Hardware hack bypasses iPhone passcode security

“iPhone passcodes can be bypassed using just £75 ($100) of electronic components, research suggests,” BBC News reports. “A Cambridge computer scientist cloned iPhone memory chips, allowing him an unlimited number of attempts to guess a passcode.”

“The work contradicts a claim made by the FBI earlier this year that this approach would not work. The FBI made the claim as it sought access to San Bernardino gunman Syed Rizwan Farook’s iPhone,” The Beeb reports. “Dr Sergei Skorobogatov, from the University of Cambridge computer laboratory, has spent four months building a testing rig to bypass iPhone 5C pin codes. In a YouTube video, Dr Skorobogatov showed how he had removed a Nand chip from an iPhone 5C – the main memory storage system used on many Apple devices.”

“He then worked out how the memory system communicated with the phone so he could clone the chip,” The Beeb reports. “He then worked out how the memory system communicated with the phone so he could clone the chip. And the target phone was modified so its Nand chip sat on an external board and copied versions could be easily plugged in or removed.”

“In the video, Dr Skorobogatov demonstrated locking an iPhone 5C by trying too many incorrect combinations. He then removed the Nand chip and substituted a fresh clone, which had its pin attempt counter set at zero, to allow him to keep trying different codes,” The Beeb reports. “‘Because I can create as many clones as I want, I can repeat the process many many times until the passcode is found,'” he said. Known as NAND mirroring, the technique is one FBI director James Comey said would not work on Farook’s phone.”

Read more in the full article here.

U.S. FBI Director James Comey
U.S. FBI Director James Comey
MacDailyNews Take: Well, if Lyin’ Comey said it, it must not be true. No research required.

Dr. Skorobogatov’s research report is here.

FBI Director Comey calls for national talk over encryption vs. safety – August 8, 2016
Feckless FBI unable to unlock iPhone, even with a ‘fingerprint unlock warrant’ – May 12, 2016
FBI’s Comey says agency paid more than $1 million to access San Bernadino iPhone – April 21, 2016
Nothing significant found on San Bernardino’s terrorist’s iPhone – April 14, 2016
FBI director confirms hack only works on older iPhones that lack Apple’s Secure Enclave – April 7, 2016
Apple responds to FBI: ‘This case should have never been brought’ – March 29, 2016
Zdziarski’s take on the FBI’s ‘alternative’ method – March 23, 2016


  1. Yeah right!! Simple. Just unsolder the 100+ pins on the nand chip and plug it into a host phone modified with an external nand chip socket. So easy anyone could do it! What if the stored data is encrypted?

    1. We do it all the time. Any PCB assembly shop has the tools to re-work. Adapters are available for any footprint and therefore, yes, anybody in the electronics assembly business can do it..

      A 1 byte counter value is probably not encrypted.

  2. I suspect the next guy who tries this will emulate the Nand chip to eliminate the need to plug in a new one. Then the question is how long will it take to try 9,999 or 999,999 codes to break the target phone.

    Evidently Lyin’ Comey is technically challenged.

    1. I’m probably wrong but assuming following is true

      NAND cloning even works for this purpose…
      the NAND could be emulated so that a “restore” is instant
      the pass code takes 3 second to enter
      the iPhone takes 60 seconds to boot

      my estimated time is somewhere around 42 hours for a 4-digit passcode…

      Now… if that were a 6-digit pass code that time goes up to 173 DAYS…

      Let this be a lesson… use the 6-digit or alphanumeric pass code option!

      1. Correct. Or use an even longer passcode, with as many different types of characters as possible, in as random an order as possible.

        This of the following passcodes is going to be cracked sooner:


        Dictionaries are the first tool used to crack a passcode. They consist of a list, in most commonly used order, of well known numbers, words and phrases. After the dictionary attacks are exhausted, then the attacker is forced to throw random guesses at the machine. If your passcode is never going to show up in an attack dictionary…

        [For those concerned: I write from the point of view of someone who whole-heartedly supports the US Constitution, including the Fourth Amendment as well as the full rights they confer upon US citizens. It’s never about enabling bad guys. It’s about protecting We The People from totalitarian bastards.]

    1. Sorry. I went and actually read the article, and see that this is mainly about showing the FBI is full of s**t when they claimed they could not hack the phone. I assume that this is what the company that the FBI contracted did in the end anyway.

  3. Here’s the thing as I understand it (which could be wrong) , the headline says that the technique bypasses passcode security. And that is true in the sense that it allows the perpetrator to make as many passcode guesses as they want. But the technique does not bypass the passcode itself; it has to be guessed. So they set up a computer to guess pass codes as fast as possible. But isn’t it true that if you have a strong passcode, that they can guess for 100 years and not guess your passcode? For instance, my passcode is 14 characters long and is a mixture of uppercase, lowercase, numbers and symbols. I have it memorized, but rarely have to use it since I use touch ID. On top of that, I have my pass code stored in MSecure. So if the touch ID fails to work, and I cannot remember my passcode, I can use touch ID on one of my other devices and retrieve the passcode. It works great! And I doubt that the technique described above would result in the perpetrator gaining access to my data. Does this sound right, or am I delusional?

      1. Exactly. The big old demon the FBI needed to overcome was the ’10 guesses, you’re locked out forever’ rule on iPhones. That’s been overcome. Now the big old demon is having to bombard the iPhone’s system with passcode guesses. If one’s passcode is long enough, our contemporary computers could be bombarding the iPhone with guesses until the end of the universe. But hey, that first demon was overcome, so maybe this next one…

  4. To try all 10,000 possible combinations of a four digit passcode, using the method shown here, he’d have to rebuild his cloned chip 1667 times. . . and re-insert and restart the iPhone each time. This is not a very quick system.

  5. Q: How technologically savvy is the FBI?
    A: Obviously NOT.

    Silly Mr. Comey still wants to pretend impenetrable encryption doesn’t exist, free for any and all to use at any time for any purpose. He’s had the world’s encryption experts tell him in quite clear language that’s he’s wrong. But because he’s a technology illiterate, he hears nothing.

    So of course the FBI was wrong about hardware hacking an iPhone. I remember reading about how it could be done. Then senile McAfee barfed all over the news with his loony rantings about same, distracting everyone from serious methods of hardware hacking. Now it’s been done. Surprise.

    Will the FBI bother to learn how to do this themselves? No. They’ll waste our tax money paying others to do their job for them because they REFUSE to become technologically savvy. I think of them as pouting little children at this point, probably because of Mr. Comey’s incompetent leadership.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.