FBI Breaks Into San Bernardino iPhone

As expected, the FBI has succeeded in finding a method to recover the data on the San Bernardino iPhone, and now the government can see all of the cat pictures Farook was keeping on it. We don’t know what method was used, as it’s been classified. Given the time frame and the details of the case, it’s possible it could have been the hardware method (NAND mirroring) or a software method (exploitation). Many have speculated on both sides, but your guess is as good as mine. What I can tell you are the implications.

If a hardware method was used, only A6 devices would be affected; this would mean the iPhone 5c and older devices could likely be accessed using such a hardware method. Newer devices with a Secure Enclave would require a much more advanced technique than we presently have the capabilities to execute.

If a software method was used, it is possible that the technique could work on newer devices with a Secure Enclave. Many security researchers and cryptographers were surprised to find that the SEP isn’t quite as much the enforcer as we thought it was, and I’m willing to concede at this point that, given code execution, brute forcing the PIN may be possible on these devices given the current state of their firmware.

What is certain, however, is that the only reason this was possible is because Farook chose to use a weak form of security on his iOS device – namely, a numeric pin. Numeric pins, whether four digit or six digit, have an extremely limited key space, which means that your data is ultimately only protected by the processor’s security. Code execution vulnerabilities are patched by the dozens every major firmware update, and so it’s no surprise that relying on processor security isn’t a good strategy.

To protect your device against both a hardware and software attack, use an alphanumeric passcode. Apple claims, in their iOS Security guide, that a six digit alphanumeric passcode would take up to 5 1/2 years to brute force. A 16 digit alphanumeric passcode is believed to take over 100 years to brute force. No matter how exploited the operating system is, brute forcing must take place on the hardware, and the rules of math cannot be broken.

Of course, your choice of passcode is only one small component of your overall security strategy. You could have a 20 digit passcode, yet be completely exposed by typing it in front of a security camera. The security of your pair records (on your desktop machine) are equally important to protect with strong encryption. Ensuring that you’re not copying data off to external services (such as iCloud backups) prevent information leakage. Using additional layers of security, such as those in third party applications, can help to strengthen data security. Security is a lot easier when you’ve been shot dead, your iPhone has been shut off, and you no longer care about security. It’s much harder for the living (and in particular, the innocent) who still care about their day to day security.

UPDATE: On March 28, 2016, the FBI cut a purchase order to Cellebrite for $218.004.85, citing “Information Technology Supplies; this sounds like the DOD equivalent of a $50,000 toilet seat. Here is the link to the purchase order.