With Apple calling on the government to withdraw its demand that the company create a tool to unlock the iPhone in the San Bernardino case, it seems the FBI does have a plan B – albeit a long-winded and highly uncertain one. Edward Snowden says the FBI’s claim that it cannot access the phone without Apple’s help is not quite true.
“The problem is, the FBI has other means… They told the courts they didn’t, but they do,” Snowden said during a virtual talk hosted by Johns Hopkins University. “The FBI does not want to do this.”
The technique Snowden described is known as chip de-capping, and involves physically attacking the chip in order to probe its contents. Four cyber security researchers contacted by ABC News confirmed that the technique is real, but far from certain to succeed …
IOActive Senior Security Consultant Andrew Zonenberg described how it works.
In the simplest terms, Zonenberg said the idea is to take the chip from the iPhone, use a strong acid to remove the chip’s encapsulation, and then physically, very carefully drill down into the chip itself using a focused ion beam. Assuming that the hacker has already poured months and tens of thousands of dollars into research and development to know ahead of time exactly where to look on the chip for the target data — in this case the iPhone’s unique ID (UID) — the hacker would, micron by micron, attempt to expose the portion of the chip containing exactly that data.
The hacker would then place infinitesimally small “probes” at the target spot on the chip and read out, literally bit by bit, the UID data. The same process would then be used to extract data for the algorithm that the phone normally uses to “tangle” the UID and the user’s passkey to create the key that actually unlocks the phone.
Once the FBI has both the UID and entanglement algorithm, it would be able to brute-force the password on a computer rather than on the iPhone itself.
As you’d guess from the description, the technique is extremely delicate and risky – and perhaps not ideally attempted by an agency whose explanations for an iCloud password change didn’t quite add up.
If at any point there’s even a slight accident in the de-capping or attack process, the chip could be destroyed and all access to the phone’s memory lost forever […] It’s definitely a non-trivial attack.
Zonenberg agrees with Snowden that the technique will be known to some U.S. government intelligence agencies, even if not specifically known by the FBI.
The quote of the piece comes from an unnamed military intelligence official, who described de-capping as some “super risky cyber-level s***.”
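The description above has the unlock key produced by tangling the UID with the user's passkey. The sketch below is an added example, not code from the article or from Apple: it assumes PBKDF2-HMAC-SHA256 as a stand-in for the unspecified tangling function and uses a constructed UID, passcode and guess rate. It shows that a single misread UID bit makes the whole off-device search come up empty, and that passcode length decides how much protection remains once the UID has left the chip.

```python
import hashlib
import hmac
import itertools

# Assumption: PBKDF2-HMAC-SHA256 stands in for the phone's real tangling
# function, which the article does not specify.
ITERATIONS = 50  # constructed; kept low so the demo finishes quickly

def derive_key(passcode: str, uid: bytes) -> bytes:
    """Tangle the passcode with the device-unique UID to get the unlock key."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS)

def offline_search(target_key: bytes, uid: bytes, alphabet: str, length: int):
    """Try every passcode of this length; return (passcode, guesses made)."""
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        guesses += 1
        guess = "".join(chars)
        if hmac.compare_digest(derive_key(guess, uid), target_key):
            return guess, guesses
    return None, guesses

def worst_case_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Days needed to exhaust the whole passcode space at a given guess rate."""
    return alphabet_size ** length / guesses_per_second / 86_400

if __name__ == "__main__":
    uid = bytes(range(32))                   # constructed stand-in for the UID
    key = derive_key("4821", uid)            # constructed passcode
    misread = bytes([uid[0] ^ 1]) + uid[1:]  # UID with a single bit read wrong

    print("correct UID :", offline_search(key, uid, "0123456789", 4))
    print("1-bit error :", offline_search(key, misread, "0123456789", 4))

    rate = 10_000  # guesses per second, a constructed figure for comparison only
    for label, size, length in [("4 digits", 10, 4), ("6 digits", 10, 6),
                                ("8 alphanumeric", 62, 8)]:
        print(f"{label:15} {worst_case_days(size, length, rate):.6g} days")
```

At the same assumed guess rate, the gap between a 4-digit passcode and an 8-character alphanumeric one is many orders of magnitude, which is why passcode strength still matters even against an attacker holding the UID.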