Slashdot Mirror
DOJ Says iPhone Is So Secure They Can't Crack It
zacharye writes "In the five years since Apple launched the iPhone, the popular device has gone from a malicious hacker's dream to law enforcement's worst nightmare. As recounted by the Massachusetts Institute of Technology's Technology Review blog, a Justice Department official recently took the stage at the DFRWS computer forensics conference in Washington, D.C. and told attendees that the beefed up security in iOS is now so good that it has become a nightmare for law enforcement."
I've never been too impressed with government agencies and their knowledge of computing.
As far as I know the iphone doesn't use full disk encryption. It's not that difficult to get all the data off it.
What 'law enforcement' means is that it's not convenient to steal people's data.
Gee. The government can't spy on you using your own hardware?
This is truly frightening.
XKCD:Xeric Knowledge Comically Dispen
Law enforcement LOVES the iphone:
http://chris.pirillo.com/why-do-law-enforcement-officials-love-the-iphone/
(also article is a little too breathlessly enamored of apple: PR astroturf?)
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It's a start.
...I've got some "moon" rocks I'd like to sell you.
Honestly, this seems like a way to trick dumb criminals into thinking their information is secure just because they use an iPhone. If this were truly the case, and the DOJ does really have problems in dealing with iOS devices, I'd expect them to remain tight lipped about it.
How long until they just resort to this?
Well, yes, that's what they'd like you to believe, isn't it?
I thought all you had to do was use a little social engineering and you can do what you want with the data. /ducks
-- Brought to you by Carl's JR
Why, if all them criminals and terrorists were to get iPhones, they'd just be able to blab anything they wanted all day long and there ain't a durn thing we could do to crack 'em, nope. Why, I don't know what we'd do then, no sirree. I sure hope them criminals don't all go out and buy iPhones to openly talk about crime to each other on or nothin'...
iCloud Supoena.
So, the "remote control" is uncrackable? iCloud and Siri and "location awareness" with GSM, WiFi and GPS make the security of the actual device nearly an orthoganal proposition to any enforceable protection for the user or data.
When this is so clearly a form of misdirection, I can't help but wonder the purpose of a DOJ statement like his being made public. Which perception and behaviour are they trying to influence, and by whom?
"Flyin' in just a sweet place,
Never been known to fail..."
It's BS. I can tell you how to crack iphone.
Iphone is vulnerable to side channel "emissions" based attacks. It can easily be cracked with the right equipment even if not be brute force. To say it's encryption cannot be cracked by bruteforce is true but most encryption cannot be cracked by bruteforce.
Anyone care to dispute that Iphone is vulnerable to side channel attacks?
The iPhone sports a master encryption key and DOJ has access to it.
iPhone is the most vulnerable phone out there. We hope all criminals will now use it.
Just ask Apple the password they'll give it to you : http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
5 minutes ago I knew nothing of Apples full disk encryption. Now I find an article that states:
http://anthonyvance.com/blog/forensics/ios4_data_protection/
So I'd say I'm just VERY skeptical that the DOJ can't crack something that wasn't really designed with any security in mind in the first place. Either that, or the DOJ has nobody with any skills whatsoever.
AccountKiller
It's been there since the 3GS. Which is definitely more than 10 minutes old.
TFA and TFS should be modded +5 Funny.
One suspects that there are back doors all over the iPhone, in addition to the various apps that have access to remarkable amounts of stored material and regularly send it home (or elsewhere). Otherwise its alleged impenetrability would hardly be promoted by law enforcement. It's like Brer Rabbit pleading "please don't throw me in the briar patch".
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Either that, or the DOJ has nobody with any skills whatsoever.
Or they'd like criminals to believethat they can't pull data from an iPhone.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I look forward to Ovie Carroll's next few breathless announcements:
"Hooh, boy, that YouTube is soooo secure, a person could sign up for an account using their real name and home address, then post videos of them committing crimes online and law enforcement would never ever be able to track them! Honest!"
