug in how the code boots, a bug that lets you enter your own code,” he says. “If you have code in one of the early boot runners, it’s very possible for them to make their own software without having Apple find it.”
Sounds easy, but again, the bug would have to be created, and it would be extremely expensive to do so, Case says – somewhere in the high six- to seven-figure range.
What’s more likely is that someone else would create it and come to the FBI with the bug, but it’s “not something that would come up every day.”
The riskiest option
Some mobile forensics suites can crack locked devices, and Case points to a company called Cellebrite and its Universal Forensics Extraction Device (UFED) as an example of a type of third-party tool that can unlock iPhones.
However, Cellebrite’s iOS UFED User Lock Code Recovery Tool, demonstrated in the video below, only works on iOS 7. It essentially exploits a bug in the software that allows the tool to unlock the phone. The iPhone 5C in the San Bernardino case runs iOS 9, which has much stronger encryption and security measures.
YouTube : https://www.youtube.com/watch?v=AUgmnYChT48
The FBI’s riskiest option
Finally, the third option would be to physically analyze the iPhone’s memory chip and extract its UID, along with any other information needed for offline brute-forcing. However, this option is the most difficult of all and is fraught with risk.
“In theory, it’s possible to reverse engineer the device itself and get the information,” Case says. “But it’s difficult, expensive and risky. The slip of a finger, and the information is gone.”
“I don’t believe they are going to do that, even if Apple wins and isn’t forced to make [the encryption software],” he says. “They won’t go that route.”
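To make concrete why the three routes differ, here is a constructed Python model (an added example, not code from the article, from Case, or from Apple) of the two protections the article describes: the unlock key is entangled with a per-device UID that only the hardware knows, and the device erases itself after repeated wrong guesses. The names (`Device`, `online_guesses`, `offline_search`) and the use of PBKDF2 as a stand-in for the real key derivation are assumptions.

```python
import hashlib
from itertools import product
# Constructed toy model, not Apple's implementation: key = KDF(passcode, UID), UID
# never leaves the hardware; the device erases after ERASE_AFTER wrong guesses.
ITERATIONS = 500   # small so the demo is quick; real devices tune this to ~80 ms per guess
ERASE_AFTER = 10   # iOS "Erase Data" setting wipes after 10 failed attempts

def derive_key(passcode: str, uid: bytes) -> bytes:
    # PBKDF2 stands in for the device's real key-derivation function
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS, 32)

def key_check(passcode: str, uid: bytes) -> bytes:
    # Verifier stored on the device: a hash of the derived key, never the key itself
    return hashlib.sha256(derive_key(passcode, uid)).digest()

class Device:
    def __init__(self, passcode: str, uid: bytes):
        self._uid = uid                 # not readable through the normal interface
        self.check = key_check(passcode, uid)
        self.failed = 0
        self.wiped = False

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            raise RuntimeError("device erased")
        if key_check(guess, self._uid) == self.check:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= ERASE_AFTER:
            self.wiped = True           # the data loss the FBI wants the custom build to avoid
        return False

def online_guesses(device: Device, guesses) -> int:
    # Guesses the device accepts before it unlocks or erases itself
    tried = 0
    for g in guesses:
        tried += 1
        if device.try_unlock(g) or device.wiped:
            break
    return tried

def offline_search(check: bytes, uid: bytes, digits: int):
    # What extracting the UID from the chip would enable: test every code off-device
    # with no erase counter. With the wrong UID nothing matches and the result is None.
    for combo in product("0123456789", repeat=digits):
        code = "".join(combo)
        if key_check(code, uid) == check:
            return code
    return None
```

Running `online_guesses` against a device with a code outside the first ten candidates stops at 10 with the device wiped, while `offline_search` with the wrong UID exhausts the whole space without a match, which is why the UID itself is the prize in the third option.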
Speaking to the situation in general, Case says that the FBI isn’t really asking for a special version of iOS, but rather a “specialized custom part” that handles the decryption and the lockscreen. It’s “a bit of a stretch on Apple’s part” to call it a backdoor, he says, and creating it wouldn’t take a lot of work, but “it is pretty dangerous.”
“The primary reason is the precedent,” he responds when asked why it’s dangerous. “[Apple is] going to have every department in the US asking for unlocked phones. Other countries are going to ask for it, too. It’s not going to stop at one phone. It’s going to put people at risk and data at risk. We know forensic devices have been abused by law enforcement in the past. If they let it go wild, it’s going to get abused.”
“They can destroy the software they create,” he continues, “but somebody else is coming around the corner who will say, ‘We have precedent, do it again.’”
Apple and the government face off on March 22 over a motion that would force Cupertino to comply with a court order demanding it build the custom software. With the backing of the Department of Justice, the FBI may feel confident enough in its case to want to wait before it seriously explores these other, riskier iPhone unlocking options.
However, depending on how the case plays out – including whether Congress steps in – it may be forced to consider the avenues laid out above and, perhaps, even take them.