Slashdot Mirror


Apple's iPhone Already Has a Backdoor

Nicola Hahn writes: As the Department of Justice exerts legal pressure on Apple in an effort to recover data from the iPhone used by Syed Rizwan Farook, Apple's CEO has publicly stated that "the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone." But, as one Windows rootkit developer has observed, the existing functionality that the FBI seeks to leverage is itself a backdoor. Specifically, the ability to remotely update code on a device automatically, without user intervention, represents a fairly serious threat vector. Update features marketed as a safety mechanism can just as easily be wielded to subvert technology if the update source isn't trustworthy. Something to consider in light of the government's ability to steal digital certificates and manipulate network traffic, not to mention the private sector's lengthy history of secret cooperation.

Related: wiredmikey writes: Apple said Monday it would accept having a panel of experts consider access to encrypted devices if US authorities drop efforts to force it to help break into the iPhone of a California attacker. Apple reaffirmed its opposition to the US government's effort to compel it to provide technical assistance to the FBI investigation of the San Bernardino attacks, but also suggested a compromise in the highly charged legal battle.

In his first public remarks since Apple CEO Tim Cook said he would fight the federal magistrate's order, FBI Director James Comey claimed the Justice Department's request is about "the victims and justice."

10 of 401 comments

  1. And soon it won't be by JonahsDad · · Score: 5, Interesting

    When I read exactly what the FBI was asking Apple to do, I realized that there was a back door, and that Apple will most likely be doing what they can to close this back door in a future iPhone release.

    If I were Apple, I'd make sure a future release gave the user the option of only allowing firmware updates after the user logged in. This doesn't have to be required for every iPhone (corporations might want this disabled on iPhones they purchase for their employees), but it should at least be an option.

    1. Re:And soon it won't be by dunkindave · · Score: 3, Interesting

      A normal update does require you to unlock the phone to accept the update. They're talking about leveraging recovery mode which can be used to force load an image onto a phone that might be otherwise unusable. See here - https://support.apple.com/en-u...

      Yes. That's the exact Apple support page that worries me. It says "iTunes will try to reinstall iOS without erasing your data." Updating iOS in this way needs to either require my passcode or erase my data. I expect that it will in a future version of hardware (because only doing it in software isn't enough).

      I have gone through this process, so can speak from experience. My wife changed her passcode, then promptly forgot the new one. The only option according to Apple is to reinstall. But if the phone is previously synced to a computer, it has exchanged cookies that allow the computer to still access the phone's contents (this is one of the reasons why the FBI wanted to find that hard disk). When I did the reinstall, it first read the contents out like a normal backup, then installed a fresh OS, then restored the data from the backup. I think this is what they mean by "try to reinstall iOS without erasing your data." It does get erased, but is restored, so effectively not erased.

      About six months later she did the same thing, except this time, she tried rebooting the phone. When I hooked it to the computer, the system was unable to access the phone, so the restore could only put back the data saved during the latest backup (about a month before). She was bummed since she lives off her phone's calendar and doesn't trust it backing up to iCloud.

  2. Re:So the vulnerability is the updating mechanism? by Anonymous Coward · · Score: 4, Interesting

    I think the article is not correct. iOS doesn't let you run an update that reboots the phone unless you input the password first (ostensibly to prevent you from being locked out on reboot).

    I think Apple can force load a new OS without this limitation, but it needs physical access to do so.

  3. Android by Tokolosh · · Score: 5, Interesting

    Lots of good discussion about iOS and Apple.

    I would like to have the same analysis about the state of Android. Can it be made secure against such backdoors? Do third-party flavors and rooting have a role? Is it possible to have a device where all software and firmware code can be examined?

    --
    Prove anything by multiplying Huge Number times Tiny Number

  4. iPhone 7 will use SE to authorize any OS updates by Anonymous Coward · · Score: 5, Interesting

    Apple has updated the secure enclave with an iOS update in the past and added additional protection, so it presumably can do an update that would REMOVE protections on the SE. So the same scenario of this phone can theoretically be applied to any existing iPhone and not just a 5c.

    So right now, Apple is making the iPhone 7 immune to this attack vector. With the iPhone 7, even Apple will not be able to do a firmware modification to the SE in DFU mode. The correct user password will *have* to be entered in the iPhone 7 and it will be enforced solely in the SE hardware. There will be nothing that can get around that. You can't solder on a different SE chip, you can't swap components, change the IMEI, or anything else.

