The U.S. Department of Justice has officially moved to end legal action to compel Apple (NASDAQ:AAPL) to assist in unlocking the iPhone of Syed Rizwan Farook. Apple won this round against the DOJ because the government had found an alternate route into the iPhone's encrypted data that didn't require Apple's help. Apple's much vaunted security wasn't quite a match for the government after all.
Mirror, Mirror. . .
In defense of Apple, the method probably used by the government would be well beyond the means of an ordinary criminal. On March 23, Ars Technica published a description of what I consider the most likely technique, called NAND mirroring. The non-volatile storage of the iPhone, including the iPhone 5c in question, is NAND flash memory, and the name refers to copying and reproducing the contents of that flash.
In a blog post, iOS forensics expert Jonathan Zdziarski pointed out that it might be feasible to remove the flash memory chip from the iPhone and copy its contents. Removing the chip is difficult and there was a question whether this could be done without damaging the chip or its contents.
Once the chip is removed, its contents can be read and copied to other storage. The copy is still encrypted, but that does not matter for this purpose: what the attacker needs is an exact image of the flash, not its plaintext. Zdziarski believes that the chip could then be emulated by a device substituted for the original flash memory. This device would "mirror" the contents of the flash but be impervious to erasure commands sent by iOS.
This would defeat the main security mechanism that stood in the way of the DOJ. The iPhone can be set to erase its data after 10 consecutive failed attempts to guess the unlock passcode. That erase works by destroying the key material on the flash that protects the encrypted data, so a flash that cannot be altered, or that can be rewritten from the saved image, keeps both that key material and the record iOS keeps of failed attempts in place. The government could then brute-force the passcode by repeated guesses without concern about losing the contents of the flash.
This method requires specialized equipment and expertise that wouldn't normally be available in the criminal underworld. Does this point to a vulnerability in iOS security? Probably not in the near term. However, I can see this becoming a cottage industry in the not-too-distant future: the equipment needed for NAND mirroring would not be that difficult or expensive to obtain.
Universal iPhone Vulnerability
In my first article on this subject, I pointed out that Apple really needed to enhance certain elements of iOS security in order to make brute force password guessing ineffective. I received a comment to the effect that Apple's Secure Enclave feature, which is included in iPhone 5s and newer iPhones, would make the government's request for a modified iOS system ineffective for use on other iPhones.
Strictly speaking, this was true, though the reason is the boot chain rather than the Secure Enclave alone: an iPhone will only boot system software signed by Apple, so only Apple itself could have built and installed its modified iOS in any future unlocking attempt the government might request. The Secure Enclave is a separate processor within the larger system on chip (SoC), with its own boot process, dedicated to security and encryption functions. On the iPhone 5s and later it holds the device's unique key, performs the passcode key derivation, and enforces the delays between failed attempts, so a modified iOS running on the main processor alone cannot speed up guessing. It is designed to resist tampering, although no chip is tamper proof in an absolute sense.
But it does have limits. Zdziarski and I believe that Secure Enclave could not prevent the NAND mirroring exploit, so NAND mirroring appears to be a vulnerability for virtually any iPhone, even the newest.
As I pointed out in my second article on this subject, the DOJ accused Apple of deliberately creating a "warrant proof" security system intended to frustrate the government's lawful investigations. I doubt that was the intention of Apple at all. But in the case of NAND mirroring, Apple clearly has a responsibility to its customers to close this particular vulnerability. This may lead to future confrontations with the DOJ regarding iPhone unlocking.
The best way to close the vulnerability is simply to make passcode guessing impractical by requiring longer alphanumeric passcodes. Mirroring removes the wipe, but every guess still has to be run through the device's own key derivation, because the passcode key is entangled with a secret that never leaves the chip; a passcode space large enough turns the exhaustive search from hours into years. Then it's really the responsibility of the user to devise a non-guessable passcode. Although this may be inconvenient, there's always Touch ID for newer iPhones.
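The following is an added example, not code from the original article or from Apple. It is a toy model of the attack described in the Mirror, Mirror section and of the passcode-length remedy proposed just above. The `Phone` class, its `flash` dictionary, the HMAC stand-in for the passcode key derivation, the per-device secret and the 0.08 seconds per guess are all assumptions of the model, and the model takes no position on where any real device keeps its counter. It shows why restoring a flash image neutralizes a wipe whose bookkeeping lives on that flash, why the same trick does nothing against a counter held off the mirrored medium, and how much the size of the passcode space matters once the wipe is out of the way.

```python
"""Toy model of the NAND-mirroring attack: constructed illustration, not Apple's code.

`flash` is the NAND image an attacker can copy and restore. The "key" entry
stands in for the key material that the erase-data option destroys, and
"failures" for the count of wrong guesses. The per-device secret, the
key-derivation function and the guess cost are all assumptions for the model.
"""
import copy
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

MAX_FAILURES = 10            # the "erase data after 10 failed attempts" setting discussed above
SECONDS_PER_GUESS = 0.08     # assumed on-device cost of one passcode key derivation


class Phone:
    """With counter_in_enclave=False both key and counter live on the flash.
    With counter_in_enclave=True the counter and a lockout flag live in state
    the attacker cannot image (a model of a counter kept off the NAND)."""

    def __init__(self, passcode: str, counter_in_enclave: bool = False) -> None:
        self._uid = b"assumed-per-device-secret"  # hypothetical stand-in for the hardware UID key
        self.counter_in_enclave = counter_in_enclave
        self.flash = {"key": self._derive(passcode), "failures": 0}
        self.enclave_failures = 0
        self.enclave_locked = False

    def _derive(self, passcode: str) -> bytes:
        # Entangling the guess with a secret the chip never exports is what
        # forces every guess to be run on the device itself.
        return hmac.new(self._uid, passcode.encode(), hashlib.sha256).digest()

    def failures(self) -> int:
        return self.enclave_failures if self.counter_in_enclave else self.flash["failures"]

    def _record_failure(self) -> None:
        if self.counter_in_enclave:
            self.enclave_failures += 1
        else:
            self.flash["failures"] += 1
        if self.failures() >= MAX_FAILURES:
            self.flash["key"] = None          # "erase data": the ciphertext stays, the key does not
            self.enclave_locked = self.counter_in_enclave

    def try_unlock(self, guess: str) -> bool:
        """One passcode attempt, as the phone would process it."""
        if self.enclave_locked or self.flash["key"] is None:
            return False
        if hmac.compare_digest(self._derive(guess), self.flash["key"]):
            if self.counter_in_enclave:
                self.enclave_failures = 0
            else:
                self.flash["failures"] = 0
            return True
        self._record_failure()
        return False


def mirror_attack(phone: Phone, candidates: Iterable[str],
                  restore_every: int = MAX_FAILURES - 1) -> Tuple[Optional[str], int]:
    """NAND-mirroring attacker: image the flash once, then before every tenth
    guess write the image back so an on-flash counter never reaches the limit.
    Returns (passcode or None, number of guesses spent)."""
    image = copy.deepcopy(phone.flash)
    tried = 0
    for guess in candidates:
        if tried and tried % restore_every == 0:
            phone.flash = copy.deepcopy(image)   # key back in place, on-flash counter back to 0
        tried += 1
        if phone.try_unlock(guess):
            return guess, tried
        if phone.enclave_locked:
            return None, tried                   # the counter was not on the medium we mirrored
    return None, tried


def expected_seconds(space: int, seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Expected time to find the passcode: half the space at a fixed cost per guess."""
    return space / 2 * seconds_per_guess


PASSCODE_SPACES = {
    "4 digits": 10 ** 4,
    "6 digits": 10 ** 6,
    "6 alphanumeric (62 symbols)": 62 ** 6,
    "10 alphanumeric": 62 ** 10,
}

if __name__ == "__main__":
    pins = [f"{i:04d}" for i in range(10_000)]
    print("counter on flash:  ", mirror_attack(Phone("4821"), pins))
    print("counter off flash: ", mirror_attack(Phone("4821", counter_in_enclave=True), pins))
    for name, space in PASSCODE_SPACES.items():
        print(f"{name:28s} {expected_seconds(space) / 86_400:>14.1f} days")
```

Run as a script, the first line reports the four-digit PIN recovered after a few thousand guesses with the wipe never firing, the second reports the attack stopping at the tenth guess when the counter is not on the mirrored flash, and the table shows that at the assumed guess cost a four-digit PIN falls in minutes, six digits in about half a day, and six alphanumeric characters only after decades, which is the whole argument for longer passcodes.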
Use of Touch ID will probably become the predominant unlocking mechanism for iPhones if Apple elects to enforce more complex passcodes on users. This might, ironically, head off most potential conflicts with the government in the future. Although it may be a little macabre to think about, if Farook's iPhone had Touch ID, the government would probably have had little difficulty unlocking it, even after his death, provided it acted quickly: iOS falls back to demanding the passcode after a restart, after 48 hours without an unlock, and after five failed fingerprint attempts, so Touch ID opens a window rather than replacing the passcode.
The government also could use its extensive database of fingerprints to construct a fingerprint to be used to unlock an iPhone with Touch ID. Fingerprints can also be lifted from the phone itself and used to create a replica that can spoof Touch ID.
I think Apple comes away from its clash with the DOJ looking pretty good. Apple stood up for privacy rights, and the government backed down. In backing down, the government was made to look like it had been lying all along, even if it wasn't.
The DOJ had predicated its demand that Apple be ordered to assist on the assertion that it had no other means of unlocking the iPhone. At the very least, it appears that the DOJ didn't thoroughly investigate its other options.
The vulnerability exposed in NAND mirroring is relatively difficult to exploit, but fairly easy to remedy. I doubt that customers will hold the vulnerability against Apple. Depending on the remedy, customers may be inconvenienced to a greater degree, but there's always Touch ID to fall back on.
I think the ability to claim that Apple's security is so good that even the USG can't penetrate it is absolutely golden. And the more the government complains, the better it makes Apple look, better than BlackBerry (NASDAQ:BBRY), better than Microsoft (NASDAQ:MSFT), better than Google (NASDAQ:GOOG) (NASDAQ:GOOGL). For this reason alone, Apple should close the NAND mirroring vulnerability. I remain long Apple and recommend it as a buy.
Disclosure: I am/we are long AAPL.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.