A security researcher has identified a process that could bypass the iOS passcode limit on the iPhone 5c smartphone.
The iOS Passcode Limit Can Be Overcome
Sergei Skorobogatov has described a method that can bypass one of iOS’s basic security features – the passcode limit. The demonstration was carried out on an iPhone 5c by modifying the device’s NAND flash memory. The engineer accessed the connection to the SoC and partially reverse-engineered the bus protocol.
Apple encrypts the stored user data in non-volatile memory to protect the contents as well as the access credentials. This is a security precaution that is used to prevent unauthorized file recovery from lost or stolen devices.
The bypass is essentially a NAND mirroring attack. In iOS, the user’s passcode is stored together with the device’s unique ID (UID) key. The UID is hard-coded into the main SoC and is part of the CPU’s hardware security engine.
Skorobogatov used electronic tools to eavesdrop on the NAND chip’s communication. By analysing how it worked, he was able to bypass the passcode limit by attaching a backup NAND chip.
The researcher notes that the sampled device, the iPhone 5c, is far from the latest Apple device. Since its introduction, other models have appeared that use different logic in their operation. However, the iPhone 5s and 6 use the same type of NAND flash devices, so it is possible that the cloning attack can be performed against them. The newer devices use a higher-speed chip with a PCIe interface, which makes such bypasses much more difficult.
The demonstration shows how a basic attack can be conducted, and the researcher notes that several improvements can be made. These include automated passcode entry and rebooting, using external USB controllers that emulate the necessary functions.
Apple can implement countermeasures that prevent mirroring attacks by employing more robust authentication rather than a proprietary interface. On the software side, challenge-response authentication can be used to prevent access to the NAND memory. Users are encouraged to use passcodes of at least 6 digits; the added length makes brute-force attacks much more difficult for criminals.
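To make the countermeasure concrete, here is an added toy model written for this article (it is not code from Skorobogatov’s paper or from Apple): the retry counter lives on the NAND, so a chip written from an earlier image arrives with a fresh counter, while an SoC that first runs a challenge-response against a secret held inside the NAND controller rejects such a chip. The UID key, the controller secret, the retry limit and the passcodes are all constructed values for the model.

```python
import hashlib, hmac, os

MAX_ATTEMPTS = 10  # retry limit assumed for this model

class Nand:
    """Toy NAND: page dict plus an optional controller secret that never appears in the image."""
    def __init__(self, pages, secret=None):
        self.pages, self._secret = dict(pages), secret
    def image(self):
        return dict(self.pages)  # what a NAND backup captures
    def respond(self, challenge):
        if self._secret is None:
            return None  # a backup chip built from the image cannot answer
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Soc:
    """Toy SoC with a hard-coded UID key; the verifier only matches on this SoC."""
    def __init__(self, uid_key, nand=None, nand_secret=None):
        self.uid_key, self.nand, self.nand_secret = uid_key, nand, nand_secret
    def derive(self, passcode):
        return hmac.new(self.uid_key, passcode.encode(), hashlib.sha256).digest()
    def unlock(self, passcode):
        if self.nand_secret is not None:  # challenge-response before trusting the NAND
            c = os.urandom(16)
            expected = hmac.new(self.nand_secret, c, hashlib.sha256).digest()
            if self.nand.respond(c) != expected:
                return "nand_rejected"
        if self.nand.pages["fails"] >= MAX_ATTEMPTS:
            return "locked"
        if hmac.compare_digest(self.derive(passcode), self.nand.pages["verifier"]):
            self.nand.pages["fails"] = 0
            return "ok"
        self.nand.pages["fails"] += 1  # the counter lives on the NAND, not in the SoC
        return "wrong"

def backup_chip_accepted(defended):
    """Once the original chip is locked, is a chip written from an earlier image accepted?"""
    uid_key, chip_secret = b"uid-key-constructed", b"nand-secret-constructed"
    soc = Soc(uid_key, nand_secret=chip_secret if defended else None)
    soc.nand = Nand({"verifier": soc.derive("1234"), "fails": 0}, secret=chip_secret)
    saved = soc.nand.image()  # backup taken before any attempts
    for _ in range(MAX_ATTEMPTS):
        soc.unlock("0000")
    assert soc.unlock("0000") == "locked"  # original chip has hit the limit
    soc.nand = Nand(saved)  # swap in a chip written from the backup (no controller secret)
    return soc.unlock("0000") == "wrong"  # "wrong" means a fresh attempt was accepted
```

Without the challenge-response step the backup chip is accepted and the limit is gone; with it, the SoC refuses to talk to a chip that cannot prove it holds the controller secret.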
For more information, you can download the research paper titled “The bumpy road towards iPhone 5c NAND mirroring”.