San Bernardino iPhone Technically Can Be Hacked Without Apple, Researchers Say

High-risk technique can bypass Apple security and go straight for the chip.

ByABC News
February 21, 2016, 4:35 PM

— -- Using acid, lasers and other very delicate instruments, it should be technically possible -- if painstakingly slow and extremely risky -- for the government to hack into the iPhone belonging to San Bernardino shooter Syed Rizwan Farook without Apple’s assistance, cyber security researchers told ABC News.

In court filings last week in which the Department of Justice requested a judge compel Apple to assist them in opening the phone, the government said, “The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple.”

But Wednesday former NSA contractor Edward Snowden said the third statement is not totally true and mentioned one technique in particular that he said could be used to hack the device unilaterally.

“The problem is, the FBI has other means... They told the courts they didn’t, but they do,” Snowden said during a virtual talk hosted by Johns Hopkins University. “The FBI does not want to do this.”

Called "de-capping," the method involves removing and de-capsulating the phone’s memory chip to expose it to direct, microscopic scrutiny and exploitation.

A normal chip (right) and a chip after being de-capped (left).
Andrew Zonenberg, IOActive

Four cyber security researchers told ABC News that it technically should be possible to crack the phone that way. One of the researchers went further, saying, “If you have physical possession of a device, there are any number of ways to extract its secrets."

Another one of the researchers, Senior Security Consultant at IOActive and hardware reverse engineering specialist Andrew Zonenberg, explained the complex and delicate process of de-capping followed by an invasive microchip attack, a hack he suspects is known to and used by some U.S. government intelligence agencies, if probably not the FBI. It could be used on the iPhone 5c, he said, though he's never attempted it on that particular device. The process could be a months-long endeavor and carries a real risk of destroying the chip completely.

"Invasive attacks are inherently risky and if they try something like this and it fails, then that's their last resort," Zonenberg said.

In the simplest terms, Zonenberg said the idea is to take the chip from the iPhone, use a strong acid to remove the chip’s encapsulation, and then physically, very carefully drill down into the chip itself using a focused ion beam. Assuming that the hacker has already poured months and tens of thousands of dollars into research and development to know ahead of time exactly where to look on the chip for the target data -- in this case the iPhone's unique ID (UID) -- the hacker would, micron by micron, attempt to expose the portion of the chip containing exactly that data.

The hacker would then place infinitesimally small "probes" at the target spot on the chip and read out, literally bit by bit, the UID data. The same process would then be used to extract data for the algorithm that the phone normally uses to "tangle" the UID and the user's passkey to create the key that actually unlocks the phone.

A probe lands on a pad on the microchip. The pads, the small white squares, are approximately half the width of a human hair.
Andrew Zonenberg, IOActive

From there the hacker would load the UID, the algorithm and some of the iPhone's encrypted data onto a supercomputer and let it "brute force" attack the missing user passkey by simply trying all possible combinations until one decrypts the iPhone data. Since the guessing is being done outside the iPhone's operating system, there's no 10-try limit or self-destruct mechanism that would otherwise wipe the phone.

But that’s if everything goes exactly right. If at any point there's even a slight accident in the de-capping or attack process, the chip could be destroyed and all access to the phone's memory lost forever.

It is, as one military intelligence official described it, some "super risky cyber-level s***."

“It’s definitely a non-trivial attack,” Zonenberg said, but it’s not hypothetical either. The technology, while expensive, already exists and he’s personally conducted invasive hardware attacks through de-capping on other targets in the course of his research.

IOActive Senior Security Consultant Andrew Zonenberg demonstrates an invasive hardware attack during a class in 2014.
Andrew Zonenberg, IOActive

Dan Guido, co-founder of the cyber security firm Trail of Bits, said he thinks the cost "doesn't even matter" in the face of the risk the hack poses.

"What matters is the fact that if they screw up, if that laser or that X-ray is a couple of nanometers in the wrong direction, the whole chip is fried and they'll never get any data off the phone," he said, speculating that the evidence-reliant FBI would be unlikely to try something so risky. "This isn't a cakewalk," he said.

Dmitry Nedospasov, another hardware security specialist based in Berlin who like Zonenberg holds a Ph.D. in this specific area of study, said that de-capping the microchip set up that Apple uses is even more difficult than it has been described here and it’s “extremely likely” that the hacker would accidentally “destroy everything.” But Zonenberg and Nedospasov also described other less risky, cheaper techniques that could extract data from the chip, including what’s known as infrared laser glitching. To do that, the hacker drills through the bottom of the chip and then uses an infrared laser to manipulate and exploit data on the device including the UID.

Zonenberg said he’s unfamiliar with the FBI’s cyber-related forensic capabilities -- whether they have the technical expertise to pull off the moves of which he thinks only a few people on the planet are capable -- but he said he assumes Snowden’s former employer, the NSA, has done its share of de-capping.

A spokesperson for the FBI said he could not comment beyond what the Department of Justice has said in court filings, which includes a sworn statement from a veteran FBI forensic investigator saying he has "explored other means of obtaining this information [on the phone] with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the subject device."

Representatives for the DOJ and Apple declined to comment for this report. A spokesperson for the NSA did not respond to an off-hours request for comment.

ABC News' Carly Roman, Zunaira Zaki and Annie Shi contributed to this report.