"You know where the safest place to hide stuff is? Underneath the welcome mat at 950 Pennsylvania Avenue, NW in Washington, DC. Really! We did a study and figured out that once that mat is pushed down on top of something, whether it's drugs, cash or big file folders full of industrial secrets, there's NO way that any one can get into it."
"My biggest nightmare is someone committing a crime, then emailing a detailed confession to ovie.carroll@usdoj.gov. Once something gets into those email tubes it's IMPOSSIBLE to get it back out and figure out what happened. Really. You can trust me. I'm with the government."
I hate to be that Android fanboy, but Android has full OS encryption, which is much harder to crack
After all, they know what terrible security looks like from 2006
http://washingtontechnology.com/articles/2006/03/17/government-gets-nearfailing-grade-on-fisma-scorecard.aspx
Join the Slashcott! Feb 10 thru Feb 17!
I didn't draw this conclusion at all. From the actual article it states initially the drives weren't encrypted at all so the flash dump lead to completely accessible contents. Now the flash dump is encrypted but the key is in flash memory which is simply locked by a pin. Even with a fully AES encrypted drive, you can brute force that with the standard 4 digit pin in 15 minutes. The hard part is not working out the AES key the hard part is brute forcing the pin sitting in the front which leads to the AES key sitting in standard flash memory. Yes a longer pin takes longer (55 days for the 8 digit pin) but one can imagine emulating the entire flash dumped iphone in software and parallelizing that just to pull out the key from bruteforcing the pin..
-avi
Since the 3GS, the iPhone uses full disk encryption -- but instead of requiring an externally provided key (provided, e.g., by hashing a password), the key is stored on the device and automatically used to decrype data whenever data is requested from the device. The encryption system exists to enable the instant "remote wipe" feature (which is accomplished by simply deleting the key stored on the device), but does nothing to prevent anyone from accessing data on the phone if it is not connected to the network once they acquire physical control of it (or if the user is prevented from issuing a remote-wipe command, as might well be the case if the seizure of the device is concurrent with the user's arrest.)
I have a hard time believing that the DOJ can not crack the iPhone. They are either full of shit or actually telling the truth. I can only assume it is a little bit of both.
Have they not spoken with the hackers that discovered Jailbreaking? They are well known and can be reached rather easily.
Even though I own a few MacBook Pros, I have never wanted to own an 'i' product. However, if the DOJ is this fucking stupid then maybe an iPhone is in my future.
"That's right...I said it."
DOJ Says iPhone Is So Secure They Can't Crack It
I dropped mine off the balcony to the pavement below. It seems that it is very easy to crack an iPhone.
Now that's funny. I can shatter mine.
“He’s not deformed, he’s just drunk!”
The DOJ wants crooks to rush out and buy iPhones instead of Android phones, so that they can track and eavesdrop on them.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
In other words, AES-256 encryption is still secure. This shouldn't really come as a surprise to anyone.
Or, they're cops and they don't want to have to go through the bother of getting a warrant when the phone is 'obviously in plain sight and thus immune to the regular rules of search and siezure'.
Understanding the scope of the problem is the first step on the path to true panic.
No need to hack an iphone in order to get a users data if you are law enforcement. A subpoena (or perhaps even less than that) would get you all the information you need from apple's iCloud. I said "perhaps even less than that" because there's been numerous articles over the last few years highlighting the fact that your data stored in a third parties' datacenter is not protected by your civil rights.
Can somebody explain how if the iPhone is so uncrackable/breakable that Apple can still export it? I seem to recall some kind of PGP problem where exporting something that was too secure was a violation of US laws. Or maybe I'm mixing reality with a bad Nicholas Cage movie, which is entirely possible.
https://www.accountkiller.com/removal-requested
And you haven't exactly disputed the article either. Just because it's 2 years old doesn't mean it's not accurate.
I have several IOS devices, and the only "password" you can put into it is the simple 4 character unlock code. You should certainly know that all encryption is based on keeping something secret that's very difficult to guess. If the only secret you're keeping is a 4 digit key, you're completely hosed to brute force attacks.
