Slashdot Mirror
Apple's War Against Jailbreaking Now Makes Perfect Sense
An anonymous reader writes "Apple has always been extremely anti jailbreaking, but it might now have a good reason to plug up the exploits. As Hardware 2.0 argues, Apple's new iOS 7 Activation Lock anti-theft mechanism which renders stolen handsets useless (even after wiping) unless the owner's Apple ID is entered relies on having a secure, locked-down OS. Are the days of jailbreaking iOS coming to a close?" I can see a whole new variety of phone-based ransom-ware based on this capability, too.
timothy, you're going to have to explain how the implimentation of this feature by Apple in any way changes a developer's ability to create ransomware with similar functionality. 'Cause the way I see it, to be able to hijack the Authentication Lock, you're probably going to have to have sufficiently low-level access to just impliment your own lock.
No kidding!!! What do you say at this point?
How about "war against security exploits that allow malicious users to gain unrestricted access to your phone?"
I guess Linux and Microsoft are both engaged in a 'war against jailbreaking' too, when they close fucking security exploits.
Jesus christ - if you want root on your device, get a device that is built to allow that. Don't bitch that a company closes fucking security holes in its software.
Whats wrong with IMEI blacklisting.
The summary implies they've had this in the works for multiple iterations of iOS and never did it. I find it highly doubtful they were ready to implement this, but didn't for what, 5 consecutive versions of iOS?
Really? You'd buy a "gray-market" iPhone without seeing that it's on, and operational? Are you that retarded, really? I can only assume that you're retarded, since I can't imagine even the most dim-witted average person forking over good money for an iPhone without verifying that the thing is functional.
What this does is it makes it *mostly pointless* for someone to steal an iPhone, unless (until) someone finds a way to circumvent this activation lock. If it's useless, that scam works a limited number of times, and you're going to have some 'splainin to do to your customers. And you're going to have some angry customers who know who you are and can provide a description to police... "Hey I bought this iPhone advertised on Craigslist, and I have reason to believe it's stolen. I got it from this guy, here's his name and description."
Wow...
Would you steal a stereo? Would you steal a purse? Well, if you jailbreak your iPhone, you may as well!
Jailbreaking your iPhone prohibits Apple from protecting the safety of your loved ones. Think of the children.
TERRORISTS!!
Shenanigans!!
Anything to convince law-makers that having control over your own devices is evil.
Bah!
"Helping to keep you two steps ahead of the Thought Police!"
They want to prevent anyone else from starting an app store in competition with theirs.
There is a simple solution to theft - initialize each device with a unique key, and give a copy of that key to the owner. By all means pre-load it with trust for the vendor key as well so that it can auto-update by default, but the master key goes to the user. The key might be a $2 USB drive in a little envelope that says "keep safe and don't open unless you want to modify the OS software - Vendor may not be able to repair devices without this key."
The average user just sticks the key in a drawer and gets the default experience. A user who wants to unlock the device just downloads their alternate firmware installer of choice and it will ask them to insert their key so that it can reflash the phone. Users could also disable the Vendor's keys if they wish. By all means let users generate their own keys and install those on the device as well (obviously this will require the previous key). In the case of business-owned phones the business would procure the phone and keep the key, and thus they can stay in control of the hardware even if they allow employees to use it.
Now users can reflash at will, but if somebody steals the phone they will be unable to do so. It would have minimal cost, and since the defaults are all idiot-proof those who don't care about the feature can ignore it and as long as they don't remove the Vendor key the vendor can still do anything they can do today. However, it would establish that the person who paid for the phone is the one who owns it. Since the key is a tangible object, it can be transferred if the owner wishes to do so, and I'd just make it a read-only simple USB drive so that it could be copied if desired as well - just like a car key.
I think that was the point. People will see a pattern of phones sold second-hand not working, and will cease to buy second-hand phones. Legitimate sellers are screwed.
Support my political activism on Patreon.
Go to an Apple store, they take it out of the box right there and activate it. Go to an AT&T store, they take it out of the box right there and activate it.
There's no reason to not say "open the shrinkwrap, plug it in, and let's verify that it's ready for activation, and not a brick."
