PINDROP BLOG

Comey: NAND Mirroring Doesn’t Work

The FBI director says the prevailing theory about the alternative method the bureau is testing for unlocking the iPhone in the San Bernardino case, a technique called NAND mirroring, “doesn’t work.”

Speaking at a press conference Thursday with the United States Attorney General Loretta Lynch regarding the terror attacks in Brussels, FBI Director James Comey said he had heard much of the speculation in the media about the method the bureau is testing, but disputed that it was NAND mirroring.

“I heard that a lot. It doesn’t work,” Comey said in response to a reporter’s question about the technique.

When the government filed a brief earlier this week asking the court to cancel a hearing on whether Apple should be compelled to help the FBI unlock the iPhone used by one of the shooters in the San Bernardino massacre, it said that an outside party had approached the bureau with a technique that could unlock the phone without Apple’s assistance.

“On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone. Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc. (“Apple”) set forth in the All Writs Act Order in this case,” the government’s brief says.

That paragraph set off a storm of speculation in the security and forensics communities about the nature of the technique. Many experts said that the most likely candidate was NAND mirroring, a technique that would allow the FBI to try as many passcode combinations as it wanted without erasing the phone’s data.

“Most of the tech experts I’ve heard from believe the same as I do – that NAND mirroring is likely being used to some degree to brute force the pin on the device. This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip,” Jonathan Zdziarski, a forensics expert, wrote in an analysis of what techniques the FBI might be using.

But Comey said the speculation was incorrect, without giving any further details about what the new tactic might be.

“We now have one that looks like it will work. We tried it on Sunday it looked like it might work,” Comey said.

The FBI originally sought a court order to force Apple to write a backdoored version of iOS to load onto the iPhone involved in the case because the phone was locked and trying to brute force the passcode would result in the data on the device being erased. The FBI said Apple was the only entity with the ability to perform the task because iPhones are designed to load and run only software signed by the company. But the emergence of an unnamed third party with a technique that could accomplish the task has led to questions about whether the FBI could’ve avoided the court drama altogether.

“We tried everything we could think of, asked everybody we thought could help, inside and outside the government, before bringing the litigation,” Comey said. “The notion that we didn’t exhaust all alternatives is silly.”