Eccentric software tycoon John McAfee says he knows the one way a non-Apple employee could unlock the iPhone used by the San Bernardino shooter, and it’s a process that would give the FBI what it wants without requiring Apple to build a backdoor.
Initially, McAfee had joked he would do it with social engineering — i.e., tricking people into helping. “That was all bullshit,” he told Tech Insider in a phone interview. “Of course I’m going to say social engineering, but think about it: How in the hell are you going to social engineer a dead guy’s phone. Get real.”
The real way to hack into the iPhone? At first, McAfee was reluctant to say. “We’re treading a very sensitive line here, my friend,” he said. He called the mobile phone the greatest potential spy device in the world and said he’d never write the absolute truth about how to crack it. “I said I could do it. That’s true. Absolutely, I can do it.”
McAfee said he would tell me how it can be done as long as I didn’t publish it, otherwise he’d “probably get popped by the FBI, or Apple would take out a contract on me.” I wasn’t sure if he was joking or serious, but maybe it was a bit of both. At 70 years old, McAfee is among the old-school hackers who worked on computers in the 1960s and 70s, long before they were mainstream and miniaturized. After programming stints with NASA, Xerox, Lockheed, and others, he became a multi-millionaire once he sold his shares in McAfee Associates, the world’s first antivirus software company, which he founded.
And that’s about where his back story goes off the rails, as the software legend later moved to Belize, surrounded himself with guns and drugs, and then fled after being named a “person of interest” in the murder of one of his neighbors. (He denied any involvement and accused Belize of wanting to kill him.)
Though he is known for his paranoia and despite an almost-unbelievable back story, his technical credentials are well-established. So I heard him out, as he told me about taking apart the hardware in the shooter’s iPhone 5C and working with supercomputers to crack it. After our conversation, I searched within the technical community and noticed others talking about this method. Then I asked if he’d let me publish his comments. “Go ahead,” McAfee wrote to me. “You have my permission.”
‘There is only one way’
“There is only one way for a non-Apple employee to do this, without the help of Apple,” McAfee said. “That is to decap the A6 chip, which is the processor chip inside the iPhone.” McAfee said that if the FBI wanted, it could literally strip the iPhone hardware apart and access the phone’s chip. On this chip is a unique identifier, called a UID, which pairs up with the passcode to create the phone’s encryption key.
If the FBI tried running a supercomputer right now to guess the unlock code, it would be up against a nearly-infinite number of possibilities. But if they had the UID, that number would come down to something more manageable. “Then we’ve got it down to, I don’t know, four or five trillion possibilities,” McAfee said. “Good God, a supercomputer will give us an answer in five minutes.”
It’s a solution that others in the technical community have been discussing recently. One of the top answers on Stack Exchange details how one could use an electronic microscope and laser drilling to get the UID bit by bit, and even Edward Snowden believes it’s a plausible method that’s being ignored by the FBI because the agency wants a court precedent. “The FBI has other means … they told the courts they didn’t, but they do,” Snowden said in a virtual talk hosted by Johns Hopkins University, according to 9to5Mac.
“Other means” are exactly what McAfee describes, though it’s extremely risky. If at any point in de-capping the chip and probing it an error is made, the chip could be destroyed and access to the phone’s memory would be completely lost. But at least one cybersecurity researcher who spoke with ABC News says he has successfully used this method on other targets in the past, while another assumes the NSA has the technical capability and experience to pull it off. “You decap the chip. You get a probe machine. I don’t know if the FBI has got a probe machine. If not, we’ll rent one from the Chinese,” McAfee said.
Also, McAfee said, this method wouldn’t come up against Apple’s built-in security feature that would wipe data off the phone if the passcode is entered incorrectly 10 times, because there wouldn’t be any power to the actual phone itself. “We’re not going to enter the passcode until we find the passcode.”
The method only applies to the shooter’s version of the iPhone, the 5C. Apple implemented a major update to 5S and newer iPhones with its A7 chip featuring a “secure enclave” that theoretically can’t be cracked into even if Apple wanted to. (Although there’s still some debate on that, and Apple has not responded to requests for clarification.) “That’s some seriously tight architecture inside the A7,” McAfee said. “[But] the A6, absolutely, it’s been done. The Chinese have done it.”