    That will be the selling point of the iPhone 7. iOS 9 was software-based protection since a software update could (apparently) change the SE. Apple will disclaim they never expected their own government trying to force them to create a hacker-version of iOS, so security of the iPhone has to be hardware based. iPhone7 will have true 100% bulletproof hardware-based protection that will truly be bulletproof. And that is what they will sell.

    Then, unfortunately, the FBI will simply demand iOS source code and signing keys.

  5. Re:Tim Cook's letter by Anonymous Coward · · Score: 5, Interesting

    From the arstechnica article:

    The document closed with a call for Congress to "form a commission or other panel of experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms. Apple would gladly participate in such an effort."

    From the leaked White House memo linked in the Counterpunch article:

    Proposed Policy Principles
    Deputies agreed that attempts to build cooperation with
    industry, with advice proposing specific technical solutions, will
    offer the most successful option for making progress on this
    issue. In particular, given industry and civil society's
    combative reaction to government statements to date, any
    proposed solution almost certainly would quickly become a focal
    point for attacks and the basis of further entrenchment by
    opposed parties. Rather than sparking more discussion,
    government-proposed technical approaches would almost certainly
    be perceived as proposals to introduce “backdoors” or
    vulnerabilities in technology products and services and increase
    tensions rather build cooperation.
    However, if the United States Government were to provide a set
    of principles it intends to adhere to in developing its
    encryption policy, such a document could spark public debate.

    Proposing such principles would not be without risk, as some
    constituencies may not distinguish between principles and
    specific technical approaches. As a result, these principles
    could come under attack, but could also serve to focus public or
    private conversation on practicalities and policy trade-offs
    rather than whether the government is seeking to weaken
    encryption or introduce vulnerabilities into technology products
    and services.

    It seems like the plan is proceeding nicely. We're getting into the "public debate" phase. Soon it will move on to the trade-off phase decided on by a panel of private and governmental experts.

  6. Re:Cluster Fuck by sjames · · Score: 5, Interesting

    This. If it's done once, the demands will never stop. At least not until the NSA steals a copy of the hacked firmware and distributes it to the LEOs everywhere under an NDA.

  7. Re:Cluster Fuck by danceswithtrees · · Score: 5, Interesting

    If Apple is as serious as they say they are about security and privacy, they need to change the OS/firmware/hardware to make updating a phone impossible without either unlocking the phone or wiping it clean. This way, when this happens again, and it almost certainly will, they can honestly say, we can't rather than we would rather not.

  8. Re:So the vulnerability is the updating mechanism? by zerosomething · · Score: 3, Interesting

    I think the article is not correct. iOS doesn't let you run an update that reboots the phone unless you input the password first (ostensibly to prevent you from being locked out on reboot).

    I think Apple can force load a new OS without this limitation, but it needs physical access to do so.

    Exactly correct, the article is wrong on the fundamental premise that Apple can force an over the air update. They, or anyone, can force a firmware update when connected to a wire. The Government wants Apple to create firmware that would turn off the security option in iOS that wipes the phone after 10 failed passcode attempts.

    --
    It all starts at 0

  9. Re:What more? by tlhIngan · · Score: 3, Interesting

    The cell provider gave them their info and Apple gave the FBI the last iCloud back-up for the device, so what more could they actually find on the phone that would be of such a great use? I mean, I have a hard time believing that a couple of people that think throwing a hard drive into a lake destroys the data on it would have the info on their phone not back-up to iCloud or have used something that is only obtainable from the unlocked phone itself. Add to that the story of the phone's pass code changing while in FBI possession, which would be easy to track, and that the reports were that they threw their phones in the lake too. So you can find an 18 year old downloading illegal movies, but you can't track who changed the phone's lock code?? Ahhh yeahhhh, all of it together seems like some overwhelming bullshit.

    Easy. The FBI has two reasons for compelling Apple to do this.

    1) The phone itself. Think of all the credentials stored on the device that you now can access. Saved messages in WhatsApp and other IM style apps, live access to various services (perhaps they used GMail? The Gmail app or web page will show you the account and its data as well), etc. etc. etc.

    Effectively, they get access to all sorts of data without requiring a warrant - perhaps they know he had a GMail account, and then they'd need to get a warrant to get information from that account from Google. But if they can access the Gmail app from the iPhone, warrant avoided!

    2) The second part is to get Apple to develop this software, because once it exists, it can be used over and over again.

    The case cited for the All Writs Act involves the use of pen registers. The telephone company lost purely because they were already using pen registers in their day to day operations to verify billing and check for fraud. So they can be compelled to connect a pen register up to a desired phone line because they were doing it already.

    Apple doesn't have the software, but once they do, it can be compelled into action. That's the result the FBI really wants.