NAND mirroring

NAND mirroring is a technique for breaking security on mobile devices that use NAND flash memory chips to handle encryption. The term gained national attention when it was suggested that NAND mirroring was how the U.S. Federal Bureau of Investigation (FBI) broke into the mobile phone of Syed Rizwan Farook, one of the perpetrators of a 2015 terrorist attack in San Bernardino, California.

NAND mirroring is most commonly associated with Apple's iPhone 5C because that phone's encryption security is tied to the NAND chip itself, which makes it impossible to attack the encryption separately from the chip. When there are more than 10 failed attempts at guessing the encryption password, the device's security feature renders the NAND chip useless. This is commonly described as destroying the chip, but nothing is physically damaged; the security feature simply prevents the chip from reading or writing data.

All proposed NAND mirroring techniques start with desoldering and removing the NAND flash memory chip from the device mainboard. The chip is then placed in a separate device that allows it to be cloned, or mirrored, onto another chip. This could be a series of identical but empty NAND chips, or a field programmable gate array (FPGA) chip.

In either case, the mirrored chip would typically be placed into a separate device connected to the original device's NAND chip socket so it appears that the original NAND chip is installed. Software on the external device would then run a series of password attempts until the security feature is triggered and the NAND mirroring chip is rendered useless.

Video: a concept simulation of a NAND mirroring attack on an iOS 9.0 device by security expert Jonathan Zdziarski.

In the case of an identical NAND mirror chip, the now useless mirror is discarded and a new mirror chip is put in for another 10 attempts at guessing the password. Using an FPGA, the re-programmable chip is simply mirrored again and the process of making 10 guesses begins once more. The advantage of the FPGA is that it doesn't need to be physically swapped every time the 10-guess limit is reached; it just needs to be re-mirrored. The advantage of identical NAND mirror chips is that they are much less expensive than FPGA chips.
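To make the defensive lesson of the swap-and-retry loop concrete, here is an added toy model (not code from the page, from Apple or from any researcher named here) of a passcode retry counter: held only in cloneable NAND, every re-mirror of the original image hands back another 10 guesses, whereas a counter bound to a monotonic value in storage that cannot be mirrored detects the restored image as a rollback and refuses it. The class and function names, the `"refused"`/`"wrong"`/`"unlocked"` results and the PIN value are constructed for this example.

```python
import copy
from dataclasses import dataclass

MAX_ATTEMPTS = 10   # lockout threshold described on the page
PIN = "4821"        # constructed sample passcode

@dataclass
class Nand:
    """Cloneable storage: a mirror is a byte-for-byte copy of this state."""
    failed_attempts: int = 0
    locked: bool = False

@dataclass
class SecureCounter:
    """Stand-in for a tamper-resistant counter that cannot be mirrored."""
    value: int = 0

def try_pin_nand_only(nand: Nand, sec: SecureCounter, guess: str) -> str:
    """Counter lives only in NAND; restoring a mirror silently resets it."""
    if nand.locked:
        return "refused"
    if guess == PIN:
        return "unlocked"
    nand.failed_attempts += 1
    nand.locked = nand.failed_attempts >= MAX_ATTEMPTS
    return "wrong"

def try_pin_anchored(nand: Nand, sec: SecureCounter, guess: str) -> str:
    """NAND keeps only a copy of the count; a copy behind the secure counter is a rollback."""
    if nand.locked or nand.failed_attempts != sec.value:
        nand.locked = True
        return "refused"
    if guess == PIN:
        return "unlocked"
    sec.value += 1                      # monotonic: never reset by re-mirroring
    nand.failed_attempts = sec.value
    nand.locked = nand.failed_attempts >= MAX_ATTEMPTS
    return "wrong"

def guesses_available(anchored: bool, mirror_rounds: int = 3) -> int:
    """Wrong guesses an attacker gets to evaluate across repeated re-mirrors."""
    try_pin = try_pin_anchored if anchored else try_pin_nand_only
    pristine, sec, evaluated = Nand(), SecureCounter(), 0
    for _ in range(mirror_rounds):
        nand = copy.deepcopy(pristine)  # re-mirror from the original image
        for i in range(MAX_ATTEMPTS + 5):
            if try_pin(nand, sec, f"{i:04d}") == "refused":  # 0000..0014, never PIN
                break
            evaluated += 1
    return evaluated
```

With three re-mirrors the NAND-only model yields 30 evaluated guesses, the anchored model only 10, which is why later designs keep the attempt counter outside the mirrorable flash.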

No confirmed field use of NAND mirroring

The FBI has not confirmed how it gained access to Syed Rizwan Farook's iPhone 5C, so there is no proof that NAND mirroring has worked in the field. In the wake of the speculation that followed the FBI's announcement that it had access to the phone, Dr. Sergei Skorobogatov, a senior research associate in the security group at the Computer Laboratory at the University of Cambridge, demonstrated that it was possible, using brute-force guessing, to break a four-digit password on an iPhone 5C in 40 hours. In a research paper he published, Skorobogatov estimated that breaking a six-digit password would take hundreds of hours, but was still possible.

This was last updated in January 2017
