Apple AirPlay Private Key Exposed

An anonymous reader writes "James Laird has reverse engineered the Airport Express private key and published an open source AirPort Express emulator. 'My girlfriend moved house, and her Airport Express no longer made it with her wireless access point. I figured it'd be easy to find an ApEx emulator — there are several open source apps out there to play to them. However, I was disappointed to find that Apple used a public-key crypto scheme, and there's a private key hiding inside the ApEx. So I took it apart (I still have scars from opening the glued case!), dumped the ROM, and reverse engineered the keys out of it.'"

Open source win

[jhigh]

Score one for the good guys. This is just further proof that security through obscurity is a myth. You cannot expect that keeping everything locked inside your proprietary case is going to keep it secure. The best security is sunlight. Let the community poke and prod at your software and/or hardware and it will only improve your offering.

Re:Open source win

[agentgonzo]

This is just further proof that security through obscurity is a myth.

Unfortunately, you can boil the entirety of information theory to 'security through obscurity'. Airplay uses public key encryption and is in that sense 'secure'. Everything that needs to read the encrypted content (in this case the airplay device) needs to have the key to decrypt it. Thus you can argue that the whole system is 'security through obscurity' because it is relying on the 'obscurity' of the private key that the end-user can't get access to (unless the pry it open with a butterknife and dump the ROM).

Re:Open source win

[queazocotal]

Yes. Eventually.
Reverse engineering and hacking closed stuff is ____NOT___ a victory.
It sends the wrong signals.
'Protected stuff sells just fine'.
'We don't need to worry about little guys stealing our market as the nerds can hack our cheap boxes'.
'Appeasing content providers is an easy buisness model'

The problem with hacking is that it's getting easier to protect stuff.
A decade ago, if you were making a router, you had little choice to make it from a CPU chip, a ROM chip, and a RAM chip.
All soldered to a board, with comparatively accessible traces.

Ok - worst case, you needed to desolder the flash, and it was really annoying to do.

There is almost no way to protect keys in this beyond the 'normal' code obfuscation methods.

Now, increasingly security architecture is moving on-chip, and becoming cheap. Partially as a
side-effect of making devices more flexible.
Many or even most small 32 bit chips now have a small area of ROM that handles the initial boot,
and some user-settable one-time writable memory.

Because it's 'free' (a K or two), these often now include routines that will let the user on initial flash
(or in production of the a large number of chips) say 'only boot from a bootloader with key authenticated
by the in-ROM key'

To get to this key is practically very hard - especially if the vendor has taken measures - covering the few
bytes of ROM in question with metalisation - to prevent this.
You can't get at it with a soldering iron.
You can't often now even get at the off-'chip' RAM or ROM easily now, as it's not on seperate chips, it's on
chips laminated to the CPU.

Geohot - for example - did nothing at all clever cryptographically.
He exploited a basic bug in the implementation that is the sort of thing you get when someone reads the
manpage on a crypto function, and implements it, not really understanding all of the twiddly bits, and leaving
some out.

Getting crypto right with modern chips is getting increasingly easy - it is not more expensive or needing more
hardware to get it right, it simply needs employing someone with a clue to look over your code.
Drop 20K on http://www.schneier.com/ - for example - or basically anyone that's actually understood crypto,
and is not just writing it as a 'normal' program.

The only 'right' way to respond to this is to buy open platforms.
Unfortunately, this is often hard.

DMCA violation

[sideslash]

This guy should just meekly accept that his girlfriend's expensive gadgets don't work for her anymore. How dare he tinker around and fix things. (At least I think they imported some flavor of the DMCA down under.)

Good guys? Really?

[unassimilatible]

You're pro-open source, so that makes you a "good guy"? I like chocolate, you like vanilla, ergo, I am good, you are bad.

Good for you that you believe in open source, but do we have to make it a religion?

Re:Good guys? Really?

[Squiggle]

You're pro-open source, so that makes you a "good guy"? I like chocolate, you like vanilla, ergo, I am good, you are bad.

Does being pro-freedom make you a good guy? Does believing that everyone should have free access make you a good guy? Does helping your others make you a good guy?

Free software ideology isn't about the end product, it isn't chocolate versus vanilla, it is about process and access: how do we choose what gets made, how do we make it, who gets to make it and who gets access to what has been made?

Re:Good guys? Really?

[Hijacked+Public]

how do we choose what gets made

By either making it yourself, or by purchasing something made by someone else only when it fits all your particular requirements.

how do we make it, who gets to make it and who gets access to what has been made?

If you truly value freedom, and not just freedom for you and those who agree with your particular worldview, you don't 'choose' those things. You allow people to be free to make whatever they like however they like and you react to those choices as above.

Apple's products are Apple's right up to the point where they sell them to you. If they choose to not make the source code for their software available and sell it only as a compiled version, that is their choice. If they choose to offer only their own means on installing additional software, their choice.

To argue they should be obligated differently is fine with me, but to cloak that under the guise of promoting 'freedom' is not.

Very cool hack!

[GameboyRMH]

Now what the hell's an AirPlay and what good is it to me?

Oh, it's an Apple-proprietary media streaming protocol? Well, I give an A+ for l33tness, but an F for choosing a useful target.

Re:real easy innit

[erroneus]

I wouldn't. I've got a wife and I can tell you first hand, it's HARD to have a girlfriend and a wife.

No

[unassimilatible]

Like IP or not, the Constitution speaks to patent and copyright. I happen to believe that IP laws can, but not always do in practice, increase innovation. As an Apple stockholder, I'd prefer people don't hack their products, and that Steve Jobs decides how Apple software will be designed. You might disagree, and think other people's intellectual property should be "free," but it doesn't make you a good guy, except, apparently here on Mod Abuse Central, where I got modded "flamebait" for daring to not toe the party line. Real flame there!

So no, you're entitled to your views, but imposing them on someone else does not make you good. It makes you kind of officious actually. And people who modded me flamebait for saying it, you are definitely not good.

Re:No

[Man+On+Pink+Corner]

Slashdot "libertarians": Small government for me, big government for those I disagree with.

That's rich. A government that is big enough to give companies like Apple all the IP rights they want is big enough to take them away from the rest of us.

As an Apple stockholder, I'd prefer people don't hack their products

OK, I'm with you there 100%. I promise not to sneak into any Apple stores at midnight and 'hack' any of their products.

The thing is, though, once I buy the product, it isn't Apple's anymore, and I can and will do with it as I please.