If the person you're buying from suddenly gets all nervous and says "I gotta go man, just gimme the money and take the phone, I ain't got time for that," then there's a pretty fucking good warning that you're getting scammed.
Seriously, you people are fucking dense if you think this will do anything but reduce the number of stolen iPhones.
Yeah because no thief has ever put it into another iPhone box and shrink wrapped it and sold it as new before...
If you're buying "new" iPhones from unknown people in gas stations then you deserve what you get IMHO.
No sig today...
...it will simply cripple the trust of the secondary market...
I think it will just change the protocol for selling on eBay or Craigslist. Sellers will probably learn to post a picture of the phone, turned on, showing the date... and also the serial number or something. If you can get into the settings, then it wouldn't be locked. But really, sending a bricked phone is no different from sending a broken phone or no phone at all, so I think this all falls into the "fraud" dept.
FWIW, there were five things which immediately went through my head when I saw them announce Activation Lock. In order, they are:.
- "If iOS7 can be jailbroken, Activation Lock is useless"
- "There needs to be a simpler way to 'release' a phone from your ownership". (I once went into "Find My iPhone" and was able to see all three iPads I've ever owned and the last three iPhones I've had. It turns out that it takes some deliberate navigating, on the part of the user, to indicate that they no longer own a device. That needs to be simpler.
- It needs to be *verifiable* by the buyer that a device isn't "owned" by anybody. Otherwise, the device could be locked at any time in the future. (or... there needs to be a way for someone with a locked phone to track down the person with locking rights on a phone so that they can say "Hey... remember that phone you sold back to BestBuy last Spring? They never released you as the owner". Almost like doing a title-search on a piece of property.
- Apple will probably need some kind of arbitration dept. for the "This dude sold me his phone and won't release his lock rights" or "I can't find the person who has lock rights" issues.
- If this is something which people have to turn on in the phone before it gets stolen, it's going to be useless. Almost nobody is going to take the time to enable it, which means a small fraction of stolen phones will get activation-locked, which means there will be a small deterrent to theft.
I eagerly await the rollout of iOS7 to see how Apple deals with these issues.
This is *not* about permanently disabling or blacklisting a phone. This is about making the phone unusable for the thief, but keeping it technically sound so the rightful owner could still use it if it has been recovered. It'd be trivial to blacklist an IMEI, just as it would be to circumvent the blacklist by reprogramming the baseband controller. It'd be trivial to implement a "self destruct" on the phone that could be triggered remotely, but then you'd have a phone that would need at least one chip replaced before it'd work again. This is about non-destructive locking and it relies on the OS not being rooted. They may find a way to do that on newer hardware, but as I understand it, all current hardware has been "owned" sufficiently for a software-only compromise to be sufficient.
I was promised a flying car. Where is my flying car?
Actually there is a much simpler way to go about this problem (with theft) which would leave both Apple and the NSA out of the loop.
Every cellphone is equipped with an EMEI number which works similar to a network MAC address. It is a unique hardware identifier for each phone - on a global scale.
The EMEI is visible in the settings/control-panel section of any modern phone, and often also printed on either the box the device is supplied in, or a piece of paper inside. And it is used by every carrier on the planet as a part of the calling infrastructure.
All the carriers would need to do, is to allow a "blacklist" of EMEI numbers, so when your device is stolen you simply report the EMEI to the carrier and they blacklist it. To prevent abuse each device could be supplied with an anti-theft key generated by the initial operator or by the manufacturer (so only the holder of both the EMEI and theft-key can have it blacklisted).
The technical capability to do this already exists. Some operators have even implemented it in trials. Their reasons for not using it today is the fact that not all operators actually want to bust customers with stolen phones, and this system would be kind of pointless if only half the carriers implement it.
Enter regulation. The political system could easily pass a law that forces all carriers to implement this kind of EMEI-based anti theft system. It would take little to design, it would work for every phone on the planet regardless of make/model, and it would include only known technology (just a few bits and pieces to extend the existing EMEI database plus a front-office system to operate it).
Not implementing this is pure laziness (from carriers).
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...