Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple's iPhone Already Has a Backdoor

Posted by timothy on from the hidden-driveway-too dept.

Nicola Hahn writes: As the Department of Justice exerts legal pressure on Apple in an effort to recover data from the iPhone used by Syed Rizwan Farook, Apple's CEO has publicly stated that "the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." But, as one Windows rootkit developer has observed, the existing functionality that the FBI seeks to leverage is itself a backdoor. Specifically, the ability to remotely update code on a device automatically, without user intervention, represents a fairly serious threat vector. Update features marketed as a safety mechanism can just as easily be wielded to subvert technology if the update source isn't trustworthy. Something to consider in light of the government's ability to steal digital certificates and manipulate network traffic, not to mention the private sector's lengthy history of secret cooperation. Related: wiredmikey writes: Apple said Monday it would accept having a panel of experts consider access to encrypted devices if US authorities drop efforts to force it to help break into the iPhone of a California attacker. Apple reaffirmed its opposition to the US government's effort to compel it to provide technical assistance to the FBI investigation of the San Bernardino attacks, but also suggested a compromise in the highly charged legal battle.

In his first public remarks since Apple CEO Tim Cook said he would fight the federal magistrate's order, FBI Director James Comey claimed the Justice Department's request is is about "the victims and justice."

19 of 401 comments (clear)

  1. So the vulnerability is the updating mechanism? by mlw4428 · · Score: 3, Insightful

    I hate Apple as much as the next anti-Apple-fan boy, but come on. Literally EVERY OS has this concern. I wouldn't call it a backdoor anymore than I would suggest that having a window not made out of bulletproof glass is an open invitation for robbers into your house. In other words, this is sort of like "duhhhhhhh" material and hardly newsworthy. Now having an open and honest discussion about the security of update services for OS and the security methodologies employed, would be a fantastic article.

  2. There's a lesson here by Jawnn · · Score: 5, Insightful
    ...and that is that you should not trust the security of your stuff to a third party. Not Apple, not "the cloud", and definitely not the government. Don't get me wrong. I am not some foil hat wearing paranoid when it comes to "the government", but I damn sure don't consider them trustworthy enough to manage my crypto keys. I'd trust a handful of cloud operators before I'd trust the government, and none of them get my keys either.

    Listen up, law enforcement, DoJ, et al. I am more afraid of your incompetence than I am any dark "world domination" motive on your part, but I am nowhere near as afraid of :"teh terrorists" as I am of you, regardless of your motive. So hands off my crypto. M'kay?

    1. Re:There's a lesson here by FlyHelicopters · · Score: 4, Insightful

      And that's all fine. Remind me again why Apple has to provide said help?

      A Judge can order a safe broken into, the FBI can hire a safecracker to break into it. If that safecracker doesn't want to do the job, they'll get someone else.

      What DOESN'T happen is the Judge directly ordering a SPECIFIC safecracker to do the job against their will, and in the process, damage their reputation for ALL safes.

      No one is disputing the FBI's right to inspect this phone. More power to them, crack away... Why exactly does Apple have to help again? Have we become slaves?

  3. The title of this article is wrong! by NicholFD · · Score: 5, Insightful

    Nicola Hahn is incorrect. No one has stated that Apple has the ability to, "remotely update code on a device automatically, without user intervention". The method the device would be updated requires DFU (Device Firmware Upgrade) mode, physical possession of the device and a USB connection to a PC/Mac: https://www.theiphonewiki.com/... Way to grab a headline, though...

  4. Cluster Fuck by sycodon · · Score: 3, Insightful

    This is all a giant Cluster Fuck.

    It's still unclear; does the FBI want to give the phone to Apple so they can break in, or do they want apple to give them the tools to do it themselves?

    If it's the former, then Apple should get it done, then destroy the tools and cal it a day. if it's the latter, then Apple should make it clear and call them out on it.

    What is clear is that getting the data from the phone is not secondary to the Us vs Them bullshit going on now.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Cluster Fuck by suutar · · Score: 5, Insightful

      from what I've read the FBI prefers the latter but would accept the former. However, Cook has said that law enforcement around the country has already said they have hundreds of iPhones they want appel to unlock if the FBI wins; if that's so, I don't think destroying the tool is going to be a viable option.

    2. Re:Cluster Fuck by ausekilis · · Score: 3, Insightful

      I don't think that's quite right either: zdnet has a reasonable rundown. The court order is for "Apple to provide", which I interpret as giving the gov the tool. I read elsewhere (can't find the source, maybe on /. earlier today...) that Apple requested the FBI make a sealed request and they would have complied. That hints that Apple didn't want their (potential) tool to be public knowledge.

      It's also not quite as simple as "Apple does it, destroy the tool, call it a day." It's like any weapon, once developed it's hard to put the genie back in the bottle. We can't go back from missiles, guns, bombs, etc... The technology is there, and it can't be undone. Similarly, if Apple where to develop the tool and use it in-house, then there are brains in Cupertino that know how to defeat the protection. Think of insider threat, extortion, the increased attempts to break into Apples network, etc... Not to mention the requests from law enforcement to break into other phones.

      I've never been a fan of Apple's walled garden and prefer to have control over my devices... though with their standing firm on consumer privacy that iPhone is starting to look pretty good.

