How the FBI might hack into an iPhone without Apple's help

March 22, 2016 by Bree Fowler And Brandon Bailey
In this Friday, Sept. 25, 2015, file photo, a customer tries out a new Apple iPhone 6S at an Apple store in Chicago. The FBI now says that it may have a way to crack into an iPhone used by one of the San Bernardino shooters, despite previous claims that it could only achieve that with Apple's help, but it remains unclear exactly how it plans to do that. (AP Photo/Kiichiro Sato, File)

For more than a month, federal investigators have insisted they have no alternative but to force Apple to help them open up a phone used by one of the San Bernardino shooters.

That changed Monday when the Justice Department said an "outside party" recently showed the FBI a different way to access the data on the phone used by Syed Farook, who with his wife killed 14 people in the Dec. 2 attack.

The magistrate judge in the case postponed a hearing scheduled for Tuesday and gave the government two weeks to test its method. But federal officials have been mum about who came forward and what method they've proposed. Here are some of the leading options outside experts think the FBI might be exploring.



One likely scenario involves making multiple copies of the iPhone's flash memory, which investigators could use to restore the phone's data should they inadvertently trigger the phone's "self-destruct" feature by making too many wrong guesses at the passcode.

That feature doesn't actually erase all the files on the iPhone. Instead, it erases a section of the iPhone's memory that contains one of the keys necessary to unlock the data on the phone. This section, known as the "effaceable storage," sits in a memory chip that theoretically could be removed and plugged into a reader device that's capable of electronically copying what's stored on the chip—and then replacing the data if it's been erased.

While the technique hasn't been proven for this purpose, forensic expert Jonathan Zdziarski said it was demonstrated in a widely circulated video that shows a Chinese smartphone vendor using a similar procedure to install more memory capacity on an iPhone. FBI Director James Comey was asked about the technique during a congressional hearing on March 1, but Comey didn't say directly whether the FBI had considered the approach.



A more nuanced approach would involve isolating the portion of the phone's memory where the count of how many passcode attempts have been made is stored, said Ajay Arora, CEO and co-founder of Vera, an encryption software company.

In theory, the person working on the phone would then be able to reset the count each time it approached 10, allowing investigators to make an infinite number of guesses.

"This is more technical and a little more difficult, because you'd have to isolate the section," he said. Apple hasn't provided any maps to show where that data is stored. The main problem: The FBI would run the risk of losing information if something went wrong.

Shane McGee, at the FireEye cybersecurity firm, agreed that this kind of approach could potentially work. "All the government really needs is the opportunity to do a very simple, ," he said.
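Both approaches described so far, restoring a copied flash image and resetting the stored attempt count, depend on the retry state living in storage that can be written back. The following added example is not from the article and does not model Apple's actual design: it is a constructed toy device showing that a wipe-after-10 limit holds only when the count and a key component sit where a chip reader cannot restore them. All class and function names are hypothetical.

```python
import os

MAX_ATTEMPTS = 10  # wipe threshold described in the article


class Device:
    """Constructed toy model of a wipe-after-N-failures lock (not Apple's design)."""

    def __init__(self, passcode, rollback_protected):
        self.passcode = passcode
        self.rollback_protected = rollback_protected
        # Removable memory chip: its contents can be copied out and written back.
        self.flash = {"key": os.urandom(16), "failed": 0}
        # State inside the processor package, out of reach of a chip reader.
        self.hw_failed = 0
        self.hw_secret = os.urandom(16)

    def wiped(self):
        # Data is recoverable only while every key component still exists.
        return self.flash["key"] is None or self.hw_secret is None

    def try_unlock(self, guess):
        if self.wiped():
            return False
        if guess == self.passcode:
            self.flash["failed"] = self.hw_failed = 0
            return True
        self.flash["failed"] += 1
        self.hw_failed += 1
        count = self.hw_failed if self.rollback_protected else self.flash["failed"]
        if count >= MAX_ATTEMPTS:
            self.flash["key"] = None          # erase the key held in flash
            if self.rollback_protected:
                self.hw_secret = None         # and the part a flash image lacks
        return False


def wrong_guesses_before_wipe(device, limit=100):
    """Replay a saved flash image between failures; count guesses until wiped."""
    image = dict(device.flash)
    accepted = 0
    while accepted < limit:
        if device.flash["key"] is None or device.flash["failed"] >= MAX_ATTEMPTS - 1:
            device.flash = dict(image)        # write the earlier copy back
        if device.wiped():
            break
        device.try_unlock("not-the-passcode")
        accepted += 1
    return accepted
```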



Another approach, sometimes known as "chip de-capping," calls for physically removing the casing of the iPhone's processor chip, using acid or a laser drill. In theory, investigators could then connect electronic probes capable of reading the phone's unique identification code bit by bit from the location where it is "fused" into the phone's hardware. This method would also have to read the algorithm that combines that code with the user passcode to unlock the phone.

Once they get that information, investigators could then load it onto another computer, where they can run thousands of attempts at guessing the passcode without worrying about triggering the auto-erase function on the phone itself.

Forensic investigators have used similar procedures to read other kinds of data from computer chips, according to McGee. But experts say the process of physically dismantling a chip is technically demanding and has a high risk of causing damage that would make the data unreadable.



Even a tiny flaw unknown to the software's creator—known as a zero-day vulnerability—could potentially give the government, or someone else, a way in, said Jay Kaplan, CEO of Synack and a former NSA counterterrorism researcher.

Those exploits are considered valuable to hackers, who often sell them to others, and to intelligence agencies that use them for gathering data. It isn't clear if the government would share the information with Apple—which might then try to fix the vulnerability—or if the government would try to keep the information "in its back pocket" so it can be used for future cases, Kaplan said.

While in theory it's possible that the FBI could go with some kind of brute-force attack, Kaplan thinks it's more likely that the FBI's mystery assistant found a zero day instead.

"There's plenty of them out there that vendors don't know about," Kaplan said. "Regardless of the method, it's going to be a pretty complex process, whether it involves a zero day or not. I'm sure a lot of really smart people are working on the problem."


2 / 5 (5) Mar 22, 2016
I was thinking about freedom and the part free speech and privacy plays in it. I think as adults we have to look to the future and not bury our head in the sand. Just how far and fast is terrorism accelerating? If terrorism keeps increasing, will we be forced to give up some of those freedoms to protect our loved ones?
Myself I could care less about (government) verbal privacy as long as it never negatively affects me unless I am breaking the law. But I am not speaking for anyone else.
At what point will you say ok tap all the phones, break all the encryption? Will that point come after someone has murdered your little girl in the name of religion. Or when there is a 50% chance it will happen? What about a 25% chance. There will come a point where you will blame the authorities for not doing more.
I think we should do this proactively and get a jump on it before too many people die. Don't forget those people will gladly detonate a dirty bomb killing thousands.
4.4 / 5 (7) Mar 22, 2016
And yet, a dirty bomb has never detonated, anywhere. Plenty of other bombs, but you're afraid of a dirty bomb, which has never happened.

The chances of your little girl being killed by a religious extremist are vanishingly small: Less than one in a million, world-wide, and much less than that in the United States. You would sell your privacy for a one in a million chance. What's wrong with you?

>I think we should do this proactively and get a jump on it before too many people die.

Loss of privacy doesn't hurt terrorists: it hurts decent, law-abiding minorities and citizens.

Surveillance and decryption powers by the government do not significantly contribute to terrorism prevention:

Benjamin Franklin was talking about you when he spoke about what happens to people who would trade their freedom for security.

2.8 / 5 (4) Mar 22, 2016
retrosurf, I am sorry I don't communicate better. I thought I was making it clear. I was talking about the future of terrorism not the present. Are you telling me it's going to get better not worse if we don't up our game?
4.6 / 5 (5) Mar 23, 2016
We don't need to become a police state to defeat terrorism. The threat of abuse of power from my government is more likely than the threat from terrorist attacks. It's even more likely than the chance that the phone in question has useful data on it.
2 / 5 (5) Mar 23, 2016
retrosurf & odd claim
...little girl being killed by a religious extremist are vanishingly small: Less than one in a million, world-wide, and much less than that in the United States
1. Where do you get your stats from please ?

2. Anything definitive & how does it compare to troubling stats re toddlers using their parents guns to kill each other or shoot parents ?

retrosurf claims
You would sell your privacy for a one in a million chance
Not selling it, he's offering perspective & I add to that strongly suggesting we need a significant improvement in education worldwide of recognition all religions are false & thus cannot be used as means for; Status, Authority & Power over Emotionally feeble & Intellectually meek

Eg. All claimed gods in All of history proven bad communicators, conclusion they're only claim

To teach it early frees people from ingratiating to get favour from any god, thus need for religious terror declines, ie re education of intent...
5 / 5 (5) Mar 23, 2016
USA, 2014, factshetheet childrensdefense org:
- 78 children under 5 died from guns in 2014
- 2,525 children and teens died from guns

2012, NHTSA's National Center for Statistics and Analysis:
- 1168 Fatalities Among Children 14 and Younger
- More than 100 people die every single day

In fighting terrorism, the perspective is lost.
5 / 5 (2) Mar 23, 2016
Reasoning with people motivated primarily by fear (aka cowardice), requires that they perceive you as "on their team" or they won't listen. The guy whimpering about how big government is going to make it all go away and make us safe isn't listening to us. How many people in the US were killed by law enforcement last year? How many by terrorist acts? Shall we compare? Oh, wait; we can't - the government doesn't keep count of how many it kills if it, extrajudicially, "decides", the act was "justifiable". Who watches the watchers? This guy seems to be a prime example of someone who would sell his soul to anyone who would promise to keep him "safe". He'd fit right in as a supporter of Assad in Syria, Jong-un in N. Korea, Putin in Russia, or the clerics in Iran. But what does any of this have to do with hacking an iPhone with a warrant? This article stupidly mentions physical "deconstruction", copy&paste from an earlier even more irrelevant post. Lame.
5 / 5 (1) Mar 25, 2016
"For more than a month, federal investigators have insisted they have no alternative but to force Apple to help them open up a phone used by one of the San Bernardino shooters."

That's not surprising as they are lawyers, not safe crackers, I mean programmers. :)
