Forensics , Mobility , Technology

Researcher Demonstrates Technique, Acknowledges It Could Have Destroyed Device's Data Jeremy Kirk (jeremy_kirk) • September 20, 2016     Sergei Skorobogatov demonstrates his "chip off" procedure. (Source: Youtube)

A U.K.-based security researcher has taken the FBI to task after demonstrating how the law enforcement agency could have cracked the San Bernardino terrorist's iPhone using a delicate, $100 operation that enables unlimited passcode guesses.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

Sergei Skorobogatov, a senior research associate in the security group at the University of Cambridge's computer laboratory, released an academic paper and video showing how he accomplished what's called NAND mirroring. The technique, also referred to as "chip off," allows all four-digit passcodes to be guessed in around 40 hours.

The procedure can be used against older iPhones that have enabled a security feature that erases the device's data after 10 incorrect passcode guesses. But it's a technically difficult operation, and one that could easily destroy a device's data if not flawlessly executed.

FBI vs. Apple

In March, FBI Director James Comey contended that such a procedure would not work to unlock an iPhone 5c belonging to Syed Rizwan Farook, who with his wife shot and killed 14 people in San Bernardino, Calif., in December 2015. Skorobogatov's work, the first public demonstration of such a technique, shows that while Comey's contention is not true technically, there are plenty of reasons why the FBI likely brushed it off.

NAND mirroring had been suggested as a possibility after the FBI in February launched a controversial legal battle against Apple. The agency sought to force Apple to create a special version of its iOS mobile software to circumvent security controls on Farook's iPhone. Apple argued that such software - essentially a government-ordered backdoor - would put millions of users at risk (see The Crypto Debate: Apple vs. the FBI).

While many experts said that NAND mirroring would be an option, they also advised that it was risky. The FBI eventually paid less than $1 million to a contractor for a technique - which presumably exploited a chain of software vulnerabilities in iOS - to unlock the device. At the same time, it dropped the related challenge against Apple.

Skorobogatov, who says his research required less than $100 worth of off-the-shelf components, generally agrees that his technique is risky. "Although it does not require expensive equipment there were several unexpected traps, pitfalls and obstacles on the way to full success," his paper reads.

Heat It Up

Skorobogatov's paper and YouTube video show why the FBI probably decided not to go the NAND mirroring route: It involves a lot of heat, delicate iPhone surgery and perseverance in the face of numerous other software glitches.

Video from Sergei Skorobogatov demonstrating an Apple iPhone 5c hardware NAND mirroring as well as a successful attack on the limit for passcode retry counter.

The encryption key that scrambles data on the iPhone is stored on a NAND flash chip. If the security feature is enabled, that key is erased after 10 incorrect passcode guesses. The way around the problem is to copy the data, including the key, and restore it once 10 guesses have expired.

To copy it, the NAND flash chip has to be removed from the phone. The chip is soldered into the main printed circuit board (PCB) and also held in place with a strong epoxy. It's a tight space to work: There's only a .05mm (0.02 inch) gap between the bottom of the NAND chip and the PCB.

"Unless properly planned and supported by special thin blade knife tools, this could damage both the NAND and the main PCB," Skorobogatov writes.

Softening the epoxy requires a temperature of more than 572 degrees Fahrenheit. But if the whole area is heated to that temperature, the epoxy sticks to other small circuit board components, risking damage. Skorobogatov says he used a Nichrome wire heated with an electric current to 1,292 degrees to carefully weaken the epoxy. Then, he heated the printed circuit board to 302 degrees before further heating up the NAND flash chip. Once at the right temperature, he used a thin-blade knife to remove it.

Some Potential for Memory Damage

Even if the chip is successfully removed, repeatedly restoring its data could cause damage to the flash chip. Skorobogatov notes that NAND chips can be rewritten a few thousand times, but there's no way of knowing how many times the chip may have already be rewritten before starting a NAND mirroring operation.

That's where a longer passcode offers a better defense. A four-digit passcode would only require a maximum of 1,667 rewrites of the chip. But for a six-digit passcode, guessing could require as many as 160,000 rewrites, which would "very likely damage the flash memory storage," the paper states.

A report on a new self-assessment tool that's intended to show whether an enterprise's cyber-risk initiative aligns with its goals and strategy leads the latest edition of the ISMG Security Report.

In this episode, you'll also hear:

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Sept. 13 and Sept. 16 reports, which respectively analyze U.S. Sen. Elizabeth Warren's push to get Congress to investigate Wells Fargo for violating the privacy of bank customers and the ISMG Fraud and Breach Prevention Summit in Toronto. The next ISMG Security Report will be Friday, Sept. 23.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.

