FBI iPhone hack lost forever, White House mobe compromised, SSH – and plenty more Another week draws to a close so it's time to review the security news you may have missed in between the big hitters: the NSA contractor who leaked more exploits, Apple's encryption password blunder, and so on. This week we've seen bugs, hacking, and government silliness – take a look... Computerinsel PhotoLine full of bugs …
I wonder if the FBI even got the details of how it was done?
A certain phone forensics vendor supposedly offers "hack latest* iPhone to decrypt its contents" as a service. I think the price tag is around $30k. But then you don't get the details - you have to ship it to them.
* Well, maybe not iPhone X or whatever it's called... just yet.
That's not surprising. If a security vendor has a 0 day they're able to use to break into an iPhone, they'd want to keep it to themselves. If Apple finds out they'll need a new 0 day.
I do wonder how much they can really get access to though. Apple encrypts on two levels - one the whole NAND is encrypted, and then individual files are encrypted depending on the security level. Text messages and recent callers aren't encrypted at the file level, because of the need to add new messages and callers to their respective .sqllite DBs. Things like say your wifi passwords are encrypted at the file level because they won't change while the phone is located, so I very much doubt any exploit is going to get those.
I keep thinking Apple should have a separate DB for incoming messages, phone calls and other stuff received while the phone is locked so they can do file level encryption for the main DBs to keep them secure. Then an exploit would only be able to get the text messages / callers from since the last time the phone was unlocked (which may still be good enough for the FBI in some cases)
That and encrypting all data sent to iCloud with a key I control instead of just some things are two improvements I think Apple could/should make that would make it almost impossible for investigators to get access to your phone's contents regardless of 0 day exploits. Wouldn't fix the "$5 hammer" method of getting at your encrypted content though :)
They get everything on the phone, since they fish out the relevant keys from the hardware that stores them.
The problem is that people want to be able to unlock their phones with a short PIN that's easy to enter.
Bruteforcing a 4-digit PIN or a password of reasonable length is obviously trivial.
Thús, they need to stick an actual strong encryption key into hardware that can prevent bruteforcing the PIN by restricting the rate and number of attempts. The vulnerabilities relevant here are in this hardware, or rather the software that drives it.
Plus, since the key is actually in there somewhere, given enough time and money/equipment/skills it can always be read out eventually.
It's a way to push up the time and budget needed to dump a random iPhone (a lot), not a way to totally prevent it.
If you use a proper passphrase instead, the security is just like full drive encryption on a normal computer.
You can't brute force a 4 digit PIN on a newer iPhone with a secure enclave, it'll either erase after 10 attempts (if that's been configured) or require re-syncing to iTunes. Now it is probably not that hard to get around the latter, so I guess you could try 10 passcodes in a little over an hour (due to enforced delays) and therefore all of them in around six weeks...
The PIN isn't the key, rather it decrypts a nice complex AES key, so you have to guess the PINs using the interface. Perhaps there are attacks against the secure enclave, but I wouldn't bet on it. It runs a formally verified L4 microkernel. It is embedded in the iPhone's SoC, and at the microscopic (literally nanoscopic these days) feature sizes modern SoCs are fabricated with, you'd need some expensive equipment indeed to mount an attack against the hardware even if they haven't tamper proofed it in some way.
I'm not sure a reset/replay attack is possible on a device with secure enclave. Depends on whether it ONLY uses the phone's main flash storage for its storage (encrypted, obviously) or has some private storage of its own. If it has private storage and the passcode try count is saved there, being able to reset the NAND won't help you.
A major state level actor could probably still find a way to do that, or more likely some other easier attack, but if one of them makes you a target I think you should just assume they're going to get what they want, regardless of what OS your phone, PC, or whatever is running and what special hardware security features it may have.
I strongly suspect that when the FBI was looking for help from other branches of the US government in breaking into that iPhone 5c last year the CIA or NSA could have helped if they wanted to. However, they knew damn well a work iPhone left behind by a terrorist who had destroyed his and his wife's personal phones and their computer's hard drive would come up empty, and didn't want to tip their capabilities to the outside world for no reason.
If everything else fails (i.e. not having any vulnerabilities in the secure enclave and the things related to it), there's always the standard techniques for extracting stuff from uncooperative hardware - decapping, scanning electron microscope, focused ion beam, etc. I don't know if this is what the vendor in question does against newer phones.
Atleast rewriting the flash memory to get infinite tries at guessing the PIN is supposed to be prevented in newer iPhones (but it should have worked against the 5c).
A lot of iPhone forensics guys (Zdziarski among others) actually approached the FBI and offered to help do this but were universally turned down or ignored. The real motive behind the actions of the FBI in that case were probably to establish legal precedent for forcing vendors to cooperate in general and getting a way developed for doing it with iPhones in particular.
There were certainly a lot of other phone unlocking demands waiting for them if Apple had folded or lost in court. The FBI just picked the most "oh noez terrorists national security!!" case to get the precedent set.
Instead they ended up wasting (reportedly) 1M USD in an attempt to save face and influence legislators about the need for fundamentally breaking software/hardware security because of "TERRORISM!". Total cost for having one of the US guys do it would have been less than $10k.
It's all fine and good that Kelly didn't use his personal phone for official business. The problem is, if he had his personal phone on his person there are some concerns:
* Possibility of camera or microphone turned on to record sensitive info.
* Snooping on location information could reveal who/when/where Kelly was meeting people.
* Possibility of leaking other info that could be leveraged by someone will evil purposes (mundane details like when he uses the bathroom feature in at least spy dramas).
Like many of Drumpf's dummy advisers, I am sure he never used his phone for non government business just like Jarred the Mindless or was it Junior the I love it who was using a Gmail account for official govt business. Drumpf himself uses the highly secure Twitter to pass on govt policy to the various govt departments and to "My Generals".
Also, Russia would never divulge classified US documents to those who are not entitled to receive them.
Kelly, a known liar was believed when he said it was only used for personal business. Mate, I have a couple of bridges, several tall buildings and an island surrounded by water.....big water......ocean water..... for sale.
The three greatest lies:
I'm not drunk occifer.
I love you.
I won't cum in your mouth.
and now,
It was only used for personal business.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
