
iPhone 5C passcode bypassed with NAND mirroring attack - xoa
https://arstechnica.com/security/2016/09/iphone-5c-nand-mirroring-passcode-attack/
======
xoa
I made the title match the URL by adding "5C" specifically. Ars sometimes
changes titles around after publishing and in this case I think having "5C"
specified is important as that appears to be the only model that was actually
tested. In the arxiv paper, Section VI. "Future Work", the author writes:

> _The iPhone 5c device being analyzed in this research project was far from
> the latest Apple phones. Since then several new models were introduced such
> as iPhone 5s, iPhone 6 and 6s, iPhone SE and iPhone 7. However, iPhone 5s
> and 6 use the same type of NAND Flash memory devices. It would be logical to
> test them against mirroring._

Which seems to me to show that only the 5C has been tried, and the 5C lacks
the Secure Enclave. Somewhat to my surprise the SE isn't mentioned in the
paper at all, so I'm not sure this actually is applicable to later model
iPhones as the author asserts based purely on NAND type. The replay counter is
stored within the SE itself [1], so mirroring the Flash should be useless in
terms of gaining additional manual input attempts, and thus of rapidly
diminishing importance as older iPhones cycle out of working use.

If this applies only to older devices it's still worth a bit of notice though
as it contradicts what the FBI said earlier in the year, and as there are
plenty of older devices still around. The iPhone 5C itself was only completely
discontinued worldwide this past February (in India, discontinued elsewhere
Sept 2015), and iPads tend to be held onto longer than iPhones, so anyone
using those in a situation where they may face significant threat of physical
attack should keep in mind that they should use an alphanumeric full passcode,
even though since the 5C lacks Touch ID it's less convenient and can't cover
the same gamut of threat profiles.

[1] https://www.apple.com/business/docs/iOS_Security_Guide.pdf