AccountKiller
would that still be a misdirection?
Oh, I see, anything which is said in favor of iPhone security is "reverse psychology", anything critical of iPhone security is "speaking truth to power".
You guys crack me up.
I hear so many mixed messages about iPhone security.
On one hand, with later models using full-disk encryption it seems like there are some aspects of the phone that are encrypted well enough that you might not be able to get into them easily. I have one app that even advertises its ability to encrypt data stored in the app providing the phone was full-disk encrypted (pre-iOS4 3GS devices upgraded to iOS4 didn't have full disk by default; you had to blank them and restore to get it).
On the other hand, we hear about third-party forensics tools that claim to be able to snarf data simply through a local connection, and then there's all the jailbreaking, etc. which would seem to bypass or at least make some of that security questionable.
Which is it?
If you wanted to snoop on cell phones, would you advertise which cell phones
you really could not crack?
So we know it's true.
Because when a person is arrested for a crime, it's the duty of law enforcement to collect and examine available evidence that could support or refute the theory that the person committed the crime. An iPhone can contain a lot of useful evidence. (My favorite is a text message to a girlfriend: "Hold on, I'm about to go rob the Dunkin Donuts.")
Well, if you have to ask, we're putting you on a watch list.
Have gnu, will travel.
Last time I checked, the government can't lie. It can only deny.
Sorry, incorrect. Go watch "Don't talk to police" on YouTube. Required viewing for US residency.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Humor
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
Amen!
In the US, this is another example of political correctness gone overboard.
What the old saying about people not learning from mistakes in the past are bound to repeat them in the future?
Then again...look at Germany, banning most anything Nazi connected....I believe similar type bans happen in other EU countries too?
But seriously....this is a part of US history, and should not be suppressed. I remember seeing old Bugs Bunny cartoons...people got blown up into 'blackface'....if they even show these episodes on tv, these parts are usually edited...
Why? This is part of history, and people should know what attitudes were publicly held and presented to see how much we've changed over the years.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Settings -> General -> Passcode lock -> Simple Passcode OFF
You can create a password that is noticeably longer and uses non numeric characters.
You have several iOS devices , security conscious, and never looked into what simple Passcode off did?
"There is no real right or wrong, just what the majority accepts at the time."
Well, it's their second worst nightmare. Their worst nightmare is being asked if they have been to the Stampede yet.
LOL Thanks, that was great!
I'm pretty sure the government can only lie. Maybe you are thinking of some government other than the U.S. government?
Whereas when I was at school the British Empire did nothing but bring peace and civilisation to mankind. Even the wars with the Maori in New Zealand were spun as a success story. It took my uncle living in Australia to tell me that the Aborigines were treated like dirt and were systematically wiped out by the British settlers.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
But the ECHR does, which is why the Right in the UK want out of the EU. (Incidentally, typo alert - you mean "populace". "Populous" means "with many people". Another spellcheck fail, like brakes/breaks.)
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Google is your friend. Before you show your ignorance, verify it first with a simple search.
Nice try, DoJ.
Most people use the standard 4 digit pin, this pin unlocks the keys to the encrypted FS.
With physical access to the phone, one can brute force a 4 digit numeric pin in about 20mins. The brute force has to be done on the phone itself, because you can't access the keys directly, but rather the API of the crypto chip. So you boot your brute force boot image via DFU mode. This of course bypasses any wipe on X failed attempts settings that might have been set in iOS.
Alphanumeric PINs are a PITA, so I'd suggest using a 7 or more digit numeric PIN. This is done by turning off simple passcode and then entering a passcode with only numbers (dispite the full keyboard). When asked for the passcode again to unlock the iPhone will give the normal numbers keypad. (Telling a hacker that your pins only uses numbers, but also make your life much easier).
I do know that, which is why I have a long, complex password on my iPhone. (The fact that you do not know this is possible points out that you still know nothing of Apple's security.) You are committing the equivalent of submitting an article from 1995 as evidence against someone claiming that computers are faster today than they were in 1995.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
My girlfriend has cracked hers twice, and she doesn't know the first thing about hacking. A 3' fall onto the sidewalk works almost every time.
