Slashdot Mirror


Apple Deluged By Police Demands To Decrypt iPhones

New submitter ukemike points out an article at CNET reporting on how there's a "waiting list" for Apple to decrypt iPhones seized by various law enforcement agencies. This suggests two important issues: first, that Apple is apparently both capable of and willing to help with these requests, and second, that there are too many of them for the company to process as they come in. From the article: "Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year. An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, 'contacted Apple to obtain assistance in unlocking the device,' U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was 'placed on a waiting list by the company.' A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he 'attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock' an iPhone 4S. But after each police agency responded by saying they 'did not have the forensic capability,' Maynard resorted to asking Cupertino. Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."

58 of 239 comments

  1. Is Apple being compensated? by APE992 · · Score: 5, Interesting

    If they're going to expect Apple to spend time doing their work for them are they at least compensating them for the time and energy necessary for this?

    1. Re:Is Apple being compensated? by noh8rz10 · · Score: 4, Interesting

      i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino...

    2. Re:Is Apple being compensated? by Anonymous Coward · · Score: 4, Insightful

      You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.

      It is irrelevant how much Apple spends to operate that backdoor.

    3. Re: Is Apple being compensated? by Anonymous Coward · · Score: 5, Informative

      Now you know and knowing is half the battle. Don't buy iPhone.

    4. Re: Is Apple being compensated? by fustakrakich · · Score: 5, Funny

      That's right. Steal somebody else's

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Is Apple being compensated? by __aaltlg1547 · · Score: 5, Insightful

      You understand that in this case the police HAD a warrant. What's your complaint?

    6. Re:Is Apple being compensated? by __aaltlg1547 · · Score: 2

      Did you receive documentation that said otherwise?

    7. Re:Is Apple being compensated? by FuzzNugget · · Score: 5, Interesting

      You're deluding yourself if you think a backdoor is a good thing.

      No, this is overall a bad thing: Apple is able and willing to break the encryption on an iPhone, presumably through a backdoor or brute force.

      Then again, we could all be mistakenly conflating "encryption" with "lock screen", which really speaks to the level of (in)competence on the part of law enforcement.

      Hmmm, maybe this is a good thing (just not quite in the way you were thinking)

    8. Re:Is Apple being compensated? by bytesex · · Score: 3, Interesting

      Maybe the backdoor isn't so much the crypto format itself - it's in the password to decrypt. After all - these companies have a thing for you sharing information 'in the cloud', right? What's to stop them from simply posting your password somewhere central - for recovery purposes on your (and apparently, other people's) behalf? I reckon 90% of users would find it super-convenient!

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    9. Re:Is Apple being compensated? by node+3 · · Score: 4, Insightful

      You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.

      It would be, were that the case. But it's all but certainly not. There's no way Apple would put an actual back door into their products.

      If you had read the article, you'd notice that the process takes four months. If they had a back door, it would take a few minutes. Also, had you read the article, you'd notice that Google will reset the password and send that to law enforcement.

      But I'm sure that's not outrageous. Lol!

      It is irrelevant how much Apple spends to operate that backdoor.

      That's true, but only if there was an actual back door.

      However, in all fairness, if you have proper evidence that Apple has a back door, I'll be right there with you. That would be wholly unacceptable.

    10. Re:Is Apple being compensated? by blaster · · Score: 5, Interesting

      Apple does not have a backdoor per se. But Apple does have the device signing key and can thus completely compromise the chain of trust. The only thing stopping you from compromising a phone with a 4 digit passcode in seconds by brute forcing it is the fact that software rate limits attempts, and the option to have it delete its intermediary keys after 10 bad attempts. If you have the ability to load an arbitrary kernel it is trivial to bypass both of these, but only Apple has that capability, at least on devices without jailbreaks that can be executed while locked.

      If you want to make sure your data is secure then use a full password and not a PIN, which will make Apple's ability to run code moot since brute forcing it will not be practical any more. You can look at https://acg6415.wikispaces.com/file/view/iOS_Security_May12.pdf/343490814/iOS_Security_May12.pdf for more info on the actual architecture.

    11. Re:Is Apple being compensated? by Anonymous Coward · · Score: 2, Insightful

      My complaint is that the police can fuck right off if they want to decrypt anything on mine.

    12. Re:Is Apple being compensated? by SeaFox · · Score: 4, Informative

      i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino...

      No, I'd say this is a bad thing. A back log of getting these requests fulfilled will only be used as justification for there to be a regular law-enforcement back door built into a later version of iOS. "This process is taking too long and Apple is being burdened with fulfilling these requests, if only we had a way of accessing an iPhone ourselves without needing their assistance it would make things easier for all parties when investigating terrorism and child pornography..."

    13. Re:Is Apple being compensated? by blaster · · Score: 5, Interesting

      Would you have preferred if I had written "Apple does not actually need a backdoor per se in order to perform the actions mentioned in the article?" My point was that what law enforcement is asking does not require a backdoor, since a lot of posters seem to think it implies there must be one. Furthermore, security researchers can and do look and see how all the signing keys etc are structured on running systems even without source code access. Is there a chance there is still something hidden, sure, but there is also a chance someone snuck a root exploit into an innocuous looking commit in an important open source project. Source code access generally does lead to more trustworthy code, but it isn't so black and white as you claim. In the end we depend on people to validate what we use, and just having the source available is not in and of itself validation.

      As for the rest of your comments, you simply don't know what you are talking about, but you would if you had actually read the PDF I linked. First off, rewriting the bootloader via JTAG is not an option on a lot of SoC's and embedded devices once they have had some of their internal fuses blown. From the PDF:

      "When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load."

      So the stuff in flash might be rewritable, but it won't be executed unless it is signed. Reading the raw flash is also completely useless, because all data written to it is AES encrypted via a DMA engine in the SoC that uses various different keys, but all of them are tied to or derived from values fused into the processor and not readable via software or JTAG (they are routed directly to the DMA block and never exposed). That means the brute force needs to be attempted on the SoC in that particular iPhone, or you need to drastically increase the search space. A suitably advanced attacker could probably also obtain the SoC keys by decapping the chip, dying it, and looking at the fuses with a scanning electron microscope, but I generally don't worry about an attacker with those sorts of resources; they would probably just beat my PIN out of me...

    14. Re: Is Apple being compensated? by thegarbz · · Score: 2

      But ask them for the encryption key first.

    15. Re:Is Apple being compensated? by gd2shoe · · Score: 3, Informative

      The summary implies that it did only take a couple of minutes... after months of sitting on a shelf while Apple dealt with the backlog of other phones needing to be unlocked by law enforcement.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    16. Re:Is Apple being compensated? by AmiMoJo · · Score: 4, Informative

      The iPhone is FIPS 140-2 certified.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:Is Apple being compensated? by AmiMoJo · · Score: 4, Insightful

      No, the backlog is 4 months. Nobody knows how long actual decryption takes, but the nature of these things is that it will either be minutes or thousands of years with a supercomputer dedicated to the task. Apple claims that it uses AES with a 128 bit key, so if they can unlock it that quickly they MUST have a backdoor to the encryption key.

      This is absolute proof that they have your encryption key on file somewhere. Others have already verified that they do indeed use AES 128.

      To cover themselves legally Apple will have to evaluate every request that comes in, handle the evidence securely (maintaining the chain of custody) and then handle the potentially sensitive and illegal decrypted data in a way that doesn't expose its staff. It's no wonder there is a backlog.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    18. Re: Is Apple being compensated? by jimicus · · Score: 3, Informative

      Doesn't need to be a back door - forensics products to crack phones already exist:

      http://www.msab.com/app-data/downloads/Release_Notes_(English)/XRY_release_notes_6.5_EN.pdf

    19. Re:Is Apple being compensated? by Cyberax · · Score: 2

      Dudes, Apple holds your encryption key in escrow to allow device restores. That's even disclosed in their freaking policy.

    20. Re:Is Apple being compensated? by kasperd · · Score: 4, Informative

      Apple claims that it uses AES with a 128 bit key, so if they can unlock it that quickly they MUST have a backdoor to the encryption key.

      The input provided by the legitimate user for decrypting the content has way less than 128 bits of entropy. So they just need to brute force that input. What Apple can do, which the forensics people might not know how to do, is to extract the encrypted data and put it on a computer, where brute forcing can happen without each input having to be entered through a touch screen. Any security one might think this adds, is nothing but security-through-obscurity. Real security of the encryption could only be achieved by the user entering some sort of password with sufficient entropy. A 39 digit pin code would be sufficient to make AES be the weakest point. But would anybody use a 39 digit pin on their phone? Anything less would make the pin be easier to brute force than AES.

      You can shift the balance a bit by iterating the calculation which produces a key from the pin code. A million iterations would probably be acceptable from a user experience perspective, but that would only reduce the required number of digits from 39 to 33. A milliard iterations would not be good for the user experience, since they now have to wait quite some time after entering a pin. And with the pin still needing to be 30 digits in length, they'll often need to re-enter it multiple times, before they get it right.

      --

      Do you care about the security of your wireless mouse?
    21. Re:Is Apple being compensated? by Charliemopps · · Score: 5, Insightful

      You understand that in this case the police HAD a warrant. What's your complaint?

      That encryption is not encryption if Apple can "undo" it.

    22. Re: Is Apple being compensated? by CastrTroy · · Score: 2

      At least with Android it seems like it would be possible to install 3rd party tools that would encrypt the data such that it would not be accessible by a back door. You can completely replace many aspects of the operating system. It would probably be not-too-difficult to install different applications to deal with email, SMS, contact lists, and anywhere else sensitive information might be stored on your phone. Windows and iOS are too closed to do this in a dependable way.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    23. Re:Is Apple being compensated? by Impy+the+Impiuos+Imp · · Score: 5, Interesting

      Is it a user's password or is it Apple's? Is there a back door in the algorithm? Is it an inherently weak algorithm, but the police don't know what it is so they can't launch an attack?

      Inquiring minds want to know!

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    24. Re:Is Apple being compensated? by DJRumpy · · Score: 2

      Yes you can set it to accept any input, not just a 4 number pin. I use it myself.

    25. Re: Is Apple being compensated? by Nerdfest · · Score: 2

      With CyanogenMod, etc, you have the source and can verify that there isn't a back door.

    26. Re:Is Apple being compensated? by sribe · · Score: 3, Informative

      No, this is overall a bad thing: Apple is able and willing to break the encryption on an iPhone, presumably through a backdoor or brute force.

      Brute force. 10 failed attempts at the lock screen results in the phone being wiped. But Apple can copy out the encrypted contents, and then keep guessing until they find the code, no matter how many tries.

      Then again, we could all be mistakenly conflating "encryption" with "lock screen", which really speaks to the level of (in)competence on the part of law enforcement.

      On the iPhone, same thing--when you set up the lock screen, it sets up a random key which is used to encrypt/decrypt data in-flight to the flash, so that nothing is stored decrypted. The passcode is used to de-scramble the key, which is stored in a special location...

    27. Re: Is Apple being compensated? by sribe · · Score: 4, Informative

      Now you know and knowing is half the battle. Don't buy iPhone.

      Right, because, as the article points out:

      Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.

      Oh, good for google! Wait, why doesn't Apple just reset the password and provide the new password to law enforcement. Oh, yeah, right, better security--they can't just reset the password. And boy, how much better it is for the suspect's privacy that google notifies him. Let's see, he's been arrested, his phone seized, a warrant obtained to examine its contents--I'm sure he'd be so much more relieved if he were to get email from Apple when his pass code is cracked, because by god that is so important to his privacy!

    28. Re:Is Apple being compensated? by gtirloni · · Score: 2

      I salute your effort to have a rational conversation. Unfortunately this is Slashdot.

      By the way, does anyone have suggestions for discussion sites that try to follow basic discussion rules (like forming sound arguments) as a philosophy?

      --
      none
    29. Re:Is Apple being compensated? by BasilBrush · · Score: 3, Interesting

      Apple can't "undo" encryption. But a lockscreen pin code is 4 digits long. Guess how many tries they need on average and as a maximum in order to brute-force it?

      Reduce that average time, because some passcodes are used more often than others. (0000,9999,1234, numbers that spell out various 4 letter words)

      After 6 attempts, you have to wait a minute before trying again. At some point there will be a complete lockout, but even that can be reset via iTunes.

      So brute-forcing is by no means impossible. But it will take time and, realistically, automation. Hence why law enforcement have to wait once they've issued Apple with a warrant.

      Those who are Android fans should bear in mind that Google will also retrieve data from Android devices if the Police issue them with a warrant.

      The smartphone of choice for those people who need to protect their phone data from the Police is still the Blackberry.

    30. Re: Is Apple being compensated? by Cwix · · Score: 4, Informative

      https://code.google.com/p/cryptonite/

      this looks like it could help

      --
      You are entitled to your own opinions, not your own facts.
    31. Re:Is Apple being compensated? by TheCarp · · Score: 2

      My complaint is that Apple is even capable of complying. If I buy a device, its mine, if I encrypt that device, I, and whoever I give the key to, should be the only people able to decrypt it (key weakness and cryptanalysis notwithstanding, obviously).

      If this is not the case, then it should be made explicitly obvious up front, and not even just buried in the fine print, because this, in reality, is a HUGE difference between expectation and reality.

      But.... I have already exercised my right as a consumer in this area, I have not and will not buy an ijail.

      --
      "I opened my eyes, and everything went dark again"
    32. Re:Is Apple being compensated? by KGIII · · Score: 2

      This is the internet. I'm afraid you're shit out of luck. ;)

      (Trying Opera, again. I used it before Firefox. Someone mentioned extensions in another thread so I installed it again. So far it is pretty speedy.)

      Anyhow, I'd be interested in a site where logic rules the day and the topic was technology. I'd like something similar to what I recall Slashdot as having been. I am slightly worried that I am remembering Slashdot of yore through the haze of rose colored glasses though.

      --
      "So long and thanks for all the fish."
    33. Re:Is Apple being compensated? by therealkevinkretz · · Score: 2

      We're not "err[ing] on the side of the criminal". We support the rights of the individual and (most of us) dismiss or are at least skeptical of the suggestion that we need to give those up to make it easier for law enforcement.

      Back to which phones are "safe" - I don't want to mention specific sites or products but they're easy to find, along with what data on what phones they're able to access. Some phones seem harder to access than others. Recent iPhones seem strong (unless, as described in the article, Apple assists).

    34. Re: Is Apple being compensated? by GoogleShill · · Score: 4, Informative

      There is no copying of data. The data is /always/ encrypted on the device, it's the encryption key that is password protected.

      It's actually very simple. When the device is initially set up, a symmetric key is generated and all the user data is encrypted using that key. When you set a lock screen password, the encryption key is then encrypted using the password and stored in flash. Unlocking the device with the valid password decrypts the key into RAM so that the user data can be decrypted. Locking the device removes the decrypted key from memory, thus leaving all of the data in flash in a secure state.

      If the device is configured to self-erase after too many failed password attempts, the device simply deletes the encryption key from flash and the device is effectively wiped.
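
The key hierarchy described in this comment, together with kasperd's passcode-length arithmetic further up, as an added Python sketch that is not code from any poster or from Apple. The `Device` class, `min_passcode_length`, the iteration count, PBKDF2 as the passcode KDF and the HMAC-keystream key wrap are all assumptions chosen so the model runs on the standard library alone.

```python
"""Added illustration of a passcode-wrapped data key (not Apple's implementation).

Stand-ins chosen for a stdlib-only sketch: PBKDF2-HMAC-SHA256 as the passcode
KDF, an HMAC-SHA256 keystream XOR as the key wrap, and a random per-device
uid playing the role of the secret fused into the SoC.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 50_000  # constructed value for the demo


class Device:
    """Hypothetical model: the data key exists at rest only in wrapped form."""

    def __init__(self, passcode, max_failures=10):
        self._uid = secrets.token_bytes(32)  # device-bound secret, never exported
        self.max_failures = max_failures
        self.failures = 0
        # The 128-bit data key is generated once; only its wrapped form is stored.
        self.wrapped = self._wrap(secrets.token_bytes(16), passcode)

    def _kek(self, passcode, salt):
        # Mixing in the uid ties every passcode guess to this device's hardware.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self._uid + salt, KDF_ITERATIONS)

    @staticmethod
    def _stream(kek, n):
        return hmac.new(kek, b"wrap", hashlib.sha256).digest()[:n]

    @staticmethod
    def _tag(kek, blob):
        return hmac.new(kek, b"tag" + blob, hashlib.sha256).digest()

    def _wrap(self, data_key, passcode):
        salt = secrets.token_bytes(16)
        kek = self._kek(passcode, salt)
        stream = self._stream(kek, len(data_key))
        blob = bytes(a ^ b for a, b in zip(data_key, stream))
        return salt, blob, self._tag(kek, blob)

    def unlock(self, passcode):
        """Return the data key, or None on a wrong passcode or a wiped device."""
        if self.wrapped is None:
            return None
        salt, blob, tag = self.wrapped
        kek = self._kek(passcode, salt)
        if not hmac.compare_digest(tag, self._tag(kek, blob)):
            # Software-enforced limit: it holds only while this code is what runs.
            self.failures += 1
            if self.failures >= self.max_failures:
                self.wipe()
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(blob, self._stream(kek, len(blob))))

    def change_passcode(self, old, new):
        data_key = self.unlock(old)
        if data_key is None:
            return False
        self.wrapped = self._wrap(data_key, new)  # user data is not re-encrypted
        return True

    def wipe(self):
        # Deleting the wrapped key is the whole erase; ciphertext stays in flash.
        self.wrapped = None


def min_passcode_length(alphabet_size, key_bits=128, kdf_iterations=1):
    """Shortest random passcode whose exhaustive-search cost (guesses times
    KDF iterations) is at least 2**key_bits. Exact integer arithmetic."""
    n = 0
    while alphabet_size ** n * kdf_iterations < 2 ** key_bits:
        n += 1
    return n


if __name__ == "__main__":
    dev = Device("4821")                      # constructed sample passcode
    key = dev.unlock("4821")
    print("wrong passcode ->", dev.unlock("0000"))
    dev.change_passcode("4821", "a much longer passphrase")
    print("same data key after change:",
          dev.unlock("a much longer passphrase") == key)
    dev.wipe()
    print("after wipe ->", dev.unlock("a much longer passphrase"))
    for iters in (1, 10**6, 10**9):
        print(iters, "iterations:", min_passcode_length(10, 128, iters), "digits")
```
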

    35. Re:Is Apple being compensated? by Savage-Rabbit · · Score: 3, Interesting

      Is it a user's password or is it Apple's? Is there a back door in the algorithm? Is it an inherently weak algorithm, but the police don't know what it is so they can't launch an attack?

      Inquiring minds want to know!

      Apparently you encrypt an iOS device when you enable the pass code option. The default pass code is numerical and is only 4 digits, which is very weak. You can activate a 'pass phrase' option that gives more security but the pass phrase should be at least 12 characters long. An 8 char password can, for example apparently be cracked (brute forced presumably) in under 2 hours. Since the iPhone defaults to a 4 digit numerical code I don't suppose cracking 98% of these devices will be terribly hard. However, as always, it appeals far more to the Apple haters here to jump to the conclusion that iOS devices phone home to Apple and send them your encryption keys and pass phrases in clear-text. I am not so sure about that myself, I know of a criminal case where a FileVault image was sent to Apple for decryption but they returned after a while saying that their people had failed to crack it.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    36. Re:Is Apple being compensated? by Joce640k · · Score: 2

      Is it a user's password or is it Apple's? Is there a back door in the algorithm? Is it an inherently weak algorithm, but the police don't know what it is so they can't launch an attack?

      Inquiring minds want to know!

      If there's a "seven week delay" they're probably brute-forcing something.

      --
      No sig today...
    37. Re:Is Apple being compensated? by therealkevinkretz · · Score: 2

      I think you're just being argumentative for the sake of being argumentative. First, I didn't describe a specific right, only "the rights of the individual". In my country, at least, there are several such recognized rights.

      And if I were being specific about privacy rights re: smartphones, there are still individual rights. See "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures ...", etc.

    38. Re:Is Apple being compensated? by node+3 · · Score: 2

      Actually, even in the summary, the relevant part is here:

      "Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."

      It says that the waiting list is 7 weeks, and the process takes four months. However, even so, the entire article is quite vague. The only thing that's not is that there's no way there's a back door in Apple's encryption. At the very least, you'll need more than vague claims to support such a case.

    39. Re: Is Apple being compensated? by fluffy99 · · Score: 2

      There is no copying of data. The data is /always/ encrypted on the device, it's the encryption key that is password protected.

      It's actually very simple. When the device is initially set up, a symmetric key is generated and all the user data is encrypted using that key. When you set a lock screen password, the encryption key is then encrypted using the password and stored in flash. Unlocking the device with the valid password decrypts the key into RAM so that the user data can be decrypted. Locking the device removes the decrypted key from memory, thus leaving all of the data in flash in a secure state.

      If the device is configured to self-erase after too many failed password attempts, the device simply deletes the encryption key from flash and the device is effectively wiped.

      Ding, ding, ding, ding! We finally have a poster who understands how this works! This is how almost all disk-encryption works. This is also how MS disk and file encryption works. This method also allows you to have multiple keys to the same file or disk partition, as the real key encryption simply gets encrypted using each individual key and stored with the file. I'm willing to bet IOS saves another copy of the encryption key that's encrypted with their public key, and they have the ability to unencrypt it using their private key.

      Also note that the algorithm used to unlock the encryption key, may not be the same algorithm as used to encrypt the data. There have been examples of software and usb drives claiming AES encryption, but it turned out that only applied to the stored key and the actual encryption was very easy to break (in some instances it was literally XORing with the stored key).

    40. Re:Is Apple being compensated? by mjwx · · Score: 2

      Those who are Android fans should bear in mind that Google will also retrieve data from Android devices if the Police issue them with a warrant.

      The beauty of Android is that it is very, very easy to make this very, very hard for Google (or anyone trying really).

      But the best defence against the Police is a Nokia 6110. As long as you don't use SMS they store practically nothing.

      The only real security for mobile devices is to store nothing sensitive (or incriminating) on them.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    41. Re:Is Apple being compensated? by mjwx · · Score: 3, Insightful

      You can crack the 4 digit lock screen in like 2-4 minutes.

      Once you can access the encrypted contents, it's all a matter of brute forcing. It's made a bit harder because trying each key takes substantial amount of time, but with ten thousand keys as you said it is no problem. You can use more digits, or a password with keys and laters. About 8 truly random digits and characters should make it unbreakable.

      You're commenting on forensics without knowing how to do forensics with a computer or electronic device. Please stahp.

      The limitations of the device or OS are pointless. You won't key in 10,000 passcodes because you never do forensics on the devices themselves (in case of booby traps and to maintain data integrity and prevent the suspicion that the forensic examiner tampered with the data) you always do forensics on an image of the device's OS. This is easy to get off Android using FastBoot, I'm certain Iphones will have something similar. Then you simply run up the image with an emulator and crack away to your heart's content. If you're really in a hurry, you set up multiple emulators and crack them in parallel.

      So I have no doubt that a 4 digit passcode can be broken very quickly (2-4 minutes is not an unfair estimate if they've used a common 4 digit passcode like 1234 or 9876 and you'd be surprised how many people do this, but I think it would be about 1-2 hours).

      An 8 digit random passcode is far, oh so very far from being unbreakable it's not funny.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    42. Re:Is Apple being compensated? by Sabriel · · Score: 2

      There is such a right. The specific right to search with a warrant is an exception to, not a removal of, the general right to privacy. You have a general right to secure what is yours (e.g. your phone). The police have, with a duly processed warrant, a specific right to pierce that security in a specific manner. They cannot legally, for example, hit you with a five dollar wrench until you confess the password.

      At least in this country. Other posters may not be so lucky.

  2. Re:iPhones Encrypted by Anonymous Coward · · Score: 3, Informative

    Since the 4. The flash is encrypted with a device key. Remote wipe simply cycles the key.

    Previously parts were encrypted, but not all.

  3. I must be missing something. by jtownatpunk.net · · Score: 4, Informative

    The summary talks about decrypting the data on the phones. The articles talk about getting past the lock screen on the phones. Those are two entirely different things. On my phone, I have to first enter the decryption code before I'm presented with the lock screen.

  4. No I think they are just confused by Sycraft-fu · · Score: 4, Informative

    Most phones aren't encrypted and usually the company can bypass it. For example with Android phones tied to a Gmail account, Google can bypass the lock screen. So if you forget your password, that is a recovery mechanism. Also data can be accessed if you physically removed the flash chip from the phone and put it in another reader. Lock screens are protection against most kinds of attacks, not high level security. Most people don't need high level security though, so it works well.

    You can also encrypt your phone. Well I presume you can encrypt iPhones, having not owned one I don't know. You can encrypt Blackberries and Androids. There you set a key and it does basically a full-disk encryption type of thing. You have to enter the key to access the device at all (whereas lock screen lockouts will allow some stuff to happen) and there is no recovery. If you forget the password, you're boned, flash the device and start over. Few people do that because it is not pushed and is inconvenient.

    It is also more security than is generally useful. Most people are worried about someone running up a phone bill, or getting at your account information or something if they steal a phone. A lock screen stops that. Device encryption is needed only against more serious threats, hence most don't use it.

  5. War on Drugs by pitchpipe · · Score: 5, Funny

    Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year... Because the waiting list had grown so long, there would be at least a 7-week delay...

    As soon as they are able to get these phones decrypted, this war on drugs will be won!

    --
    Look where all this talking got us, baby.
  6. How does Apple Decrypt it? by Frankie70 · · Score: 5, Interesting

    Unless the iPhone has a backdoor - the effort required for either Apple or others should be the same. Does this mean that the iPhone has a backdoor?

    1. Re:How does Apple Decrypt it? by Nerdfest · · Score: 2

      Just? If Apple can decrypt your phone, they're not doing encryption right.

    2. Re:How does Apple Decrypt it? by Yvanhoe · · Score: 2

      What is their incentive for doing it right anyway? Since when do people check the result of security audits on the smartphone they want to buy?

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:How does Apple Decrypt it? by mlw4428 · · Score: 2

      So a company purposely makes shitty security so that they can break their own security whenever they want and people are OK with this? Sounds like an even better reason to stick/switch to Android. At least an open-source product has a better chance at security over some proprietary bullshit.

    4. Re:How does Apple Decrypt it? by AK+Marc · · Score: 2

      It's not a backdoor, it's a side door with bright neon lights and a sign that says "enter here". Backdoor indicates it's in some way hidden. Apple holding and being able to reset keys was an advertised feature. I fail to see how using an advertised feature fits the common definition of "back door".

      That's like saying that Linux has a massive backdoor in that you can put your own malicious code in, compile it, then distribute the compiled code as original. Would you consider that a backdoor?

  7. How ? by Taco+Cowboy · · Score: 3, Interesting

    i see this story as being a GOOD thing, generally speaking. the feds are stumped by my iphone. now the only people we need to cockblock are in cupertino

    The question is, how ?

    The Apple platform is a closed platform, and they closely guard against any attempt to change their products (even after we have purchased them with our own money)

    Until now, there is no way to safeguard our secret stored in i-Device from the prying eyes of Apple Inc

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:How ? by BrokenHalo · · Score: 5, Insightful

      Until now, there is no way to safeguard our secret stored in i-Device from the prying eyes of Apple Inc

      If you want something kept secret, you're a fool if you put it on your phone.

    2. Re:How ? by erroneus · · Score: 3, Interesting

      Jailbreak, inject a new encryption key?

    3. Re:How ? by kthreadd · · Score: 3, Insightful

      Not at all if the computer (I don't know why so many call modern hand-held computers phones since they are not very phone-like) is using strong and trustworthy encryption which you control. I don't know the details in this case (Slashdot is seldom trustworthy), but if anyone except you can decrypt it using something other than brute force then the encryption is certainly not trustworthy. If that's the case then putting secrets on this computer that you call phone is absolutely a terrible idea, but I see very little problem with it if it's actually good encryption.

  8. Brute-forcing the lock code by Verteiron · · Score: 5, Informative

    Brute-forcing an iPhone's lock code is relatively trivial with freely available tools. This puts the device in DFU mode, so "Erase device on X unlock attempts" doesn't take effect. That version of the tools only bruteforces lockcodes, but there's no theoretical reason you couldn't try at least a dictionary attack on a password, too. Since it's also possible to dump the hardware key and a complete (encrypted) image, I imagine an offline attack on the image is possible, too. You wouldn't have to rely on the relatively slow hardware in the iPhone.

    Using those tools I have successfully bruteforced the 4-digit lockcode to an iDevice running 6.0.2, and that's with no prior experience with or knowledge of iOS. I even used an emulated Mac to compile the necessary firmware patch. And that's just what I was able to do with a few hours of fiddling. There are people who do this for a living, and tools dedicated specifically to extracting data from mobile devices. Are these PDs really saying they can't get into devices with simple lock codes?

    --
    End of lesson. You may press the button.
  9. Mod parent up by immaterial · · Score: 2

    Wish I had my mod points today...