Hardware hack defeats iPhone 5C passcode security (bbc.com)
121 points by ZeljkoS on Sept 19, 2016 | hide | past | favorite | 30 comments


Again, it only applies to iPhone 5 and below. No one has yet proved to be able to clone the secure enclave and attempt this on a newer iPhone.


Still - that's enough to make it interesting that the FBI rejected this approach and then paid for an outsider's solution to accessing the phone.


No, it's not. Previous discussion https://news.ycombinator.com/item?id=12510586.


Interesting, I missed this discussion.

For people who don't want to scroll through the unrelated comments there: NAND mirroring has non-zero risk of being a destructive technique due to memory damage. This potentially disqualified it from use for the FBI's purposes, explaining the purchase of another tool.


You are wrong. The San Bernardino attacker's iPhone was an iPhone 5C, completely vulnerable to this NAND cloning attack.


> You are wrong. The San Bernardino attacker's iPhone was an iPhone 5C, completely vulnerable to this NAND cloning attack.

No one claimed it wasn't, no one was even talking about the secure enclave protected phones.

That doesn't mean that NAND mirroring is a forensically acceptable method, hence it "doesn't work".

Read the paper, and read the discussion.


You're right.

But the question is, did the FBI read that image and seek a court order anyway?

The FBI is slow, but not incompetent by any means. This was a terrorist's cell phone, a crucial link to determining whether this was a lone act or a coordinated plan.

Even if they couldn't introduce it in court, wouldn't they do it anyway? In fact, it seems very suspicious that the FBI suddenly found an exploit vendor after Apple refused to bow to governmental pressure.

So the question becomes, "If they had the data anyway, why seek a court order?"

To examine the problem, consider that to the FBI, accessing a single phone is a win in a single battle. That is not what the FBI is after.

What they are after is total victory. They believe only an ironclad legal precedent can win their war. They may be right. They may be wrong. I strongly suspect that they are wrong.

Encryption is like the tide. It can be pushed back, but in the end it will win.

Water always finds the cracks.


Yes, they were after a precedent because, regardless of how "easy" this is, it's not a turnkey solution and it doesn't scale well.

The FBI were looking for an easy solution that every law enforcement agency can use, and that is to force Apple and other device makers to unlock the devices or undermine their security sufficiently for traditional mobile forensic approaches to be viable.

The FBI didn't find an exploit; they found a vendor with an exploit, likely a vendor with an exploit that did not involve doing irreversible damage to a phone to extract the data from it. Forensics, and even digital forensics, have pretty strict rules about what counts as a forensically secure data extraction and what doesn't. When in doubt you simply wait for a better method to come around; you preserve evidence. This is why we can go back and re-examine evidence with new techniques; the first question of any new forensic process is "does it alter the state of the evidence?"


I loved my 5c :-(


You're probably safe. I doubt you're interesting enough for someone to take your phone apart and desolder the NAND.


It also doesn't really scale with complex passwords due to the amount of writes required; you'll be going through NAND chips like crazy.


Can you explain how the new architecture makes the more recent phones more secure against this sort of attack?



The press again fails to understand the topic, how this applies only to the 5c, and how phone vendors (Apple) defeat this with safe hardware data storage and keys (see previous HN discussion).


In theory it's probably possible to modify this to work on newer iPhones, it's just that no-one's done the work yet. The Secure Enclave has no onboard flash memory and its anti-replay protection seems to be entirely reliant on an external Flash chip that can itself be removed and its contents replayed. The BBC are right, assuming what's publicly known about the Secure Enclave is correct.


The BBC stands well ahead of the pack in terms of chasing tabloid-level inaccurate clickbait crap, especially in terms of oversimplified pop-science.


Well, you're making a claim for which contrary evidence exists in the form of the very article you're commenting on. Do you have any evidence to back what you're saying?


I hope you mean "The BBC are good at regurgitating press releases"


> Finding a four-digit code took about 40 hours of work, Dr Skorobogatov said.

> And finding a six-digit code could potentially take hundreds of hours

If it takes 40 hours to brute-force a 4-digit PIN, it would take 4000 hours to brute-force a 6-digit one.


I am guessing this includes the work required to set up the ability to do this in the first place.


Some portion of the work could be constant-time.


Not in the real world. If I need to dig one hole I would probably use a shovel; if I need to dig 10,000 holes, I'd probably use an excavator.


Every time Apple iterates on a phone they move the security forward. The biggest leap was with the 6 and the introduction of the secure enclave. And they are getting better still.


Minor correction: the secure enclave was introduced in the A7 chip on the iPhone 5s.


Are there any hardware improvements related to security in the 7? A quick Google search turned up nothing.


I'm probably missing something here, but without a secure enclave, why can't the PIN be bruteforced "offline", i.e. not via the iPhone?


I believe the device data is encrypted with a built-in hardware key and the passcode, so you'd need some way to read the key out of the CPU.
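The point made in the comment above, that the data key depends on both the passcode and a secret fused into the silicon, is what rules out an "offline" guess against a copied NAND image and is why the mirroring technique has to replay the flash on the same device. The following is an added example, not code from the original thread or from Apple; it is a constructed toy model (PBKDF2 in place of the real hardware key derivation, a stand-in UID, a toy round count) that shows why the flash contents alone never let you check whether a PIN guess is right, and how large the candidate space becomes when the hardware secret is not available.

```python
import hashlib
import hmac
import math

# Toy model of passcode-entangled data protection (constructed for this
# example; it is not Apple's implementation). The per-device secret below
# stands in for a UID fused into the silicon; on a real device it is only
# usable by the crypto engine and cannot be read out by software.
UID_BITS = 256
DEVICE_UID = hashlib.sha256(b"constructed-device-uid").digest()  # stand-in value
OTHER_UID = hashlib.sha256(b"some-other-device").digest()        # stand-in value
KDF_ROUNDS = 2000  # toy count; real devices tune this to a fixed delay per guess


def derive_key(passcode: str, uid: bytes) -> bytes:
    """Tangle the passcode with the hardware secret. Changing either input
    yields an unrelated key, so the flash contents alone don't reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, KDF_ROUNDS, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """The only passcode-related value that lands on flash: a MAC under the
    derived key, which lets the device check a candidate without storing the key."""
    return hmac.new(key, b"passcode-verifier", "sha256").digest()


def unlock(passcode: str, uid: bytes, verifier: bytes) -> bool:
    """On-device check: the crypto engine supplies the UID, the user the PIN."""
    return hmac.compare_digest(make_verifier(derive_key(passcode, uid)), verifier)


def log2_candidates(digits: int, uid_known: bool) -> float:
    """log2 of the space a guesser must cover using only a flash image.
    With the UID in hand the space is just the PIN space; without it, every
    PIN guess would have to be paired with every possible UID value."""
    space = math.log2(10 ** digits)
    return space if uid_known else space + UID_BITS


if __name__ == "__main__":
    stored = make_verifier(derive_key("1234", DEVICE_UID))
    print("correct PIN on this device:", unlock("1234", DEVICE_UID, stored))
    print("correct PIN, same flash image on other silicon:", unlock("1234", OTHER_UID, stored))
    print("log2 guesses, 4-digit PIN, UID in hand: %.1f" % log2_candidates(4, True))
    print("log2 guesses, 4-digit PIN, flash image only: %.1f" % log2_candidates(4, False))
```

The verifier checks out only when the same UID is present, which is the difference between the 5C and the Secure Enclave models discussed in this thread: both tangle the key with the silicon, but on the 5C the attempt counter and wipe state live on the removable flash, so restoring that flash on the original device resets the bookkeeping, whereas a check that relies only on the flash image and no device gets nowhere.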


Ah, right. How is that different from the secure enclave? Less isolated, perhaps?


Old news on old phones. Headline should be updated.


Thanks, we've updated the title.




