Hacking the iPhone PIN retry counter

At our security group meeting on the 19th August, Sergei Skorobogatov demonstrated a NAND backup attack on an iPhone 5c. I typed in six wrong PINs and it locked; he removed the flash chip (which he’d desoldered and led out to a socket); he erased and restored the changed pages; he put it back in the phone; and I was able to enter a further six wrong PINs.

Sergei has today released a paper describing the attack.

During the recent fight between the FBI and Apple, FBI Director Jim Comey said this kind of attack wouldn’t work.
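To make the mechanism of the demonstration above concrete, here is a small Python model written for this page (not code from Sergei's paper or from Apple). It is a constructed toy: the "NAND" is a dictionary of pages, and the PIN, page names and the hardened variant are assumptions. It shows why restoring a backup of the flash pages also restores a retry counter that lives only in the flash, and how a counter cross-checked against a monotonic value held outside the backed-up storage detects the rollback instead.

```python
"""Toy model of a NAND backup ("mirroring") attack on a PIN retry counter.

Constructed illustration only; nothing here is iOS code.  Two designs:
  * FlashCountedPhone: the retry counter is stored only in rewritable NAND,
    so restoring a dump of the NAND pages also rewinds the counter.
  * MonotonicCountedPhone (assumed hardened design): each failed attempt is
    also recorded in a monotonic counter that the NAND dump does not cover,
    so a restored page is recognised as stale and the lock stays in place.
"""
from dataclasses import dataclass, field
import copy

MAX_ATTEMPTS = 6
CORRECT_PIN = "1234"   # constructed sample value, not a real PIN


@dataclass
class Nand:
    """Rewritable flash modelled as a page map that can be dumped and restored."""
    pages: dict = field(default_factory=dict)

    def dump(self) -> dict:
        return copy.deepcopy(self.pages)

    def restore(self, image: dict) -> None:
        self.pages = copy.deepcopy(image)


class FlashCountedPhone:
    """Retry counter kept only in NAND."""

    def __init__(self):
        self.nand = Nand({"retry_count": 0})

    def locked(self) -> bool:
        return self.nand.pages["retry_count"] >= MAX_ATTEMPTS

    def try_pin(self, pin: str) -> str:
        if self.locked():
            return "locked"
        if pin == CORRECT_PIN:
            self.nand.pages["retry_count"] = 0
            return "unlocked"
        self.nand.pages["retry_count"] += 1
        return "wrong"


class MonotonicCountedPhone(FlashCountedPhone):
    """Same design plus a monotonic counter that lives outside the NAND image.

    Every failed attempt bumps the monotonic counter and writes its value to
    NAND.  After a restore the NAND copy lags behind, the mismatch is detected
    and the phone is treated as locked.
    """

    def __init__(self):
        super().__init__()
        self.monotonic = 0                 # assumed to be outside the backup
        self.nand.pages["mono_seen"] = 0   # last monotonic value written to NAND

    def rollback_detected(self) -> bool:
        return self.nand.pages["mono_seen"] != self.monotonic

    def locked(self) -> bool:
        return self.rollback_detected() or super().locked()

    def try_pin(self, pin: str) -> str:
        if self.locked():
            return "locked"
        result = super().try_pin(pin)
        if result == "wrong":
            self.monotonic += 1
            self.nand.pages["mono_seen"] = self.monotonic
        return result


def wrong_pins_accepted(phone_cls) -> int:
    """Count wrong PINs the phone accepts over two rounds separated by a
    restore of the NAND image taken before any guessing."""
    phone = phone_cls()
    image = phone.nand.dump()            # backup taken before the first guess
    accepted = 0
    for _ in range(2):
        while phone.try_pin("0000") == "wrong":
            accepted += 1
        phone.nand.restore(image)        # put the original pages back
    return accepted


if __name__ == "__main__":
    print("flash-only counter:", wrong_pins_accepted(FlashCountedPhone))
    print("monotonic cross-check:", wrong_pins_accepted(MonotonicCountedPhone))
```

With the flash-only design the restore rewinds the counter and a second round of six wrong PINs is accepted, which is exactly what the demonstration showed; with the monotonic cross-check the restored page no longer matches and the phone stays locked. The hardened variant does mean a restored device needs a separate recovery path, since the legitimate owner is locked out too; that trade-off is part of why the anchor for such a counter matters.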

10 thoughts on “Hacking the iPhone PIN retry counter”

  1. Surely the University of Cambridge computer scientist could be doing something more useful than bragging about hacking into iPhones. Do some proper work!

    1. Er… No. You would rather someone expose the flaw publicly than someone with alternative motives exploit it privately wouldn’t you?

    2. How is this not useful to anyone in the security industry, let alone the whole issue of whether the FBI could break the iPhone in the recent case? Science is about investigating answers and many people wanted to know if this could be done. What do you define as proper work?

  2. An impressive reverse engineering, but Chinese iPhone NAND programmers have existed for a long time. Search AliExpress for “iphone nand programmer” – there are all kinds of tools: LGA60 sockets, programmers, even complete jigs where you put an iPhone board w/o NAND chip, then screw a pogo-pinned NAND socket on top of it.

    1. Yes, that is true, but they will not perform the part of mirroring the NAND. These programmers are mainly used to write the needed serial numbers to a (new) NAND in order to work when put back on the device, or to remove the wifi number when replacing the wifi IC. Besides this, there are no testpoints or contact points on iPhone 7 models and up where you can program the NAND without removing it.
