FBI Director defends iPhone 5C unlock tool that's obviously going to leak into wrong hands

FBI Director James Comey says the tool his agents bought and used to unlock the San Bernardino killer's iPhone will only work on a "narrow slice" of phones. On Wednesday, Comey gave a lecture at Ohio's Kenyon College's Center for the Study of American Democracy in which he said the exploit only works on iOS 9 iPhone 5Cs. Apple …

  1. All names Taken
    FAIL

    Leakage?

    If the tool leaks either into the open or into the wild will the aforesaid mentioned organisation accept full and absolute responsibility and for any damages incurred or ensued?

    1. Mark 85

      Re: Leakage?

      Uh... have you ever heard of any agency in the Federal Government taking responsibility for damages? Even if they wanted to, there's a law that says the Government has the right to decline to be sued. So... not gonna' happen in our lifetime.

    2. Harry the Bastard

      Re: Leakage?

      q: will apple "accept full and absolute responsibility and for any damages incurred or ensued?" for shipping insecure product?

      a: no

  2. Anonymous Coward

    Who cares if it leaks?

    It is unlikely to the extreme that it is using a remote exploit, so it isn't like I have to worry about someone getting into my phone unless they steal mine. I think it is very likely they are copying the NAND contents, resetting the retry counter, and copying the NAND back onto the phone to try another half dozen PINs.

    Those who claim they can copy it onto multiple phones are wrong, the NAND is encrypted with a key generated from the unique device key of the iPhone, other iPhones have different device keys and wouldn't decrypt even with the correct unlock code. If it is using NAND mirroring then:

    1) it would only work on pre-5S models, since the lock counter is stored in the secure enclave on newer models

    2) it would require rather expensive equipment - and physical possession and disassembly of the phone

    3) it would be rather slow, since you could only try about a half dozen PINs between NAND copies

    4) it would only work on phones where a 4 digit PIN is being used, not on phones where an alphanumeric password is being used
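
An added illustration of the two claims in the comment above (not part of the original thread, and not Apple's actual key derivation): a passcode key salted with a per-device secret differs on every device, and a cap of about six guesses per NAND restore makes the time to exhaust a passcode space grow with its size. PBKDF2 stands in for the hardware-entangled derivation; the device IDs and the 90-second restore and 5-second per-guess timings are constructed assumptions.

```python
import hashlib
import string

# Constructed sample values standing in for two phones' unique device keys.
DEVICE_UID_A = bytes.fromhex("00112233445566778899aabbccddeeff")
DEVICE_UID_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def derive_unlock_key(passcode: str, device_uid: bytes, iterations: int = 10_000) -> bytes:
    """Stand-in derivation: PBKDF2-HMAC-SHA256 salted with the device key.

    Because the device key is an input, the same passcode yields a different
    key on a different device, so a copied NAND image stays bound to its phone.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, iterations)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passcodes of a fixed length."""
    return alphabet_size ** length


def worst_case_days(candidates: int,
                    attempts_per_restore: int = 6,    # "about a half dozen" per the comment
                    restore_seconds: float = 90.0,    # assumed time to rewrite the NAND
                    attempt_seconds: float = 5.0) -> float:  # assumed time per on-device guess
    """Days needed to try every candidate when each restore buys a few guesses."""
    restores = -(-candidates // attempts_per_restore)  # ceiling division
    total_seconds = restores * restore_seconds + candidates * attempt_seconds
    return total_seconds / 86_400


def compare_policies() -> dict:
    """Worst-case exhaustion time, in days, for three passcode policies."""
    alnum = len(string.ascii_lowercase + string.digits)  # 36 symbols
    policies = {
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        "8-char lowercase+digit password": keyspace(alnum, 8),
    }
    return {name: worst_case_days(n) for name, n in policies.items()}


if __name__ == "__main__":
    same = derive_unlock_key("1234", DEVICE_UID_A) == derive_unlock_key("1234", DEVICE_UID_B)
    print("same key on both devices:", same)
    for name, days in compare_policies().items():
        print(f"{name}: {days:,.1f} days worst case")
```
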

    1. Adam 1

      Re: Who cares if it leaks?

      I guess you are lucky enough to live in a free country. Yes a lot of those good points mitigate many threat models, but a big part of this is a march towards government intrusion (even in free countries) and intrusion above and beyond the level warranted by the alleged crimes of people.

      It isn't going to leak so much to Eastern European mobs but firstly to other agencies. In the now famous iPhone debacle, there was a second request for the same assistance in NY for cracking some alleged drug lord's iPhone. Fair call, he sounds like a Bad Guy™. But sooner or later it becomes routine in all investigations. Next thing you know, a fishing expedition is launched whenever someone forgets to return a DVD.

      Assuming that our friendly TLAs hadn't already cracked it and were just trying to set a legal precedent (that is a pretty big assumption there), if you can control the parts that retrieve and act upon the device key (ie not containing secure enclave) it is possible to pull the device key. Once you have that, brute force of any short password or PIN can be done for a few bucks of Amazon time.

      1. Anonymous Coward

        Re: Who cares if it leaks?

        If it is the NAND mirroring thing then you have to disassemble the phone and connect it to some rather expensive hardware. It won't be something a typical police department can afford, nor will they be sending phones to the FBI (or your local equivalent) for this lengthy process for a simple fishing expedition.

        Use a password rather than a PIN and you are completely protected from the NAND mirroring attack. It isn't certain they are using that, but it seems more and more likely, given the information that has been publicly released.

      2. tom dial Silver badge

        Re: Who cares if it leaks?

        The "second request" mentioned appears likely, in fact, to be an earlier one, where the judge suggested Apple oppose it and sent them back a couple of times to get them to revise their brief so he could deny the order, which he did. That one was in various states of play from October, 2015 on.

        All these cases (by now several hundred) have to do with executing a legally obtained search warrant for a phone the police have in their possession.

    2. DropBear

      Re: Who cares if it leaks?

      " it would be rather slow, since you could only try about a half dozen PINs between NAND copies"

      Arguably so, although the sensible approach would be not to keep re-flashing the NAND but to connect a piece of hardware emulating it that reverts instantly to the original image. Still need to keep rebooting the phone though, so a really professional attack device might also have the DRAM de-soldered and emulate that too - and just keep going...

      1. Anonymous Coward

        Re: Who cares if it leaks?

        That won't work, because each iPhone has a unique ID that's part of the SoC. Trying to extract that would require removing the A5 SoC used in the 5c, decapping it and using an electron microscope to determine the unique ID (assuming you know where to look on the die, which may require Apple's help).

        The passwords can only be tried on the original phone, they can't copy the data elsewhere to an emulator unless they can get at that unique ID.

        Maybe that's what the Israeli firm did, but if so that raises the cost an order of magnitude due to the extremely expensive equipment required, though at least it would be quick. But still, only useful for phones using a PIN, if you use a password you'd be fine so long as it isn't susceptible to a dictionary attack (so don't use "password"!)

  3. goldcd

    Leaks?

    AFAIK, the 'exploit' was already out there, and the FBI just paid somebody to use it.

  4. Anonymous Coward
    Trollface

    Who you gonna call?

    Well done PLA Unit 61398

  5. chris 17 Silver badge

    Just who are the fbi trying to protect?

    They wanted to force apple to produce an exploit they claimed would only be valid on 1 iPhone 5c, but now they have an exploit that can affect all iPhone 5c and prior phones they don't want to share with Apple so they rectify the bug enabling the exploit. They are intentionally endangering the American publics right to privacy by not releasing details to the manufacturer that is willing to produce software to fix this exploit. They are not protecting or serving in this case.

    1. cyrus

      Re:

      That's okay. It is no longer their mandate to protect or serve the citizens of this great country. The new mandate is to protect those in power at all costs.

      Go back to sleep, little one. They're taking care of these problems for you. When you wake up, there will be nothing to fear.

    2. Phil Kingston

      "They are intentionally endangering the American publics right to privacy"

      And there's the nub - do Americans actually have that right? They assume they do.

      1. tom dial Silver badge

        Americans do indeed have a right of privacy from undue police inquiry. That right can be modified by issue of a search warrant, however, as was done in the cases for which they obtained orders for Apple to assist them. The search warrant specifies the modifications in terms of what can be searched and what, if found, can be used in a prosecution.

        1. dan-o

          Privacy rights notwithstanding PRISM https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29 effectively means electronic privacy is a dead concept, and the list of tech companies including Apple who participate in that are indeed a bunch of disingenuous liars, and not just when they pimp their products.

    3. se99paj

      Different perspective

      I have a slightly different perspective.

      The FBI asked Apple to help exploit a single iPhone 5C, Apple would complete the exploit and provide the unlocked device to the FBI. How that device was unlocked would remain within Apple.

      Apple made a choice not to provide this exploit and therefore forced the FBI to look at alternative options, there is no reason for these options to be bound to a single device. The single device was only a requirement of the Apple court order that the FBI submitted.

      Why would the FBI intentionally contact Apple, asking them to fix an exploit that they wanted to leverage? It's like getting the keys to a safe and then asking the owner to change the lock. If Apple provided their support from the start then they'd still have the keys and they would only be giving the FBI an unlocked safe.

    4. Michael Thibault

      >They are intentionally endangering the American publics [sic] right to privacy by not releasing details to the manufacturer that is willing to produce software to fix this exploit.

      Apple should ... take them to court?

  6. Anonymous Coward

    The drawback of lack of cooperation

    Law enforcement agencies won't tell you about the flaws they become aware of...

    1. Deltics

      Re: The drawback of lack of cooperation

      Quid pro quo, Tim (Cook).

  7. Colin Millar

    Oh the ironing

    Trust us - we're the guys who bugged MLK - reason for wiretap request - cos this is one uppity n****r

  8. Anonymous Coward

    The people we bought this from – I know a fair amount about them and I have a high degree of confidence that they are very good at protecting it and that their motivations align with ours.

    Wasn't there something about an Italian company that had its export licence revoked recently that had programs that did things like this? Could this be the reason, with the Italian government not wanting their phones being hijacked?

    1. Mark 85

      I'm not sure if the Hacking Team were doing tools for phones. There's that Israeli company that offered to break it, though.

  9. Ilmarinen
    Coat

    Trust in me, only me ...

    "people should not worry about the FBI's actions, he said, since every agent receives training in the importance of due process and respecting individual privacy rights."

    So don't worry, everything's all right. Nothing to see, move along little people.

    (I'll only be a few seconds - just checking your coat to make sure your phone is safe from terrorists)

    1. a_yank_lurker

      Re: Trust in me, only me ...

      Reminds me of Reagan's comment about the most scary phrase in the English language: "I'm from the government and here to help." The ferals have shown themselves to be more interested in protecting their power and prestige than in such mundane ideas as justice, privacy, and freedom. This whole episode reeks of a feral power grab.

      As far as protecting the "secret", the ferals are not very good at that either, with the OPM hack, numerous moles, Foggy Bottom's total indifference to protecting secrets for starters.

  10. ashdav
    Black Helicopters

    The source of this....

    My money is on Apple for the source of this. But they can't be seen to be giving away access to their phones so "a third party did it"

    It won't go into the wild as it was passed directly.

    Call me a cynic but........

  11. Rory B Bellows
    Black Helicopters

    Hacking Team

    Not the best at protecting things, but certainly aligned with rogue governments...

  12. x 7
    Happy

    "every agent receives training in the importance of due process and respecting individual privacy rights"

  13. Palpy

    "The FBI is very good at keeping secrets" --

    -- says James Comey.

    Oh, I haven't laughed so much since Pryor was doing stand-up.

    leak

    leak

    leak

    Those are only the tip of the leak-berg.

  14. Stevie

    Bah!

    "Comey also questioned whether people were not being a little too emotional about the whole issue, commenting that we all leave so much "digital dust" about ourselves on social media sites that there was very little need for the FBI to get involved in extreme device hacking scenarios."

    Then what the fuck was all the FBI-generated fuss about in the first place, you disingenuous bastard?

    1. BenR

      Re: Bah!

      "very little need" =/= "no need"

      But I see your point.

  15. Anonymous Coward

    Trust me, I'm from head office

    Just 1 phone or just 24 million.

    Let's not argue over semantics.

    Move on citizen, you are late.

    1. John Robson Silver badge

      Re: Trust me, I'm from head office

      Slartibartfast: Come. Come now or you will be late.

      Arthur: Late? What for?

      Slartibartfast: What is your name, human?

      Arthur: Dent. Arthur Dent.

      Slartibartfast: Late as in the late Dentarthurdent. It's a sort of threat, you see. I've never been terribly good at them myself but I'm told they can be terribly effective.

  16. RIBrsiq
    Facepalm

    FBI Director James Comey:

    "The people we bought this from [...] their motivations align with ours."

    1. Dan 55 Silver badge
      Trollface

      So it's Mossad then?

  17. noj

    FBI Director James Comey says...

    Whatever. It doesn't matter. Nobody believes you anymore.

  18. Anonymous Coward

    The trouble is

    right here:

    "The people we bought this from – I know a fair amount about them and I have a high degree of confidence that they are very good at protecting it and that their motivations align with ours."

    - and I doubt anybody outside the USA (aside from, maybe, the denizens of GCHQ) trusts the FBI in a good way (I note that a criminal gang would fit the requirements of the statement quoted above). The various security agencies in the West need to get real and acknowledge that they've betrayed the trust that the populace they're supposed to protect had placed in them. They've turned themselves into exactly the kind of bad actor that we DON'T want around, and set themselves against the rest of us. This is not likely to end well.

  19. g e
    Facepalm

    That backdrop...

    "American Democracy" like it's something distinct from "Actual Democracy".

    Oh. I see now...

    1. Andrew Moore

      Re: That backdrop...

      America doesn't have a democracy. At best it has what can be called a "representative democracy". Due to the Electoral College it is possible for one candidate to receive the most votes and still lose which would not be possible in a true democracy.

  20. Anonymous Coward

    Hubris is not security

    @" I have a high degree of confidence that they are very good at protecting it and that their motivations align with ours."

    Really? If Apple cannot be allowed to secure its phone you think this company can secure this information? Even when it's selling it around the world to companies it doesn't control?

    1) He assumes they're the only people who can discover this. It is likely in several companies' hands.

    2) It is hearsay, one man's opinion about somebody else told to third parties.

    3) You have not met all their staff, and cannot therefore speak with authority, Mr FBI man, it would take only one leak from one of them.

    4) They are likely hacked and don't know it.

    5) It will also be rediscovered by many others independently.

    You FBI man need to go to Apple and TELL THEM OF THIS ZERO DAY EXPLOIT before the bad guys use it. Because hubris is not security.

  21. DanX

    I don't believe them.

    I think the FBI are just saying they have opened up the iPhone to mess with Apple. I'm unconvinced that there will be much of use on it anyway.

    Maybe I'm just very mistrustful?

    At least this way the FBI can't hand out the secrets to enemies of the state by mistake right?

  22. Anonymous Coward

    "The FBI is very good at keeping secrets,"

    Manhattan project

  23. Anonymous Coward

    "a letter from J Edgar Hoover requesting clearance to wiretap Martin Luther King – as a reminder"

    ...of what exactly?

    * that it is OK to wiretap any citizen just because they oppose the government?

    * that the president can authorise the FBI to do anything they like?

  24. cortland
    Big Brother

    Anything found possible

    Anything possible is going to be looked at somewhere. If it's also practical and affordable, it will appear everywhere.

    If I had the test equipment, and I were seeking to break into a device that wiped its memory after, say, 10 attempts, I'd buy a similar device and instrument all of the reset and I/O. I'd be looking for [pins] that only changed status or state on the 11th attempt – and then I'd pull it high or low or provide the normal signals to see if that was the controlling input. Not easy, and for most of us not affordable, but certainly practical if you've got the money, the time, and the lab.

    That's probably not what the FBI or their helpers did, but it's the first thing that I would have thought of. Then again, I have a different way of thinking. Just ask anyone who knows me!

  25. Anonymous Coward

    Tool leaks to unlock a discontinued phone not on sale anymore.

    No one cared.

  26. BebopWeBop

    Comey said that he has a glass-topped desk at the bureau and in it is a letter from J Edgar Hoover requesting clearance to wiretap Martin Luther King – as a reminder of how important privacy is.

    You really could not make this up. What next for the guy, Saturday Night Live?

  27. JayB
    Unhappy

    Communication

    "We are not living in a golden age of surveillance, he said, rather a golden age of communication".

    HAHAHAH, f**king cockwomble. Let me fix that for ya mate..

    "We are not living in a golden age of surveillance, you peons are, but me and my mates aren't.... rather a golden age of communication... whereby we talk to your electronics and it will be forced to talk to us, and we'll neither tell you, nor give a fuck whether you like it or not".

    I believe someone has already used the term "disingenuous bastard". I second the motion!

  28. paulsk

    Won't stop the iSheep

    people will still buy the products, in the eyes of an Apple lover they can do no wrong - Fisher Price phones are probably more secure