That's how how FDE usually works. The standard OS access control system controls which users can request data.
Unfortunately, your backup isn't encrypted, unless you manually turn it on. You just have to have access to the backup and you can read all the files on the device, including the ones encrypted individually by the security settings enabled in iOS 4.0. Its only on the device that the files are secure w/ that hardware. Of course you can encrypt your backup, like I said. But that isn't automatic.
It is true. You can even have the artificial security of manually encrypting a file. However, the file is stored completely unencrypted in backups. And furthermore, you have no iOS encryption AT ALL, unless you put in a security code on the device.
What I don't get is: why don't they go after the data in the "cloud". Police should really be oiling their supoena-sending machines instead of spending time on virtually uncrackable crypto. From Skype, Steam and 3 email accounts (including Google), police could with good certainty know if I was at home or at work at a certain time, by looking at the IP address. If I'm out and about, If I was better at posting to Facebook, they could get geotagged images from my phone. Sometimes I listen to radio streamed over IP, and then they could even know when I go to the toilet (because I pause it). On Android phones, contact information is synced with Google. For legal investigations, where police can get subpoenas, it seems that they have a great future full of useful information ahead. Authorities outside of the US may have more trouble.
I have several IOS devices, and the only "password" you can put into it is the simple 4 character unlock code. You should certainly know that all encryption is based on keeping something secret that's very difficult to guess. If the only secret you're keeping is a 4 digit key, you're completely hosed to brute force attacks.
FYI iOS hasn't been limited to a 4-number password and has been able to use a long, variable-length alphanumeric passcode for over 2 years now, with the release of iOS4. If you used an Apple iPhone config utility to set policies (meant for enterprise, but any user could download the tool), you could use alphanumeric passwords 3 years ago under iOS 3.x.
You can use a more complex passcode that is as long as you want and contains more than just numbers - but it's optional. In settings -> general -> passcode lock, turn off "simple passcode."
Why, no, I haven't meta-moderated lately. Thanks for asking!
And that's the problem - by default, it's a 4-digit pin. You can enable a more complex passcode that can be longer and include other characters, but that option is turned off by default.
Why, no, I haven't meta-moderated lately. Thanks for asking!
Excellent Brer Rabbit reference. Made me go look up why Song of the South is nearly unavailable these days. I enjoyed it as a child.
Sorry, but gray text on gray background is making my eyes bleed.
Sure they can. Police lie all the time. Only idiots still believe what you said.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
First, it means that there have been no cases where an iPhone has been hacked and then used as evidence in a public criminal trial. This is self-evident, because if there had, people would instantly respond to this that: "this is all nonsense, it happened in the case of XYZ". The DoJ hence saves us the trouble of searching to find out.
Second, it means that hacking into an iPhone is nontrivial. This is self-evident, because if it was trivial, you would have two dozen security analysts saying that hacking an iPhone is the easiest thing in the world and the DoJ sucks ass for supposedly not being able to. The DoJ hence saves us time again.
Third, it is likely indeed the case that there is nothing the NSA (and by extension, the DoJ) cannot crack given time. But if they were to actually DO so in a public trial, it would completely negate this statement. That means that at least for a while they CANNOT do so in a public trial.
Fourth, public trials are the norm for almost all crimes.
Conclusion: If you are a mid-level criminal doing something that would likely get you tried in a public trial, you should use an iPhone, because the DoJ either cannot or will not (doesn't matter to you) hack into it and use it as evidence.
Excellent. Although I'm surprised Apple didn't use some proprietary encryption into which they would have built a backdoor for the government to use.
Liberty in your lifetime
Your friend in the other room already told us everything. This is your chance to come clean and maybe get a lighter sentence.
