[cryptography] Commercialized Attack Hardware on SmartPhones

Tom Ritter tom at ritter.vg
Sun Mar 2 10:33:43 EST 2014

Hey all, wondering if anyone knows of any commercialized hardware
(e.g. developed into a product, not just a research paper) that
conducts attacks on powered-on, Full Disk Encrypted Android/iPhone
phones that _isn't_ PIN guessing?

So a powered-off FDE-ed iPhone or Android can be attacked by brute
force with no limiting factor.  A good example of this type of
software is Elcomsoft [0] - they brute force the passphrase.

A powered-on FDE-ed iPhone or Android can also be attacked by manual
or automated PIN entry - on the iPhone this can introduce a lockout,
but not on Android.  Assuming they can't see your smudges and guess
the PIN/Swipe/password of course.  I'm not sure if I know of a
commercialized solution to this that does it electronically, but a
friend of mine built a robot. [1]

But if you have a strong passphrase, things are looking good.  But
what about Cold Boot or DMA?

I don't believe you can do a DMA attack against most Android phones -
it's just a USB port.  But what about the HDMI-mini port?  And is the
iPhone Thunderbolt/Lightning connector hooked up to DMA?

As far as cold boot, I'm aware of the FROST paper[2], but that isn't a
commercialized offering, nor does it seem reliable or robust enough
for law enforcement needs.  Chip-off attacks are very unlikely.  AFAIK
iPhone jailbreaks require you to unlock your phone for technical
reasons, so those aren't possible without an unlocked phone (although
I'm not positive about that.)

Does anyone know about anything in this space? Where an 'ordinary' law
enforcement agency (e.g. the NYPD, not the NSA) could shortcut a
strong passphrase on a phone technically? (e.g. not beating it out of


[0] http://www.elcomsoft.com/eift.html#passcode
[1] http://boingboing.net/2013/07/26/pin-punching-200-robot-can-br.html
[2] https://www1.informatik.uni-erlangen.de/frost
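As an added illustration of the "powered-off, no limiting factor" point above (this is example code, not part of Tom Ritter's message, not Elcomsoft's product, and not the real Android or iOS crypto-footer format), the Python below models an offline attack on a PIN-wrapped disk master key. The footer layout, the XOR key wrapping standing in for AES, the 2000-iteration PBKDF2 count and the sample master key are all constructed assumptions; what carries over is the shape of the attack: image the footer once, then run the KDF against guesses as fast as the attacker's hardware allows, with no lockout and no device involved.

```python
import hashlib
import hmac
import itertools
import os
import time
from typing import Optional, Tuple

# Constructed model, not the real Android/iOS on-disk format (assumption):
# the disk master key is wrapped under a key derived from the PIN with a
# low iteration count, and a check value lets a guess be verified offline.
ITERATIONS = 2000                     # assumption: a 2014-era, deliberately low count
SAMPLE_MASTER_KEY = bytes(range(32))  # constructed 256-bit master key

def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key from the user secret via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, 32)

def xor_wrap(key: bytes, kek: bytes) -> bytes:
    """XOR stands in for AES key wrapping (stdlib has no AES); it is its own inverse."""
    return bytes(a ^ b for a, b in zip(key, kek))

def make_footer(secret: str, master_key: bytes) -> dict:
    """Build the constructed 'crypto footer' an attacker would image from the device."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "wrapped_key": xor_wrap(master_key, derive_kek(secret, salt)),
        "check": hmac.new(master_key, b"offline-check", "sha256").digest(),
    }

def try_secret(footer: dict, secret: str) -> Optional[bytes]:
    """Unwrap with a guessed secret; return the master key if the check matches."""
    candidate = xor_wrap(footer["wrapped_key"], derive_kek(secret, footer["salt"]))
    tag = hmac.new(candidate, b"offline-check", "sha256").digest()
    return candidate if hmac.compare_digest(tag, footer["check"]) else None

def brute_force_pin(footer: dict, digits: int = 4) -> Tuple[Optional[str], Optional[bytes]]:
    """Offline search of the whole numeric PIN space; nothing throttles this loop."""
    for tup in itertools.product("0123456789", repeat=digits):
        pin = "".join(tup)
        master = try_secret(footer, pin)
        if master is not None:
            return pin, master
    return None, None

def measure_rate(footer: dict, samples: int = 200) -> float:
    """Guesses per second on this machine through the KDF."""
    start = time.perf_counter()
    for i in range(samples):
        try_secret(footer, f"{i:06d}")
    return samples / (time.perf_counter() - start)

def expected_seconds(keyspace: int, rate: float) -> float:
    """Average time to hit the secret: half the keyspace at the measured rate."""
    return keyspace / 2 / rate

if __name__ == "__main__":
    footer = make_footer("4711", SAMPLE_MASTER_KEY)
    print("recovered PIN:", brute_force_pin(footer)[0])
    rate = measure_rate(footer)
    print(f"{rate:,.0f} guesses/s on this machine")
    for label, space in [("4-digit PIN", 10**4), ("6-digit PIN", 10**6),
                         ("8 printable chars", 95**8), ("14 printable chars", 95**14)]:
        print(f"{label:>18}: {expected_seconds(space, rate):.3g} s")
```

Running it shows why the strong-passphrase case "looks good" even without any lockout: a 4-digit PIN falls in seconds at single-core Python speed, while the same loop over a 14-character printable passphrase is out of reach no matter how the footer is extracted. The only knobs the defender controls in this model are the secret's entropy and the KDF cost.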
