How To Hack An iPhone: ‘Decapping’ Process Is Risky And Could Destroy The San Bernadino Shooter’s iPhone Forever

At a congressional hearing this week, FBI Director James Comey answered the most intriguing question thus far in the epic battle between Apple and the FBI over cracking a terrorist's iPhone. The question came from Rep. Judy Chu, a Democrat from California: Has the FBI given the National Security Agency a whack at cracking open the phone?

“Yes is the answer,” Comey testified. “We’ve talked to anybody who will talk with us about it, and I welcome additional suggestions.”

The FBI’s argument in this case rests on the fact that the bureau has exhausted every technical option it has at its disposal to pry open the work phone of Syed Farook, one of the shooters in December's San Bernadino, California, terrorist attack. And because the FBI says it hasn’t found a solution, it wants a judge to force Apple to write new code to get “backdoor” access to it.

But even though the FBI claims it has tried everything in its power to break into this particular iPhone (including tapping the NSA for help), some have speculated that the FBI could contract with private companies to do what the NSA can't.

One technique investigators could theoretically employ is a process called “decapping,” where an engineer would physically take out the phone’s memory chip and use a combination of acid and a tiny laser drill to extract bits of data. It wouldn’t be used to get at the encrypted data directly. Instead, investigators would use it to extract the iPhone’s unique ID and the algorithm that generates the code that decrypts and unlocks the phone.

If investigators had those two pieces, they could offload the encrypted data from the iPhone onto a computer and “brute force” guess the correct code. A similar technique was used by Ottawa, Canada’s Chipworks to extract data from a damaged flight computer recovered from the wreckage of Swissair 111, which crashed near Halifax, Nova Scotia, in 1998, according to the Wall Street Journal. The difference in this case is that the chips used by an iPhone contain much smaller circuitry and would make the procedure more difficult.

The larger point is that decapping is an extraordinarily risky process that could wipe the data if the drill were off by even a couple of microns. Andrew Zonenberg, a researcher with Seattle-based security firm IOActive, recently noted: “If at any point there's even a slight accident in the decapping or attack process, the chip could be destroyed and all access to the phone's memory lost forever.”

In other words, decapping might just be way too risky in this instance. However, at least one private company in the digital forensics market, Israel-based Cellebrite, says on its website that it can perform digital extraction, decoding and analysis on “Apple devices running any iOS version!" In fact, the Department of Justice even has a sole-source contract with Cellebrite to use its tools to “quickly extract phonebook, pictures, videos, SMS messages, call histories” from mobile phones, according to federal contracting documents posted online.

However, digital forensics investigators warn these sorts of claims are likely totally bogus.

“There’s nothing that anybody can do — there’s no technology, and there’s no secret trick, that anybody’s developed yet that would bypass these security measures,” said Yaniv Schiff, director of digital forensics at Forensicon, a Chicago-based consulting firm. “There are vendors that offer password-cracking methods, but only for previous releases of the iOS platform.”

Cellebrite would not comment to International Business Times on whether the FBI asked it for help on extracting information from the shooter’s phone, but according to several experts interviewed for this story, it’s a moot point. They said the reality is that for the particular phone in question, even if the FBI used Cellebrite’s hacking software, the Feds still wouldn’t be able recover the information on the phone, no matter what Cellebrite’s marketing department would like police to believe. That’s because the shooter’s phone is an iPhone 5c, running iOS 9. It’s the latest version of the iOS mobile operating system, for which Apple developed additional security measures — purportedly unbreakable even to Cellebrite’s high-tech hacking methods.

Cellebrite’s core product used by police, called the Universal Forensic Extraction Device (UFED), extracts data from phones. If the phone has a passcode, police can use the company’s signature product, called Physical Analyzer, which “enables users to brute-force complex passcodes based on a dictionary created in advance.” In other words, the system will keep guessing passwords on the phone until it gets the right one.

However, when Apple upgraded its operating system to iOS 9, the company addressed this potential security weakness. One of the enhanced security features on the iPhone belonging to Farook, who was killed in the attack, is a “wiping” mechanism that clears all the phone’s data if a password is entered incorrectly 10 times. Because Cellebrite’s product uses a brute-force method to guess thousands of passwords over and over in order to break a phone’s passcode, the usual trick wouldn't work. In fact, even though Cellebrite claims on its website it can crack “any iOS version,” a review of more specific marketing materials reveals its extraction methods work only on iPhones running up to version 8.4.

Ryan Duquette, a former digital forensic investigator for the Peel Regional Police in Ontario, said there’s no off-the-shelf product that could be used to crack the iPhone Farook was using in the way it was configured. “It's not like you see on CSI,” said Duquette, the founder of Hexigent Consulting, a Toronto-based consulting firm specializing in digital investigations. “It's incredibly challenging. Apple's encryption makes it almost impossible to get into some of these devices.”

Other firms, like Virginia-based Oxygen Forensics, say they have the capability to unlock any iOS device running from the original iPhone to the iPhone 6 and 6 Plus. So states the Oxygen Forensics website, but again, there is no known technology available to break a device running on iOS 9. Moscow-based ElcomSoft says it has tools that can be used to extract data from an iPhone, but the caveat here is that the tools work only on a "jailbroken" device, having undergone a process that bypasses Apple’s software restrictions. Since the process use software exploits in iOS code, Apple is usually quick to patch the holes.

A representative of one of Cellebrite’s major competitors, Toronto-based Magnet Forensics, whose services were used by investigators in the 2013 Boston Marathon bombing case, declined to comment on record about whether the FBI used its software on the San Bernardino shooter's phone. However, the representative pointed to the company’s own marketing materials, which make it very clear that recent developments in Apple encryption have made it harder for it to help police when a suspect’s phone is running on iOS 9.

For instance, one of Magnet Forensics’ core products, called Magnet Acquire, offers “an approach designed to deal with the new realities and constraints brought about by enhanced security features and encryption that Apple and Google are adding to iOS and Android,” according to its website. However, the company noted that there’s an “increasingly narrow range of viable methods to acquire smartphone images regardless of the digital forensic tools that you’re using.”

In other words, some phones seemingly cannot be hacked using any company’s products. Yaniv Schiff, the forensics expert, said that while some companies may claim they be able to get into the shooter’s phone as a marketing ploy, the reality is that it’s impossible.

“From a publicity standpoint, and from a marketing standpoint, that mystique plays up your abilities as an examiner,” Schiff said. However, he said, “it sounds like [the FBI] has exhausted all their options, and all that's left is to backdoor their way into the phone. At this point, the only people that can really help them do that is Apple.”

That is, unless antivirus pioneer John McAfee can help out. Much to the amusement of many forensics experts, McAfee offered to crack the iPhone for free on national television. His plan? Crack open the phone, find “secret code,” and boom. “It is that trivial,” he said — "a half an hour.” But it’s a technique that technical experts have roundly criticized (“His plan to crack the iPhone will not even begin to work,” one wrote).