You know...myself and anyone my age..grew up with those cartoons...and somehow...we're not all damaged....why would todays kids be any different...are they more stupid now and need to be protected somehow?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
From what I see (and I have looked), iPhone security is not that great. The argument in TFA about "pull the plug and you cannot decrypt anything anymore" is bogus. I mean, it is a phone with a battery and a power-jack. Put it in a shielded case with power and you do not need to "pull" any "plug". And for a few hours a classical and cheap tin-can should just do fine. There are some types of evidence that forensics needs to stabilize under time-pressure, mobile phones are just one more instance of that.
What I really suspect is this is a push to have people trust their phones more, maybe even for secret stuff that can then be harvested by the intelligence community. Zero-days in iPhones cannot be that hard to find if you can throw some money at the problem. It is also possible that criminals are not trusting their iPhones at this time, and this is an attempt to make them do so.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Don't talk to police.
sysadmins and parents of newborns get the same amount of sleep.
http://en.wikipedia.org/wiki/Self-incrimination#United_Kingdom_law
Which is neither here nor there, just another anal retentive proclamation from Big Blue.
It definitely cracked me up
But no banana! I'll keep my blackberry, thank you.
Okay, can't watch the youtube video(blocked due to limited bandwidth here), but it let me onto the infowars site.
750M rounds is 2.5 rounds per person in the USA, yes. However: Scare tactics are being used.
First, it's for training ammunition - my training/qualification for the year is at well over 500 rounds between pistol and rifle(~half each). I'm not DHS, but it should be a clue as to how many rounds it takes to train&qualify somebody. It's often an annual requirement.
Second - it's a 'purchase UP TO' order, up to 70M rounds/year, between all winning parties, for a 5 year contract. NOT 'planning to buy 750M rounds of ammo'. Going by the contract, that's a MAX of 350M. The minimum order in a year is 1 lot of 1k rounds. In these sorts of contracts they list the maximum possible they expect for each item - for example, a big purchase of .40S&W handguns, a shift to .357 Sig, whatever. .223 is well represented, though I wonder that they aren't shooting NATO 5.56 spec rifles(the difference is about a human hair; doesn't matter much in training I guess). Going by my figure, a max order of 70M rounds would let you dual-qualify ~140k people. Office types trained 'just in case' would use a bit less ammo, SWAT types far more. A quick search shows 160k employees in DHS. Or maybe it's 188k employees AND 200k contractors. Whatever. I doubt they're going to be qualifying EVERYONE anytime soon, and probably don't plan to short of some crazy doomsday scenarios.
Third - "including 357 mag rounds that are able to penetrate walls." - just about ANY handgun self defense caliber is fully capable of penetrating a wall while remaining potentially lethal. It's a simple fact that a human body, which self defense rounds generally have to be able to completely penetrate to be considered effective, is more difficult to penetrate than 2 sheets of drywall. You want to go back to yea old days - when the .357 was developed, the standard was actually penetrating a car windscreen with a maximum deflection such that you'd still hit the driver. 9mm, btw, is 'normally' powerful enough for this, though you might need 2 shots(not as big of a deal for a semi), but this was back when we were still issuing revolvers to police. While we're at it, the contract also lists rifle calibers - .223, .30-06, and .308; all far more powerful than .357.
In other words, it's a big hoopla over just about nothing.
I don't read AC A human right
Automatic no, but all of one check box, right on the iPhones main page when connected in iTunes, yes. I mean, anyone even remotely security conscious isn't going to have any problem seeing it right in front of their own face:
http://3.bp.blogspot.com/-O3LfGOsSkpI/Ta9HW6SCRjI/AAAAAAAAM3c/OekIqze6zkk/s1600/encrypt-iPad_backup.jpg
- "Scientia non habet inimicum nisp ignorantem"
You do realize now that any app that tries to access your info pops up a permission box? There's no way around it anymore, it's hardwired into iOS.
http://appleigaga.com/wp-content/plugins/wp-o-matic/201202/dd2c2_ios_permission_popups-620x457.jpg
Same thing for an App trying to access photos, contacts, Bluetooth sharing, etc etc.
