Securing Phones and Securing Us (Revisited)

By Susan Landau
Thursday, September 15, 2016, 9:05 AM

Readers will recall last spring's battle over the San Bernardino iPhone. The FBI had Syed Farook's work phone, but it was locked, with security protections including a ten-tries-and-you're-out on PIN attempts. The FBI wanted Apple to write a phone update that would override that protection (among other things that would make it easier to search other iPhones). During the height of the battle over accessing the iPhone's data, the FBI claimed that an Apple rewrite was the only way to access the phone's data.

The controversy was resolved when the FBI found a different solution (actually it was only partially resolved; the vulnerabilities equities process remains problematic). That hack into the phone ended the legal battle, but not the overriding fight over securing phones. There, the battle is really over securing all of us versus making investigations easier. Now there is a new aspect here, one that even more strongly makes the case that the FBI needs to do the unlocking—and not go to the courts for help.

Last spring, a technique called "mirroring" the phone's flash chip was suggested as a possible solution. This involves desoldering the chip from the phone, copying it, and retrying the PIN until the correct one is found. But the FBI said this approach wouldn't work.

As it turns out, the FBI was wrong. The technique does work and a University of Cambridge researcher, Sergei Skorobogatov, has just shown how to do so. The effort took him a number of months and some practice along the way. But his results show that with adequate preparation, an iPhone's 4-digit passcode can be found in forty hours (six-digit passcodes would take one hundred times longer under this technique).

This work involved one researcher in a lab buying used iPhone 5cs from eBay (Skorobogatov bought the phones from eBay because they are no longer manufactured). Skorobogatov was able to do what the FBI said was impossible.

The moral of the story? The solution is not, as the FBI has been saying, a bill to make it easier to access encrypted communications, as in the proposed revised Burr-Feinstein bill. Such "solutions" would make us less secure, not more so. Instead we need to increase law enforcement's capabilities to handle encrypted communications and devices. This will also take more funding as well as redirection of efforts. Increased security of our devices and simultaneous increased capabilities of law enforcement are the only sensible approach to a world where securing the bits, whether of health data, financial information, or private emails, has become of paramount importance.