Apple will throw forensics cops off the iPhone Lightning port every hour

Apple isn't backing down from a move to lock down the iPhone’s data port to increase security for users, even though it means thwarting some of the password-cracking tools used by forensics experts. In the latest beta versions of iOS, Apple includes a feature called USB Restricted Mode, which disables the data connection of …


  1. msknight

    Tim Cook...

    Playing a brave game, or a dangerous one? Answers on an encrypted post card to....

    1. karlkarl Silver badge

      Re: Tim Cook...

      Nope, they are just playing a childish one.

      "I want to be in control mummy!!!"

      Oh well. I am hoping this kind of behavior will help create new laws against locking down shitty hardware in the future.

      1. Joe Gurman

        Re: Tim Cook...

        Rather decent hardware, actually, and it's the FBI and local police departments who are throwing the hissy fits. Despite all the bad-mouthing here, Americans actually do have civil liberties, one of which has repeatedly been defined by the courts as privacy.

        1. Anonymous Coward

          Re: Tim Cook...

          >Americans actually do have civil liberties, one of which has repeatedly been defined by the courts as privacy.

          Americans only have civil liberties for Americans, if you're not American you don't have any in their view.

          1. eldakka

            Re: Tim Cook...

            Americans only have civil liberties for Americans, if you're not American you don't have any in their view.

            That is legally incorrect; although that might be the view of most Americans, it is not the case law.

            1. Alan Brown Silver badge

              Re: Tim Cook...

              "That is legally incorrect"

              Perhaps, but it's the de-facto state of things.

        2. Anonymous Coward

          Re: Tim Cook...

          Americans actually do have civil liberties, one of which has repeatedly been defined by the courts as privacy.

          So why's GDPR such a worry to US data slurpers?

  2. hplasm
    Pint

    Kudos!

    I must tip my hat to Apple, for Atomic Level awkwardness security-mindedness!!

    1. Stu Mac

      Re: Kudos!

      Totally gets my support!! Mass surveillance is a sop to targeting the minorities who are really of concern. IMHO fork them up as much as you like but leave me TF alone.

  3. frank ly

    Just wondering

    "Since cracking the six-digit passcode may take up to 22 hours (or longer for a passphrase), then brute-force methods used by the cracking tools are likely to cease to work."

    Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts? Or did they and the hackers have found a way to bypass it?

    1. msknight

      Re: Just wondering

      There may possibly be a way around this. If the phone gets its time signal from the network, simply put it next to a stingray and feed it the same time and date. Might work... depending on how they are counting the hour duration.

      1. Waseem Alkurdi

        Re: Just wondering

        You could also "hack" the RTC chip (theoretically).

        Another attack is done using NAND flashing, in which the chip is backed up at zero passcode attempts, then the iPhone is brute-forced until it gets locked out, at which point the NAND is restored ... Sort of like savestates in an emulator.

        1. detuur

          Re: Just wondering

          I can't imagine that the RTC or NAND being relied on by the Secure Enclave Processor would be vulnerable to external hardware attacks. They are most likely part of the same die as the processor which means it's impossible to access them directly.

    2. Anonymous Coward

      Re: Just wondering

      It isn't clear how Cellebrite et al's PIN finder works, though presumably Apple got their hands on one at some point, so you would think they should have been able to fix whatever they were doing to brute force the passcodes.

      This fix is more elegant though, since 99% of the time you haven't entered your password within the last hour; even if the cops get your phone while it is unlocked (or force you to finger/face unlock it), the USB port will be disabled.

      I have to think that the FBI is going to have a hissy fit about this - but they're going to play it coy and wait for a headline terrorist incident or school shooting investigation that is hampered by this before they try again to get the public on their side, like they failed to do with San Bernardino.

    3. Anonymous Coward

      Re: Just wondering

      The whole point of these devices is that they do exploit a "hole" in the security and they do get around the 10 tries - and most users probably don't have the nuclear delete option turned on anyway.

      1. Anonymous Coward

        Re: Just wondering

        You don't have to turn on the 'nuclear' option, just use a password instead of a passcode. They wouldn't even try to brute force that, it would take forever.

      2. Anonymous Coward

        Re: Onanism

        > most users probably don't have the nuclear delete option turned on anyway

        Most users store and back up everything on iCloud, which is easily subpoenaed.

        https://www.linkedin.com/pulse/how-when-apple-discloses-your-data-law-enforcement-matt-washchuk/

    4. eldakka

      Re: Just wondering

      @frank ly

      Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts? Or did they and the hackers have found a way to bypass it?

      I think that "found a way to bypass it" is implicit in this sentence from the article:

      An analysis was undertaken by Malwarebytes in March that suggested it took advantage of undisclosed flaws in iOS.

  4. R 11

    Poor DJs. If only there was a technology that could safely allow the output of audio data to speakers and which doesn't require two-way exchange of data exposing the inner workings of the phone?

    1. Dave 126 Silver badge

      In this context the iPhone is usually a control device - iPhones have always had MIDI baked in.

    2. Waseem Alkurdi

      You mean the 3.5mm headphone jack?

      1. graeme leggett Silver badge

        Or the Line Out on the 30pin connector.

    3. Sgt_Oddball
      Headmaster

      Bluetooth then?

      1. Dave 126 Silver badge

        So there's three of you who think that DJs use audio out from an iPhone instead of balanced output from a FireWire/Thunderbolt soundcard? Okaaaay

        Some DJs will use an iPhone as an XY control surface (ersatz Kaos Pad) in conjunction with other devices. Some will even take advantage of its gyros and accelerometers. Either way, it's just a control device.

        1. R 11

          I think you misunderstand. A professional DJ can likely afford a dedicated device. Indeed if they're smart, that's exactly what they'd do in case some app gone rogue destroys their set.

          The amateur DJs, be they playing music for themselves, their friends, or another small gathering probably don't have a separate balanced output system. They have an iDevice and speakers.

          1. Inspector71
            Trollface

            A "real" professional DJ drops the needle on those SL-1200 MkII's.

            1. Anonymous Coward

              Yes, but those using the classic SL1200s (ah, I remember them well from my club DJ days...) will have time coded 12" 45 rpm records for when they want to use a digital source, whether that's off an iDevice, computer, or what have you. Very very few DJs are still 100% analog.

              1. Inspector71

                Agreed but nostalgia apart, there is/was a greater sense of theatre with a box of 12's, a pair of SL-1200s and working the crossfader on an SH-DJ1200. I was a very poor amateur but when you saw DJ Shadow or Z-Trip or DJ Hype do a vinyl set live (as I have several times over the years) it was some experience.

                It's all too perfect today where you can fade in the breakdown to the thousandth of a millisecond and you can pretty much pre-program your set. Even the old school DJs who have embraced the digital age still have a little extra something to my mind, as a lot of them still use it in an analog way with all the imperfections that implies.

                I know, I know, rose-tinted.

                1. Anonymous Coward

                  Ah well I knew the days of being good with the turntables were numbered when a friend who ran a mobile DJ company showed me his latest toy - a Numark board that had two CD players with pitch control and a "mix" button. It was only a matter of time before the million monkeys took over all but the priciest venues because few patrons can tell a live performance from a computerized or pre-staged one - they might notice a blown mix but 1) not realize it means the DJ is performing live and 2) prefer the "perfect" pre-staged one anyway.

                  I never liked re-using the same mixes very often unless they were really something, so I was always doing something different. I'd make cassette recordings for people for $20 for whatever I happened to play during that 90 minutes. It was always fun to listen to the next day, since I was usually so drunk by the time things got really hopping I couldn't remember what I'd played. I learned some of my favorite mix combinations listening to what I'd drunkenly come up with the night before :)

                  1. Inspector71
                    Coat

                    Doug S

                    Then came Traktor and then you didn’t even need hardware. Nowadays you literally can “phone in” a set.

                    Mine’s the one with a pair of Sennheiser HD25s in the pocket.

                    1. Anonymous Coward

                      Yep, it got easier and easier as technology continued to progress. I downloaded a DJ app for my iPhone a while back intending to fool around and see what it can do but never got around to it. Maybe this weekend I'll check it out now that it's top of mind again.

                      The ironic thing is that while I correctly assessed that being a skilled DJ would matter much less when computers could do the job for you, I totally missed that a small number of DJs would be able to make millions of dollars a year in the future. Not that it would have helped me had I chosen that as a career path - it isn't about skill it is about star power. Unless Paris Hilton really is such an amazing DJ that she's worth $300,000 for a night's work!

                      1. Inspector71

                        It's less DJing now and more live "producing" now that you can essentially have a complete recording studio on your MacBook. Layering not just effects but actual instruments over the tracks and then doing the mixdown live as you go. Be it automated or manually tweaking it with a controller. The next step is no doubt going to be an AI DJ. (shudders)

                        In the end the real skill of a DJ is not being able to put together a seamless mix or knowing where exactly to place the drop or being able to scratch 3 decks at once, it's simply about choosing good music to create a mood as it always has been. Be it in a hip club at 2.00am or your cousin's wedding.

                        Right I'm off to Discogs....

        2. jaywin

          So there's three of you who think that DJs use audio out from an iPhone instead of balanced output from a FireWire/Thunderbolt soundcard? Okaaaay

          And here's another, except in my case I've worked with world class DJs and plugged up the 3.5mm jack to phono cable into the mixer for them. Besides, using a balanced out when going into an unbalanced input on a DJ mixer is a bit pointless dontyathink?

    4. Anonymous Coward

      Lightning isn't USB

      It can act as USB, but it can also act as Lightning. That is, disabling the USB functionality doesn't have to disable the Lightning functionality, so any sort of digital audio Lightning connection wouldn't be impacted by this change.

  5. Anonymous Coward

    Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts?

    Because the tool works by replacing a JLE with a NOP - so you can't count failed attempts.

    1. Anonymous Coward

      Re: Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts?

      Would that prevent the option of incrementally increasing the delay between incorrect password attempts?

      1. Milton

        Re: Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts?

        I still think there is nothing better than a 10—12-character alphasymbonumeric passcode. The Adversary can try a million times a second for half a billion years and see where it gets him.

        I won't rehearse the passwords again because I've said it here before. To summarise:

        • Make up something ridiculous, non-dictionary and memorable because you can say it—like "sq8-Ed2ph01e" (squat-ed-to-foal)

        • Make up a mnemonic if you need to, e.g. a short fat guy called Ed having a baby horse: hard to forget that image once you've pictured it

        • The Adversary has 12 random (to him) characters, each from among about 70 possibilities if you include upper/lower alpha, numeric and a few symbols

        • That's 13,841,287,201,000,000,000,000 combinations

        • To go through half of those at 1 million/sec would take just under 439 million years

        I agree the system should introduce progressive latency after X failed attempts, but even if it doesn't, you can easily create a passcode which is (a) unbruteforceable and (b) resistant to errors by Apple and weaknesses in its hardware.

        And Reg: FFS get a less hopelessly incompetent Captcha system.

        1. Charles 9

          Re: Why didn't they operate a 1 hour lock-out after five (or whatever) failed attempts?

          Now repeat it over and over and you start asking, "Now was it correcthorsebatterystaple or donkeyenginepaperclipwrong?" Even with mnemonics you can get mixed up, especially if you start mixing up mnemonics.

          1. Tikimon
            Thumb Up

            Easy good passwords, here I go again...

            Apologies if you've seen me bang on about this before. I figure every time it's new to a few more people. It just WORKS! My most clueless users do this with no problem.

            Start with a sentence you can remember. SAY IT to yourself silently, and type every first or second letter (depends on length). Capitalize the first letter, add punctuation at the end. This method means it's not necessary to actually remember the password itself! There's no need to remember which letters were changed to what. It's stupid easy.

            Example: "What we've got here is failure to communicate" (Cool Hand Luke) becomes

            "Whwegoheisfatoco..."

            There are no numbers and limited symbols. However it's a random string of letters that real people can actually remember and use. If there's an easier way to remember random-ish passwords, please share!

            1. Lee D Silver badge

              Re: Easy good passwords, here I go again...

              Quite.

              Choose a password that isn't brute-forceable. You then never have to worry about someone brute-forcing it, or changing it either (it's now considered BAD advice to enforce regular password changes on users).

              To paraphrase the XKCD that we all know, after 20 years of effort we've trained everybody to use passwords that are easy for computers to guess and difficult for people to remember.

              The only thing that matters in a password is length. That's it. Not even complexity. A long a-z-only password beats out a short, complex password basically EVERY TIME, sometimes by factors of millions or billions.

              M to the power of N is much more heavily influenced by N (the number of characters in the password) than by M (the number of possibilities for each character). You don't need to get far out of stupid-password territory (8-10 characters or so) for it to always be true, even if someone decides to use the entire Unicode space as possible characters.

              And if you have a password that's not brute-forceable, you don't have to worry about someone attacking your number of password attempts per second (whether time-outs are incorporated or not) past the fact that they would DoS you in even trying a million combinations a second.

              Seriously, stop it and use real passwords. And avoid services that refuse to let you use longer passwords (HSBC banking stops at 12 characters, I believe) and/or which enforce ridiculous character sets on you (Apple iTunes accounts are terrible for this).

              1. mark l 2 Silver badge

                Re: Easy good passwords, here I go again...

                A long password with uncommon symbols such as µ or » makes it super secure, as most brute forcers only try common symbols available on the keyboard plus numbers and letters, so would never crack it even if it were left running for hundreds of years.

                1. doublelayer Silver badge

                  Re: Easy good passwords, here I go again...

                  Technically true, but usually it won't work. Most systems will disallow things other than plain ASCII. Unicode and in some cases extended ASCII is out. In fact, there was one system I had to use that blocked a password using the question mark (?) symbol. Actually, it sent the password in but chopped out the question mark first, such that the original password would not work but the one with the mark excised would. Great job there. Rather than allowing a system to get confused, I tend to go for length plus a few punctuation marks; that way, nobody can just brute force the alphabet to get it.

                  1. Anonymous Coward

                    Re: Easy good passwords, here I go again...

                    I also had experience with a system that accepted numerical characters in some fields (user name and surname) when they had a typo... but of course refused them in the login field. I was only paid to answer the phone... so my efforts to fix that obviously broken system were to transfer the call.

                2. Mr. Flibble

                  Re: Easy good passwords, here I go again...

                  Which is fine unless you have to use foreign keyboards regularly, and then it becomes a bloody nightmare.....

              2. Anonymous Coward

                Re: Easy good passwords, here I go again...

                Not quite correct: if the password is alphanumeric and an actual word or combination of words, dictionary-based attacks drastically shorten the time to "guess". If it is a single word, length is possibly even a negative, as the number of words at a given length reduces beyond about 8 letters. Combinations of words are harder but still have the drawback of being drawn from a very limited subset of the possible combinations of words.

                Using first letters of words from phrases also has weaknesses, as the letters are drawn from a typically very limited subset of possible combinations. If the pass phrase is long enough this may be mitigated, but only truly random combinations require random searches and are subject to the combination rules.

                And of course "truly random" combinations are very much harder to remember.

                Just FWIW

                1. eldakka

                  Re: Easy good passwords, here I go again...

                  > Combinations of words are harder but still have the drawback of being drawn from a very limited subset of the possible combinations of words.

                  If using words in a password, each word is the equivalent of a single character in a random character password. But that actually expands the set of characters when compared to an ASCII character set at least. Below is a copy-paste of a post I wrote a few weeks ago about using dictionary words; note that it was based on using 5 words (not just 1) as a password. I will preface it by saying that I think it is not practical to use, as while theoretically the set is quite large, what are the chances anyone would use the long words (say 6+ characters) in their combination of words? But in theory:

                  The Oxford English Dictionary has ~171,000 'active' words in it (it has an additional 41k obsolete words and some other types).

                  So, a 5 word phrase would have complexity of 171000^5, or a complexity of:

                  146,211,169,851,000,000,000,000,000

                  And this assumes that every letter is typed in the same case, no mixed case.

                  A 10-character password using the printable characters usually found on an English-based QWERTY keyboard is, umm, roughly 49 keys, each with 2 characters, for 98 combinations.

                  So it'd be 98^10 which is a complexity of:

                  81,707,280,688,754,689,024

                  Which is significantly less complex than 5 random words.

                  You'd need a difficult to remember password of 14 random characters to exceed the difficulty of an easier to remember 5 random words password.

                  Of course, you may be able to increase the set of characters above 98 by using a larger UTF character set.

                  But then, you could increase the set of words by including non-English words, or using techniques others have discussed like misspellings, mixed case, replacing alphabetic characters with other characters, and so on.

                  Spanish has around 88k words, depending on how you count them (some sources say there are many more); German, again depending on how you count the words and which sources you use, has at the low end about 140,000; and another 100k or more for French.

                  So if we add those 4 dictionaries (English, Spanish, French and German) we've increased our word set to 469k, so:

                  469000^5 =

                  22,691,552,673,349,000,000,000,000,000 combinations.

                2. fidodogbreath

                  Re: Easy good passwords, here I go again...

                  Using first letters of words from phrases also has weaknesses as the letters are drawn from typically a very limited subset of possible combinations.

                  Assuming, of course, that the attacker knows you have used this method.

                  What you describe is correct for a specific known password mnemonic method. However, an attacker typically has no way to determine which method the user might have employed to create the mnemonic. Or, in fact, that the user even employed such a method at all.

                3. Michael Wojcik Silver badge

                  Re: Easy good passwords, here I go again...

                  if the password is alphanumeric and an actual word or combination of words, dictionary based attacks drastically shorten the time to "guess" [blah blah blah]

                  Sigh.

                  Arguments like this are just handwaving without some actual statistics, or at least back-of-the-envelope approximations.

                  A recent version of the aspell US English dictionary contains around 204800 words. Using an xkcd-style four-word phrase (which gives a passphrase on the order of 20 characters, quite easy to type reliably for many users; I routinely use passphrases twice that long) gives about 70 bits of entropy. That's assuming words are chosen with equal distribution from the list; it assumes nothing about, say, the per-symbol entropy of English.

                  Note it also assumes the passphrase contains no spacing, punctuation, or non-letter symbols, except the ones that appear in the aspell US-English dictionary (things like apostrophe and hyphen). Those can easily be added by the user in a meaningful fashion, increasing the entropy. It also assumes monocase, or a case-insensitive verification mechanism; if the system is case-sensitive, we can use mixed case as well.

                  What's 70 bits of entropy worth? Compare it with a random (equal distribution) password drawn from mixed-case English letters, numerals, and a dozen non-alphanumerics. That's 64 symbols, or 6 bits of entropy per symbol. So 70 bits of entropy for the passphrase is just shy of a 12-character password using this scheme.

                  If you can make a million attempts per millisecond, brute-forcing a 70-bits-of-entropy passphrase takes a little under 19 thousand years, on average.

                  The trick with xkcd-style bag-of-words passwords is to generate a number of unbiased phrases from the dictionary, then pick one you can remember by visualization, "newspaper headline" interpretation, or whatever. The relatively low per-symbol and per-word entropy of natural language really doesn't matter when it comes to resistance to brute forcing, once the phrase gets to be even a few words long. Models only do well against plausible natural-language phrases.

                  There's a commonplace among infosec folks that xkcd-style passphrases are not particularly strong. Schneier subscribes to it in this post, for example, talking about the password-cracking bake-off Ars Technica hosted back in 2013. But it's not the scheme itself that's broken. The weakness comes from weak use of it - from users choosing words from too small a dictionary[1], or creating passphrases that are too small.

                  (Also, the Ars piece only worked with one attack mode - cracking a corpus of unsalted MD5 hashes. While Schneier generalizes that to "password crackers know to combine words from their dictionaries", even with smarter candidate generation, stronger key-derivation functions such as Argon2 are going to slow brute-forcing tremendously.)

                  Even then, terms like "broken", "weakness", and "too small" are misleading. Absolutes are always inaccurate when discussing security. What we need to talk about is the risk (probable loss) under a threat model. My probable loss for someone brute-forcing my Reg password is very low - I don't have much at risk here, under my threat model. And the probability of someone brute-forcing it is relatively low, because most attackers have little incentive to do so. So my password only has to be strong enough against brute-forcing to lower that risk to a point that I'm comfortable with.

                  [1] Generally that means "user has a larger dictionary, but only chooses familiar words, and has a relatively small working vocabulary in the first place". For a random-word-phrase scheme, the user's "dictionary" is the set of words they're willing (with high probability) to use.
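                  The keyspace, entropy and brute-force-time arithmetic that Milton, eldakka and Michael Wojcik each work through above, as an added Python example that is not code from any commenter; the alphabet sizes, dictionary sizes and guessing rates are the ones those posts quote, and the rates are assumptions, not measurements.

```python
"""Password-space arithmetic for the figures quoted in this thread.

Added example, not code from any commenter: it reproduces the keyspace,
entropy and brute-force-time sums from the posts above so the numbers
can be checked rather than taken on faith. Guessing rates are assumed.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets: alphabet_size ** length.
    A word drawn uniformly from a dictionary of N words is one symbol
    from an alphabet of size N, so the same formula covers passphrases."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of >= 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Shannon entropy in bits, assuming uniform random choice per symbol."""
    return length * math.log2(alphabet_size)


def years_to_crack(space: int, guesses_per_second: float,
                   average: bool = True) -> float:
    """Years a guesser needs at the given rate. average=True gives the
    expected time (half the space searched); False gives the worst case."""
    guesses = space / 2 if average else space
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def chars_to_match(alphabet_size: int, target_space: int) -> int:
    """Smallest password length over alphabet_size whose keyspace is at
    least target_space (e.g. characters needed to equal a word phrase)."""
    length = 1
    while keyspace(alphabet_size, length) < target_space:
        length += 1
    return length


def compare(schemes, guesses_per_second):
    """Summarise a list of (label, alphabet_size, length) schemes."""
    rows = []
    for label, n, k in schemes:
        space = keyspace(n, k)
        rows.append({
            "label": label,
            "space": space,
            "bits": round(entropy_bits(n, k), 1),
            "avg_years": years_to_crack(space, guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    # Figures as posted: 70 symbols x 12 chars (Milton), 98 symbols x 10
    # chars and 171,000 words x 5 (eldakka), 204,800 words x 4 (Wojcik).
    schemes = [
        ("12 chars from 70 symbols", 70, 12),
        ("10 chars from 98 symbols", 98, 10),
        ("5 words from 171,000", 171_000, 5),
        ("4 words from 204,800 (aspell)", 204_800, 4),
    ]
    # Assumed rate: Milton's one million guesses per second.
    for row in compare(schemes, 1e6):
        print(f"{row['label']:32s} {row['bits']:6.1f} bits  "
              f"{row['space']:>32,d}  ~{row['avg_years']:,.0f} yr at 1e6/s")
    # Wojcik's rate: a million per millisecond, against ~70 bits.
    print("avg years for 2^70 at 1e9/s:", round(years_to_crack(2 ** 70, 1e9)))
    print("chars from 98 symbols needed to beat 5 words:",
          chars_to_match(98, keyspace(171_000, 5)))
```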

            2. Doctor Syntax Silver badge

              Re: Easy good passwords, here I go again...

              "What we've got here is failure to communicate"

              Or was it "a failure"? or did I expand "we've" to "we have"? So many things to remember...

            3. Allan George Dyer
              Black Helicopters

              Re: Easy good passwords, here I go again...

              @Tikimon - "it's a random string of letters"

              Wrong!

              "Start with a sentence you can remember."

              This isn't a random start to the process, the following steps are deterministic, so the output is not random. Meaningful sentences in any language will have some statistical pattern to the initial letters. Worse, a memorable sentence is likely to be a quote, so the password crackers will drop a dictionary of quotations into their process if this becomes popular.

              So, if you are using this scheme, the last thing you want is for everyone else to be using the same scheme... Therefore, you aren't using this, and you're a spook who has worked out how to crack this easily, hey, are those black helicopet//