How qualified is law enforcement to investigate today's cybercrimes? While many big-city police departments have all the necessary skills, those in smaller markets often do not, according to a panel of experts.

That's why companies that have been attacked must provide as much technical and forensic information as possible to authorities to help ensure that investigations lead to arrests and prosecutions.

In an audio interview with Information Security Media Group at the recent Fraud and Breach Prevention Summit in Toronto, four cybercrime experts review the skills law enforcement officers must have to effectively investigate evolving cyberattacks and offer tips on working with authorities.

"Because you're dealing in an area of technology that's changing weekly and daily almost, it's a challenge to stay ahead of the curve," says panelist Kenrick Bagnall, who works on the computer cybercrime intelligence services team at the Toronto Police Service.

Imran Ahmad, a Toronto-based attorney with the law firm Miller Thomson, says organizations conducting investigations of cyberattacks should "prepare the materials and the evidence in a way that would be helpful to law enforcement, because they may not necessarily have either the resources or the detailed technical know-how."

When it comes to investigating financial crimes, information sharing is even more critical, say panelists John Buzzard, a fraud expert at payments provider CO-OP Financial Services, and John Walp, managing director of forensics technology at consultancy KPMG.

While it's becoming more common for law enforcement officers to have some understanding of how financial transactions work, banking institutions and other financial services firms need to educate local authorities, they say.

"If you would have picked up a telephone in 2002 and called [local police] and said, 'Hi. I'd like to speak with somebody who specializes in financial crime,' you probably would have had some blank hold time on the telephone," Buzzard says. "Not quite so much now."

Buzzard says criminal investigations focused on identity theft also have helped get law enforcement up to speed about cybercrime and fraud, which often involves the compromise of personal financial data.

"Specifically around the financial-services space, there's a lot of learning about how the banking and payments systems work," Walp adds.

During this interview (see audio player below photo), the panel also discusses:

The FBI's focus on cybercrime; How law enforcement is working with the private sector to develop relationships in advance of a breach or incident; and Why companies should involve law enforcement in their tabletop incident response exercises.

Bagnall, detective constable at the Toronto Police Service, formerly spent 20 years working in the IT industry, primarily within financial services.

Toronto-based attorney Ahmad serves on the Canadian Advanced Technologies Alliance's cybersecurity council and is a member of the executive committee of the Ontario Bar Association's privacy and access to information law section.

At CO-OP Financial Services, the largest credit union service organization in the U.S., Buzzard provides educational and directional fraud, risk and security information to institutions in the EFT/banking industry, and works with law enforcement agencies to share information about fraud trends.

Walp of KPMG formerly was the CISO of M&T Bank, where he was responsible for IT security, data protection and privacy strategies.

Ransomware attacks are surging because attackers have perfected their techniques while enterprises in all sectors have failed to address critical security shortcomings, says Raimund Genes, CTO at Trend Micro.

"It's the rise of anonymous money transfer services using TOR, bitcoin and other means that the bad guys have perfected," Genes says in part two of an interview with Information Security Media Group. "Anonymous stuff today like Ukash, Bitcoin, iTunes gift cards and the dark web make it very difficult to trace the attacker."

In addition, cybercriminals can turn to ransomware-as-a-service to easily launch their campaigns, which Genes predicts will continue as long as enterprises pay ransoms.

Security Shortcomings

So many enterprises are vulnerable to the attacks because they've failed to take the necessary security precautions, including offline backups, he says. "Everyone moved away from offline backups with three copies in two independent places. This was the golden rule a few years ago. It seems that with cloud and online backups, people have totally forgotten about it."

Other essential security steps that are often skipped, Genes says, include network segregation and segmentation as well as a comprehensive risk management plan. This could be because they are too focused on protecting themselves against so-called "APT" attacks, he argues (see: Moving Beyond the Buzzwords).

"Companies spent so much time and effort on silver bullets against APT that ransomware seems to have caught them by surprise," he says. "Ransomware is a reminder that basic security should not be forgotten."

In this interview (see audio player below image), Genes also shares his perspective on the controversy over VirusTotal, the malware database service from Alphabet's Google. New rules set by VirusTotal will exclude security vendors for not sharing data. Genes spelled out key concerns in a recent blog (see: VirusTotal Move Stirs Conflict in Anti-Virus Market). He also addresses:

The ransomware ecosystem and its persistent nature; How defenders have fallen short (see: Targeted Attacks Becoming the Norm); Action that enterprises should be taking to battle the ransomware threat.

In part one of this interview, Genes spoke about the latest trends in the security marketplace.

Genes has more than 30 years of computer and network security experience. As CTO at Trend Micro, he is responsible for working with a team of researchers to introduce new methods to detect and eradicate threats and to predict movements in the digital underground.