- "Scientia non habet inimicum nisp ignorantem"
You obviously have no idea how 256bit AES works. With every new iOS update, the hacker community tears through every damn file looking to see what Apple is doing, and if they had some sooper sekret back door, it would be found and be reported all over the place.
- "Scientia non habet inimicum nisp ignorantem"
Erm, if you have no password set encryption is pointless. "Wow encryption! How do I decrypt?" "Turn it on?"
What would be the point?
- "Scientia non habet inimicum nisp ignorantem"
It doesn't need to be full disk encrypted. Only a users data/settings needs to be. And with a password set that's 256bit AES. Yeah, maybe they could access the standard iOS system files, but since that's the same on every device it won't tell you anything.
Seriously, just set a non 4 digit password (Settings ->General->Passcode->Simple Passcode 'off')
Don't use iCloud (it's not forced on you), and in iTunes simply check "encrypt iPhone/iPod/iPad backup" which is right there on the main screen.
These theories about Apple having some secret back door simply aren't true. 3rd party security firms, as well as Jailbreak hackers who know the iOS probably as well as Apple would have noticed it, and you can bet your ass it'd be all over various news sites.
- "Scientia non habet inimicum nisp ignorantem"
A quick calc shows that he was 'only' earning $178k/year if he was indeed successful in hiding the 2.5M, instead of actually NOT HAVING IT. Given that he'd have likely gotten at least $1M back(50-50 split, $500k in legal expenses/held property), that's only $107k/year, for a premier lawyer. If he truly lost all the money(possible at this point), he LOST $71k/year. He'd be better off paying the money and just working a few more years.
I figure that one of the reasons they let him go is the increasing probability that he lost the money, and even if he stole it that the 'time served' would exceed the penalty. Heck, you can get a 'mere' 7 years for 3rd degree murder in the state.
I don't read AC A human right
Rediculous argument. By your logic you can't trust any encryption, because "Company X" gave the government the keys.
- "Scientia non habet inimicum nisp ignorantem"
Sure, if the user is an idiot. With simple Passcode off, "wipe data after 10 attempts", and iOS 5.x they won't ever get jack shit. Unless you think the Michigan PD has cracked 256bit AES.
- "Scientia non habet inimicum nisp ignorantem"
Well there are apps that use the encryption system on the device to encrypt files individually. These files do not get encrypted without a passcode enabled, even if you think that they might. I'm referring to those apps that claim to provide you with a secure place to store your naughty texts, pictures, files, contacts, etc. Unless they use their own encryption, they aren't secure once the device is unlocked, or backed up, or if the device was never locked.
In the age of doublethink, I smell a rat as it crumbles like a house of cards. Checkmate.
Isn't this as good as the DOJ asking crims/terry-wrists/pedo's to use the phone? Y'know, the whole "art of war" thing, "when you are weak, you must appear strong, and when you are strong, you must appear weak".
I'd say that the DOJ has an Apple supplied reader and decryption key at the ready. They may, or may not have a similar device for Andriod, Windows or BB devices, but for sure they have one for Apple devices.
There is no way they would or should give away thier weaknesses.
On the other hand, never put down to conspiracy what can be attributed to incompetance.
Cavaet Emptor.
Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
Comment removed based on user account deletion
I have no doubt that the encryption is neigh uncrackable (or at least too much trouble to bother)...
However, considering the Key to that encryption is a 4 characture limited set, which 90% will be the persons birthday or something stupid, I highly doubt it would withstand any concerted attack.
If they want in there, they are getting in. Might take a couple of days, but it is hardly "uncrackable".
They are simply saying the technology (i.e. the encryption) is strong, not the implemetation of that technology. This is not even considering whatever backdoors Apple may have built into the thing to circumvent for this vary reason.
pure, unadulterated, horse shit.
The most pure thing coming out of the DOJ in years !
But their many contractors have no problem at all !
Wow... the US makes official propaganda statements just like the good ol' USSR, North Korea and China.... Sorta warms your heart to know we keep such good company.
The DOJ *SAYS* it cant crack it. This ploy has been around since Enigma.