Slashdot Mirror


DoJ Says Apple's Posture on iPhone Unlocking Is Just Marketing (reuters.com)

New submitter kruug writes: The U.S. Department of Justice filed a motion seeking to compel Apple Inc to comply with a judge's order for the company to unlock the iPhone belonging to one of the San Bernardino shooters, portraying the tech giant's refusal as a 'marketing strategy.' The filing escalated a showdown between the Obama administration and Silicon Valley over security and privacy that ignited earlier this week. The Federal Bureau of Investigation is seeking the tech giant's help to access the shooter's phone, which is encrypted. The company so far has pushed back, and on Thursday won three extra days to respond to the order. Reader Lauren Weinstein writes of this tack: "The level of DOJ disingenuousness in play is simply staggering."

25 of 339 comments

  1. Apple - standing alone by Swampash · · Score: 5, Insightful

    Assume that every other hardware manufacturer that is NOT getting threatened by the Federal Government has already rolled over.

    Tim Cook: thank you. All you other bitches: FOAD.

    1. Re:Apple - standing alone by imgod2u · · Score: 4, Informative

      That's actually exactly what Apple is saying and it's true: they can't access the encrypted data because they don't have the key.

      What the FBI wants is for Apple to develop a hacked version of iOS that can be loaded onto the phone and allow external inputs to try different user unlock PINs as well as get rid of both the 10-attempts limit as well as the time-between-tries limit.

      Obviously the existence of such a hack -- as well as the ability to load a locked phone with it -- is a dangerous tool that can be used on any iPhone. Apple isn't just refusing to hand such a thing over, they're refusing to even develop (or at the very least, acknowledge the existence of) such a hack. Thus discouraging any hackers from going "shit, it can be done, let's find out how!".

    2. Re:Apple - standing alone by MikeMo · · Score: 3, Informative

      That's not the deal at all. Apple can't decrypt it. The FBI wants them to remove the safety measure where the phone will discard the encryption key altogether after 10 failed attempts at guessing the passcode.

    3. Re:Apple - standing alone by ooloorie · · Score: 4, Informative

      > That's the FBI's position. Apple says it can't be done.

      That simply isn't true. Apple is facing a specific order to decrypt a specific iPhone in a specific legal case. If this can't be done, there is nothing for Apple to fight, because the court order only applies to this phone. The fact that Apple is fighting this order and is saying that they are refusing to develop an unlock tool implies that they believe it can be done but are simply refusing to do it.

    4. Re:Apple - standing alone by ooloorie · · Score: 4, Insightful

      > That's not the deal at all. Apple can't decrypt it. The FBI wants them to remove the safety measure where the phone will discard the encryption key altogether after 10 failed attempts at guessing the passcode.

      Yes, that is likely what this is about (see my other posting). And if they can push a software update with this safety feature to an existing phone without the user unlocking it first, then Apple's software is not secure. That's exactly my point.

      That is, Apple is right that such an update would make future iOS devices much less secure, but what this whole spat reveals is that the current system is already not secure precisely because governments can make demands like the US government is making. That is, the fact that we're even having this debate is due to a bad implementation of cryptography on Apple iOS.

    5. Re:Apple - standing alone by ooloorie · · Score: 3, Insightful

      > What the FBI wants is for Apple to develop a hacked version of iOS that can be loaded onto the phone and allow external inputs to try different user unlock PINs as well as get rid of both the 10-attempts limit as well as the time-between-tries limit.

      Yes, that is probably what the FBI wants. My point is that if Apple can push such a software update to an existing phone without the user unlocking the device first, then iOS cryptography is broken already. And that is likely the case, because if Apple couldn't push such an update to an existing phone without unlocking it first, then it would make no sense for the court to try to force them to develop such an update, since the court can only order Apple to develop such a tool for a specific case, not for future cases that aren't before the court yet.

    6. Re:Apple - standing alone by __aaclcg7560 · · Score: 4, Informative

      > Apple is facing a specific order to decrypt a specific iPhone in a specific legal case.

      Apple has previously cooperated with warrants to unlock iPhones for the authorities, but that was before they changed the encryption method to better protect user data from hackers and spies. If Apple develops an unlock tool for this specific case, what prevents it from being used for every legal case in the future?

      I like the idea that no one — not even the government — can browse through the encrypted data on my iPhone. The Founding Fathers used encryption to protect their own communications from the British government. In fact, under some bills being considered by various national governments today, they would have gone to prison for using encryption technology.

    7. Re:Apple - standing alone by cfalcon · · Score: 4, Informative

      > My point is that if Apple can push such a software update to an existing phone without the user unlocking the device first, then iOS cryptography is broken already.

      You should look a bit more into it.

      First, if we are talking CRYPTO, let's be real: a 4 digit passcode is trivial to brute force. I don't care WHAT you use- Twofish/AES/Serpent in Veracrypt, I will absolutely break your 4 digit passcode in moments. Because it's a fucking FOUR DIGIT PASSCODE.

      So, how does Apple try to secure this? The only way it can- with hardware. The crypto is 128 bit AES, so they aren't trying to attack that. Later versions of the iPhone have secure hardware implement this sort of logic. The version in question actually IS less secure- it has software that does the task of the wiping. Apple is refusing to build and cryptographically sign software that will do it.

      There's no cryptographic way to secure a 4 digit passcode, or a 6 digit passcode. It's physically impossible. Hence the use of hardware. If you have a serious crypto passphrase on your iPhone- and you absolutely can- then the only way in is through the crypto, either the AES or the PBKDF2. It's not as strong as AES 256 XTS (because it is AES 128 XTS), but it is still considered unbreakable.

      So don't talk shit about their crypto if their crypto isn't even up for debate. This is about a software workaround possible on an older model to brute force requests into the hardware that is expected to defend a 4 digit passcode against repeated attempts. The crypto isn't even in the conversation.

    8. Re:Apple - standing alone by Aighearach · · Score: 3, Insightful

      You accuse me of "misinformation," I'm throwing down the gauntlet on that! You're a liar to accuse me of that. If you disagree, disagree, don't make a false accusation.

      You accuse me of "misinformation," and then you verify my statement! As you said, "firmware is just a piece of software." Right. Is a piece of software tied to one computer, or can it also be run on other computers? Is that indeed part of the nature of software?

      You're saying that you believe that adding an ID check to the software source code somehow locks it so that it can only be used with one device. I'm a software developer, and I say you're full of shit and don't even realize that software can be easily altered later to work with a different ID. There is no way to "lock" it so that can't happen. Even if it is a compiled binary file, it is easy to find and replace the ID because they already know the ID of the phone it would be written for.

      Don't claim I'm "spreading misinformation" when you don't even understand the details. Yes, I am saying it is "technically impossible" for Apple to write firmware that is locked to one device, because of the very nature of what software is. The only way that a piece of software can be locked to one device is if that device has a custom CPU and there are no other devices that can run the code. But iPhones don't come with individually customized processors, all the phones of the same model have the same processor and can indeed run each other's firmware.

    9. Re:Apple - standing alone by thegarbz · · Score: 4, Informative

      > What this comes down to is that iOS cryptography is vulnerable because their key management appears to be vulnerable.

      Key management isn't vulnerable at all. Only the user's choices make it vulnerable. Just like if I run an SSH server with all the best encryption but the login is "root" and the password is "password", the underlying process isn't weak at all, only the user inputs are.

      If you're worried, set your unlock key on your phone to a passphrase and use 256 random characters. That choice is yours. If you still think it's insecure, then you can come back and complain about Apple's handling of it. But the reality is you'll come back and complain about how hard it is to access your own phone.

      By the way my unlock code is 000000. 6 digit passcodes were enforced by my company. I hate having to type a password in to access my phone. Does that make my phone cryptographically insecure? No, it just makes me a stupid user with no idea (or maybe no desire) to secure my data.

  2. it's sort of true by phantomfive · · Score: 4, Interesting

    On the one hand, Apple tried to make a deal and keep the whole thing secret. So that makes it seem like Apple was willing to go along (for at least this one case) as long as it was kept quiet.

    On the other hand, it doesn't really matter. If Apple is doing it as a publicity stunt, then it's doing it because the customers want it. Frankly that's better than a corporation trying to "do the right thing" that people don't want.

    --
    "First they came for the slanderers and i said nothing."

    1. Re:it's sort of true by phantomfive · · Score: 3, Informative

      Here is the quote:

      > The FBI then made its tailored request, which Apple asked to be placed under seal, according to the New York Times. Instead, the FBI went public, setting off the high-profile drama

      --
      "First they came for the slanderers and i said nothing."

  3. How did they try to keep that secret? by SuperKendall · · Score: 4, Informative

    Apple did nothing to keep this secret. It's already known they have assisted the FBI before.

    Instead what happened is no-one cared, not even Apple, until the FBI demanded essentially that Apple break hardware security. That is where Apple drew the line; that is what brought all of the attention to bear.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley

    1. Re:How did they try to keep that secret? by j-turkey · · Score: 3, Insightful

      > That turns it into a comedy - the FBI going public and then accusing Apple of doing it for publicity. Did they employ some clowns thrown out of the NSA after Snowden or something? It sounds like something the Star Trek Set guy would do.

      Sort of...the FBI didn't do it for publicity. They did it to set precedent, and this case was chosen very carefully by the DoJ in order to achieve this (by tugging at heart strings and a sense of panic in the wake of terrorism). There are plenty of other investigations that they could have made similar demands under. If Apple cooperated with the FBI and it was done under seal, then it could not be used as precedent to use the courts to force Apple to do the same in future cases.

      --

      -Turkey

  4. stating the obvious by xfizik · · Score: 3, Interesting

    Give me a break. Who would be naive enough to think Apple would refuse to cooperate with the U.S. government in such a case? Yes, they'll "refuse" in public, get some headlines for "standing up for privacy" and then quietly do what they were told one way or another.

  5. Can someone explain why the FBI needs Apple? by sheetsda · · Score: 3, Insightful

    The FBI has the hardware. At the software level it should be game-over. So what is stopping them from copying the phone's memory, putting it in an emulator or another phone, and brute forcing the 5-digit PIN? Every time it self destructs, they load up another copy and continue until the correct PIN is found. What am I missing here?

    1. Re:Can someone explain why the FBI needs Apple? by Anonymous Coward · · Score: 5, Informative

      The data is encrypted using a key fused into the hardware processor. The key is in hardware and not readable. The key is not the 10 digit pin. The 10 digit pin and the encrypted contents are sent to the hardware chip and a decryption attempt is made. The results of that are sent back. If the user fails to decrypt the data within 10 attempts the encryption key in HARDWARE is wiped out making the user brute force AES 256 on the data instead of the 9999 possible pin combinations.

      The hardware encryption chip would need to be copied as well as the data. Copying the data alone gives you nothing but random bits of AES 256 encrypted data. Putting that on a phone emulator or another phone will never work unless the unique key in hardware is known and that cannot be read.
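
Added example, not part of any comment in the thread: a toy Python model of the two points made by cfalcon and the Anonymous Coward above, namely that a short numeric passcode run through PBKDF2 alone can be enumerated off-device, while tangling it with a device-only secret that is wiped after 10 failures is what protects it. The HMAC tangling step, the iteration count, the passcode 4821 and every name here are assumptions for illustration, not Apple's implementation.

```python
import hashlib, hmac, itertools, os

ITERATIONS = 100    # assumption: tiny so the demo runs quickly
MAX_ATTEMPTS = 10   # failure limit described in the thread

def derive(passcode, salt, uid=b""):
    """Passcode -> key via PBKDF2, optionally tangled with a device-only secret."""
    key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS)
    # Toy stand-in for hardware tangling: without uid the key cannot be recomputed.
    return hmac.new(uid, key, hashlib.sha256).digest() if uid else key

def offline_search(target, salt, digits=4):
    """Enumerate every numeric passcode off-device; return (match, tries)."""
    tries = 0
    for combo in itertools.product("0123456789", repeat=digits):
        tries += 1
        guess = "".join(combo)
        if hmac.compare_digest(derive(guess, salt), target):
            return guess, tries
    return None, tries

class Device:
    """Toy device: the uid never leaves the object and is wiped after too many failures."""
    def __init__(self, passcode):
        self._uid = os.urandom(32)
        self.salt = os.urandom(16)
        self.wrapped = derive(passcode, self.salt, self._uid)
        self.failures = 0

    def try_unlock(self, guess):
        if self._uid is None:
            return False              # secret wiped: even the right passcode fails
        if hmac.compare_digest(derive(guess, self.salt, self._uid), self.wrapped):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self._uid = None          # wipe the device-only secret
        return False

def demo():
    salt = os.urandom(16)
    # Case 1: key depends on the passcode only, so the whole keyspace is searchable.
    found, tries = offline_search(derive("4821", salt), salt)
    # Case 2: data copied off a device whose key is tangled with an unreadable uid.
    dev = Device("4821")
    copied, _ = offline_search(dev.wrapped, dev.salt)
    # Case 3: ten wrong guesses on the device itself trigger the wipe.
    for i in range(MAX_ATTEMPTS):
        dev.try_unlock(f"{i:04d}")
    return found, tries, copied, dev.try_unlock("4821")

if __name__ == "__main__":
    print(demo())
```
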

  6. They're correct - because it's about survival by FireballX301 · · Score: 4, Insightful

    Apple knows that complying with this order will essentially destroy most, if not all of their overseas business. If they comply with this order, they will lose anyone who is even remotely suspicious of US govt motives; this includes literally billions of non-Americans around the world. The net result would simply be people moving to phones that are perceived as more secure, there's an easy market opportunity for a non US based company to put out 'secured' phones (for example, a phone that rejects all firmware updates in addition to the secure area tech) and gain all the business that Apple would lose.

    The question is, of course, if the government knows this, and I'm pretty sure the law enforcement/'intelligence' personnel here are so scoped into their mindset that they're totally unaware of this, and would reflexively brush it off as hyperbole (hint: it isn't).

    1. Re:They're correct - because it's about survival by FireballX301 · · Score: 3, Insightful

      The average person might not give a fuck, but iPhone buyers outside US/EU are not average - they tend to be well off, or enterprise customers (who I can assure you will care very much so about this). More importantly, it'd be very easy for governments to spin this against the US and Apple - how easy would it be for the PRC to talk about how the US is spying on China, and mandate that all Chinese citizens/enterprise buy Xiaomi?

      You minimize the impact at your own peril.

    2. Re:They're correct - because it's about survival by DutchUncle · · Score: 3, Interesting

      I suggest that the law enforcement personnel ARE aware of the issue. Even as NYC police had a press conference pointing out how many cases were blocked because of inaccessible information on smartphones, and the commissioner was blasting Apple's current policy, a subsequent speaker (a prosecutor?) was careful to point out that Apple had formerly cooperated in such cases, and that a narrow set of conditions including a properly-executed court order to work on a single phone at a time for a single case is VERY DIFFERENT from a generic backdoor. I'm betting that something along these lines will become the court-ordered compromise: isolated workspace, isolated cases, some kind of open oversight (like normal search warrants and court orders, not the NSA secret rubberstamp court). Practical side: DoJ doesn't want to be blamed for killing the biggest tech company or crashing the stock market.

  7. They are probably right by taustin · · Score: 3, Informative

    Seems likely, anyway. On the other hand, the FBI's posture is just a constitutional overreach and attempt to institutionalize the ignoring of due process, so they're about even.

  8. Re:Why is Apple acting like obstructionist... by __aaclcg7560 · · Score: 4, Insightful

    The keys on the new phones are only five digits. They should be able to find the key in a matter of seconds.

    Except you have only ten attempts to enter the correct five digits before the data is automatically wiped. A security feature that prevents a brute force attack to unlock the iPhone.

  9. Re:something fishy about iOS encryption by AchilleTalon · · Score: 3, Interesting

    We are talking about an iPhone 5c. You should read this for more about the actual reason FBI is asking Apple to perform the decryption of the iPhone.

    --
    Achille Talon
    Hop!

  10. Action vs No Action by duckintheface · · Score: 4, Insightful

    It is not a crime to do nothing. If Apple already has a key, they can be compelled under discovery to turn it over. But they can't be compelled to create one if it does not exist. You can't require someone to act against their will. That is called slavery.

    --
    "He took a duck in the face at 250 knots." -- William Gibson, Pattern Recognition

  11. Re:The phone belongs to the county, not the shoote by Fallen+Kell · · Score: 3, Insightful

    For which San Bernardino is then looking stupid for not placing the phone under some kind of enterprise mobile device control allowing the true owners the ability to unlock the phone and read the contents.... This is why none of the news and 3 letter agencies are stating the real fact of ownership, because then they look inept for not doing basic device control.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"