
John McAfee, the Barney Fife of Cyber Security Gurus

This article is a response to the video in which John McAfee claimed he could crack the iPhone used by the San
Bernardino terrorist in 30 minutes.

Below is an excerpt describing the steps John McAfee would take to complete the task:

“The hardware engineer takes the phone apart and it [sic] copies the instruction set, which is the iOS and
applications [sic] and your memory, and then you run a piece, a program called a disassembler which takes all the
ones and zeroes and gives you readable instructions. Then, the coder sits down and he reads through, and what
he's looking for is the first access to the keypad, because that's the first thing you're doing when you input your
pad. It'll take half an hour. When you see that, then you reads the instruction for where in memory this secret code
is stored. It is that trivial. A half an hour.” – John McAfee – RT (Russia Today) interview on the Neil Cavuto show – found at
https://www.rt.com/op-edge/334092-mcafee-iphone-fbi-apple/

If you wish to watch the entire video, it is on YouTube: https://www.youtube.com/watch?v=MG0bAaK7p9s

The Facts:

The model in question is an iPhone 5C with iOS version 9 installed.

The FBI asked Apple to build a new version of the operating system that bypasses iPhone security
features, and then to install this new OS on the iPhone 5C used by the terrorist. The goal of the request is to
remove the built-in auto-wipe after 10 failed tries, a feature of the current iOS intended to
defeat brute-force cracking of the PIN code or passcode, and to add the capability of entering
passcode tries electronically. This would allow the FBI unlimited tries to gain access to the iPhone using a
computer system that can make thousands of attempts to enter the correct code to unlock the phone.

(What is Brute Force cracking: https://en.wikipedia.org/wiki/Brute-force_attack )

On iOS 8 or lower, data could be extracted from an iPhone with a lawful court order.

Apple provided a copy of the iPhone data to the FBI.

While the iPhone was in FBI custody the Apple ID password was changed, making it impossible to access
iCloud services and removing the best option the FBI had.

Let’s take a look at his boastful suggestion in detail and why it fails in such an obvious manner.
The first problem is that the PIN code is not stored in any area of the iPhone (flash storage, RAM, or any other
memory). The second problem is that everything that is saved is encrypted at rest, including the
boot-up process, software updates, and the Secure Enclave.

The method that Mr. McAfee suggests requires that the PIN is saved on the phone and that it is not
encrypted.


In response to criticism, Mr. McAfee now suggests the process below:

“I hope everyone knows that the Apple explanation was VASTLY dumbed down for the press. I know the A7 system
chip well, including its secure enclave with separate coprocessor that stores the encrypted fingerprint, the
ephemeral key generated by the co-processor that even Apple doesn't know, the secure enclave memory isolated
from the rest of the processes on the chip, etc. Doesn't matter. The main ARM processor has its own memory and
that's what I'm interested in. I will simply sidestep calling the secure enclave and pretend it doesn't exist. I'm not
trying to get encrypted data, merely trying to force a complete boot of IOS. Trivial, given the fact that the entire A7
system chip has been expanded into a board with separate components for every subfunction of the chip. on the
board, the secure enclave processor and it's memory are fully accessible, even though we won't need it. made in
China.” – John McAfee – YouTube message 3/1/2016 – found at https://www.youtube.com/watch?v=MG0bAaK7p9s

To be clear, the process Mr. McAfee is now suggesting is completely different from the one he
suggested during his interview with RT. This suggestion doesn’t use a disassembler, which was the focus
of his first suggestion.

Saying that the explanation was dumbed down for the press seems disingenuous.

The iPhone 5C uses the A6X chip, not the A7, and it doesn’t have a Touch ID fingerprint scanner. The Secure Enclave
was fabricated within the A7, not in the A6X. It is hard to take someone seriously if they can’t get the
basic components right for the device he is claiming he can circumvent. It’s like a neurosurgeon
operating without mapping your brain, saying “I have done hundreds of similar brain surgeries and things
are pretty much located in the same spot” … scary.

While the idea that Mr. McAfee is now putting forward goes further than the first one, the fundamentals are
missing.

Mr. McAfee is essentially saying that he would bypass the secure boot chain, skipping past the security to
access the 1 GB of memory on the A6X and boot iOS. The result of Mr. McAfee’s actions would be the
iPhone 5C entering recovery mode or DFU (Device Firmware Upgrade) mode if the Boot ROM is not able
to load or verify the LLB (Low-Level Bootloader). This means the data is wiped and lost forever…

Unfortunately, due to the mishandling of the iPhone, the FBI has only two options left to try.

Option 1: Decapping – a risky option that takes months of work by a hacker to learn the iPhone’s UID. It
requires using acid and a focused ion beam on a specific area to find the matching UID, then using small
probes on the target location to read bit by bit until they get the algorithm used to generate the user’s
passkey. Once that is complete, they have 9 tries to unlock…

Option 2: Use a microscopic drill bit to pierce the chip, then use an infrared laser to access the UID
algorithm.

Option 2 is considered the less risky; it has been successfully used by a hardware hacker named Chris
Tarnovsky on the Xbox 360 game console. It required the use of an electron microscope and a focused ion beam, took 4
months, and fried 50 chips. So you can see that while it is possible, it is extremely risky.

(For more information on the hack Chris Tarnovsky executed on the Xbox 360 game console see:
http://www.independent.co.uk/life-style/gadgets-and-tech/news/supergeek-pulls-off-near-impossible-crypto-chip-hack-1894052.html )

I hope you found this article interesting and that it provided deeper insight into the issues.

Info on the A6X:

The A6 is custom made for Apple; it is not a simple license of an ARM Cortex-A9 or ARM Cortex-A15.
Apple designed its own chip based on the ARMv7 architecture, called the Apple A6X. The A6X has 1 GB of
“processor on package” system memory, Elpida DDR2 1066 MHz (for more details on the
custom A6 processor used in the iPhone 5C: https://www.ifixit.com/Teardown/Apple+A6+Teardown/10528 ).

Since Mr. McAfee is considered an expert and doesn’t even know which processor is being used, it is
hard to take him seriously when he can’t get the basic details right. It stands to reason that
anything said about a specific processor or security feature that doesn’t exist in this model of iPhone is
irrelevant… As it happens, in this case his basic premise is wrong either way, and that has
nothing to do with the processor used or the security features of the Apple model.

When the iOS device is turned on, its application processor immediately executes code from read-only
memory called “Boot ROM”.
This means that even if everything Mr. McAfee said worked perfectly, the hardware engineer would use the disassembler
software to create an exact copy of the data and turn it over to the software engineer, who would comb the output
looking for the “first access” and find no actionable data.

The iPhone unlocks by proving a combined encryption key, not by comparing a PIN.

The PIN code is verified by combining the input with the hardware ID to generate an encryption key, NOT by
comparing the keyed PIN to a valid PIN code saved on the flash storage.

No technology has yet been invented that can recover data from flash storage if that data was never
saved to it.


I find the suggestion that the explanation was dumbed down for the press disingenuous, and it seems to
be an attempt to take further advantage of those who don’t understand the technology but assume that, due to name
recognition and the fact that he is on TV saying it, it must be true. That is what motivated me to
write this article, in an attempt to bring better understanding.


For more details regarding iOS 9: https://www.apple.com/business/docs/iOS_Security_Guide.pdf


I am unsure what Mr. McAfee’s motivation is, but clearly it is not intended to help. It appears aimed at
convincing people who are not professionals that he knows what he is talking about, rather than taking the upfront approach and admitting
that his suggestion of using a disassembler would not work and is completely different from his new
suggestion, not even in the same ballpark.

What he is suggesting now is new.

The iPhone PIN is not stored because it is not needed. At the time you manually enter a PIN, the iPhone
takes the keyed input and combines it with the hardware ID to generate an encryption key. Then the
iPhone uses the generated key to unlock the encrypted files.

If the generated encryption key can’t unlock the files, then the PIN entered is wrong. This idea is not
unique to Apple; most encrypted storage systems don’t store the passcode on disk.

To help ensure this discussion stays limited to what is actually possible, we should narrow the focus to
the specific iPhone model that the FBI is dealing with, which is an iPhone 5C running iOS 9. This means it
has no fingerprint scanner and no Secure Enclave (the Secure Enclave is embedded in the A7, not the A6X).

The reason brute force fails is that you can’t send passcode tries to an iPhone electronically, which is
one of the things the FBI is asking Apple to change. This means that a human will need to manually
key in the passcodes one at a time. You have 10 attempts, but remember that you only get 6 free; after
that the device locks and the passcode delay starts adding additional time to the brute force… Combine
that with the fact that while the iPhone was in FBI custody the Apple ID password associated with the
phone was changed. Changing that password severed the connection the phone had to iCloud services.
This means the FBI lost the ability to back up the iPhone… Before that happened the FBI did get at least
one copy of the data, so they essentially have 20 tries.

Brute force is not a realistic option in this case for several reasons.

1. You can’t employ powerful systems, since the iPhone requires the passcode to come in via the keypad,
which means it must be manually keyed in, probably by a human.

2. You only get 6 failed attempts; then the iPhone locks and adds wait time.

3. The FBI lost the ability to make further copies by changing the Apple ID password associated with the iPhone.
They are limited to the copies they currently have, which they would then have to actually use for brute
force. Meaning if they have 2 copies, they have essentially 20 attempts to enter the correct code, and every
copy is lost after its 10 failed passcodes. Essentially making it a task that dies.
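The following is an added model, written for this article and not Apple’s code, of the two points made above: a passcode is tangled with a hardware UID to derive a key, and a wrong passcode is detected only because the derived key fails to unwrap the stored class key (so flash never holds the PIN); the same model enforces the attempt policy the article describes (6 free tries, delays after that, wipe on the 10th failure). The UID value, the PBKDF2 parameters and the delay schedule are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the per-device UID fused into the SoC (assumption).
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")
FREE_ATTEMPTS = 6   # per the article: six tries before delays kick in
WIPE_AT = 10        # per the article: the tenth failure auto-wipes
# Assumed, illustrative delay schedule (seconds) for failures 7, 8 and 9.
DELAYS = {7: 60, 8: 300, 9: 3600}

def derive_key(passcode: str, salt: bytes, uid: bytes = DEVICE_UID) -> bytes:
    # The passcode is tangled with the hardware UID; the result is never stored.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid + salt, 50_000, dklen=64)

def wrap_class_key(passcode: str, class_key: bytes) -> dict:
    """Return the only thing flash needs to hold: a wrapped key plus a tag."""
    salt = os.urandom(16)
    k = derive_key(passcode, salt)
    wrapped = bytes(a ^ b for a, b in zip(class_key, k[:32]))
    tag = hmac.new(k[32:], wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_class_key(passcode: str, blob: dict) -> Optional[bytes]:
    """A wrong passcode yields a key whose tag fails; nothing is compared to a PIN."""
    k = derive_key(passcode, blob["salt"])
    expected = hmac.new(k[32:], blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], k[:32]))

class PasscodeGate:
    """Failed-attempt policy: free tries, then escalating delays, then wipe."""
    def __init__(self, blob: dict) -> None:
        self.blob, self.failures, self.wiped = blob, 0, False

    def try_unlock(self, passcode: str) -> tuple:
        if self.wiped:
            return "wiped", 0
        if unwrap_class_key(passcode, self.blob) is not None:
            self.failures = 0
            return "unlocked", 0
        self.failures += 1
        if self.failures >= WIPE_AT:
            self.wiped, self.blob = True, None   # class key gone: data unrecoverable
            return "wiped", 0
        delay = DELAYS.get(self.failures, 0) if self.failures > FREE_ATTEMPTS else 0
        return "locked", delay
```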


If you are interested in more detail, please see my article.


UPDATE 3/8: John McAfee has admitted that he lied for publicity. While admitting that he lied,
he claims that his lie was a "noble lie" to bring to light the privacy issues regarding the FBI
request that Apple create a new iOS.

I find the notion that knowingly making false statements to build an argument is logic that only a
3-year-old would admire or understand. Unfortunately we are dealing with something that is more
significant than getting into the treats.

I simply do not believe that it was a "noble lie". I believe that Mr. McAfee was clueless and truly
believes that the options he was putting forward were real options. Mr. McAfee is now suggesting
"decapping" as his "secret solution". See above for what decapping entails and,
more importantly, the risks, which in my opinion are far too great for it to be considered a solution.