    3. Re:Cluster Fuck by AK+Marc · · Score: 4, Insightful

      There are piles of backdoors into iPhones. Apple keeps them locked up and secure. The government wants the tools, not the phone. They are using "terrorism" as the reason to demand the tools.

      --
      Learn to love Alaska
    4. Re:Cluster Fuck by Jason+Levine · · Score: 5, Insightful

      The demands would never stop from US law enforcement agencies. And then they would roll in from governments around the world. And then some hacker group would get their hands on the "unlock" tool and repurpose it to break into any iPhone at any time.

      If Apple breaks the encryption, there is no way that it will be just for this one phone and that's it.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    5. Re:Cluster Fuck by Lord_Jeremy · · Score: 5, Insightful

      They already did that. The secure enclave in the iPhone 6 and 6s serves all those functions. It's essentially a black box, and itself is responsible for the unlock attempt counter and the storage hardware encryption keys.

  5. Dumb Pre-Paid Phones? by BoRegardless · · Score: 1, Insightful

    Is this why drug dealers buy lots of pre-paid phones?

  6. What more? by NetNed · · Score: 4, Insightful

    The cell provider gave them their info and Apple gave the FBI the last iCloud back-up for the device, so what more could they actually find on the phone that would be of such a great use? I mean, I have a hard time believing that a couple of people that think throwing a hard drive in to a lake destroys the data on it would have the info on their phone not back-up to iCloud or have used something that is only obtainable from the unlocked phone itself. Add to that the story of the phones pass code changing while in FBI possession, which would be easy to track, and that the reports were that they threw their phones in the lake too. So you can find a 18 year old downloading illegal movies, but you can't track who changed the phone's lock code?? Ahhh yeahhhh, all of it together seems like some overwhelming bullshit.

  7. iPhone has a backdoor for Apple's own use. by fraxinus-tree · · Score: 3, Insightful

    iPhone has a backdoor for apple's own use. For a lot of people, it's OK as long as only Apple uses it. Even if they know about it, they understand it as a fair trade. Well, for me it is not OK but I am a minority so I work around the problem by not using i-devices.

    FBI wants to use this very backdoor, too. For a lot of people, this is already NOT OK. The government is pretty much different from a company you have business with.

    And it is not about the ability to crack. NSA probably has the resources to do that. FBI wants it "by the law".

  8. The FBI's argument. by msauve · · Score: 3, Insightful

    It's obvious that the FBI doesn't have a good intellectual or legal argument, and they're now resorting to an emotional one.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  9. Smoke and Mirrors? by JustNiz · · Score: 2, Insightful

    I'm seriously wondering if this whole thing could really just be a giant PR/marketing exercise by Apple, when in fact they are already complying with the NSA?

    http://www.theguardian.com/wor...

  10. Re:Tim Cook's letter by Tablizer · · Score: 5, Insightful

    I especially like this quote:

    "...we strongly believe the only way to guarantee that such a powerful tool isn't abused and doesn't fall into the wrong hands is to never create it."

    --
    Table-ized A.I.
  11. Re:Tim Cook's letter by FlyHelicopters · · Score: 5, Insightful

    It seems like the plan is proceeding nicely. We getting into the "public debate" phase. Soon it will move on to the trade-off phase decided on by a panel of private and governmental experts.

    Yea, but part of the challenge is that not everything in the world can be "compromised" or "traded-off".

    Encryption either works or it doesn't. Your info is either secure or it isn't. If the government can access it, then it isn't secure.

    There just isn't any give-and-take here, either you can make your info private, or you cannot.

  12. Re:Signed updates are fine... by adamstew · · Score: 3, Insightful

    You can fix that super easily:

    secure enclave will accept software updates in two cases: 1) provide unlock code and keep the encryption key intact. 2) do not provide unlock code and then wipe the encryption key.

    This is a secure method of doing it. You can either provide the unlock code and update the firmware of the secure enclave without wiping the device, or you can wipe your device and update the firmware of the secure enclave without the unlock code.

  13. Re:Tim Cook's letter by kheldan · · Score: 3, Insightful

    Encryption, by it's very nature, is a binary issue; it either 'works' or it 'doesn't work', there is nothing in between. If you design in a work-around for not having the keys, then the encryption 'doesn't work' because it can be defeated. If you make the front door and it's framework out of quarter-inch thick hardened steel armor plate and secure it with an Abloy lock, but then have a spare key under the Welcome mat, you've failed to properly secure your house. If you have a secret and you share it with someone else, it's not a secret anymore. There is no such thing as 'a little pregnant', you either 'are' or you 'are not'. So it goes with encryption: Either 'encryption==TRUE' or 'encryption==FALSE', there is no state between the two. Even if they banned ALL encryption, it won't accomplish what they want to accomplish; criminals and terrorists will still use encryption of some sort or other, it's commonly available now -- and they won't have any 'backdoor' into that, either! The entire subject is moot. What law enforcement and the government wants is pointless and stupid and they need to just GIVE UP and forget about it. If they can't suss out what criminals and terrorists are doing using conventional investigative methods then they're incompetent and need to be replaced with people who can.

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!