Slashdot Mirror


Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com)

An anonymous reader writes with this story at the New York Times: Apple engineers have already begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts. If Apple succeeds in upgrading its security — and experts say it almost surely will — the company would create a significant technical challenge for law enforcement agencies, even if the Obama administration wins its fight over access to data stored on an iPhone used by one of the killers in last year's San Bernardino, Calif., rampage. The F.B.I. would then have to find another way to defeat Apple security, setting up a new cycle of court fights and, yet again, more technical fixes by Apple.

10 of 405 comments

  1. Precedent by Dorianny · · Score: 4, Interesting

    It would be trivial for Apple to disable all IPSW image installations without an unlock code, making what the FBI requested technically impossible; however, if the FBI were to prevail in court, the Judiciary is likely to take a dim view of Apple's actions.

  2. Android? by irrational_design · · Score: 4, Interesting

    What I haven't heard yet is where Android lands on the security spectrum. Are they already as or more secure than what the rumors are now saying Apple is trying to achieve? Are they as or more secure than where Apple is right now? Are they as or more secure than where Windows is right now?

  3. This might not be a fight Apple wants by the_Bionic_lemming · · Score: 3, Interesting

    The U.S. Government can conceivably ban the sale or possession of that type of phone.

    They do it all the time with other products, or require licensing and training and oversight after purchase.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  4. If all it takes is an OS update to get access by hsmith · · Score: 2, Interesting

    to the data on the phone (disabling wipe after 10 attempts) - is the phone really all that secure?

  5. Everyone else gets access as well by Elfich47 · · Score: 3, Interesting

    This issue arises if another country that is not bound by the search and seizure laws (China) forces a deep investigative search of all phones entering the country, and possibly leaves long-term trap doors in the phone. If this person later becomes a person of interest (for any reason) the country immediately downloads your entire phone remotely and turns it upside down looking for sedition/treason.

    Any knowledgeable international travelers already know to leave their laptops at home or bring a burner laptop on the assumption that Chinese customs and immigration *will* load your computer up with five different flavors of spyware during the immigration process. I expect they would love to do the same with every phone that enters the country.

    --
    Architectural plans are like computer source code with a couple of differences: You only compile once.
  6. Re:Torn by KGIII · · Score: 4, Interesting

    > In fact, you could even assume those that didn't volunteer their keys are suspect to begin with!

    I once had a couple of cops kick me out of Kansas for that line of thinking. It's a long story but I'll try to make it brief.

    They tried to convince me that my refusing to allow them to search my vehicle is grounds to allow them to search the vehicle, that it constituted probable cause. Yes, I laughed aloud and explained that I was not a teen. I did applaud their effort, quite literally. They then told me to get out of Kansas and that if they ever saw me again, they were going to arrest me.

    Oddly, with all the travel I have done (and the condition and manners in which I've done it) that's the worst thing I ever faced. There's more to the story but that's the gist of it. I don't believe the rest is significant but I'll share it if you want to understand the circumstances. I'm not sure if I should be frightened or amused by the treatment. I have to wonder if they use that line often and if anyone falls for it?

    I'm also pretty sure they can't just kick me out of Kansas but I didn't figure I'd stick around where I wasn't wanted and I was headed out anyhow - and right on the border. They were even kind enough to give me an escort to the on-ramp at the nearest highway. I didn't have the heart to tell 'em that I'd just gotten done helping clean up after 90% of Greensburg had been destroyed by a tornado and that I'd only cleaned up because I happened to be right there in the area and they needed help. I just figured that I'd avoid Kansas. I've never been back.

    --
    "So long and thanks for all the fish."
  7. Re:I have to wonder by Anonymous Coward · · Score: 1, Interesting

    You people are deluded. This has nothing to do with values. Apple would bend over and provide the government with the vaseline if they thought doing this would be more profitable in the medium/long term. Decisions like this aren't made based on the personal and private struggles of 1 CEO.

    Clearly, their analysis has shown them that bending over threatens their profit and market share in the near future, hence their firm and very PR-supported resistance campaign against this. Also, they get to tout their products as more secure than the alternatives to all of the progressive hippies who are prone to buying their stuff.

    This also explains Microsoft's opposite stance, Microsoft being the main supplier of cloud services for the federal government right now.

  8. Re:Torn by Dcnjoe60 · · Score: 3, Interesting

    If the lack of security--due to government mandated back doors--allows for state sponsored persecution of innocents, enemy state or NGO attacks, etc. where would you stand then? You do grasp the concept that a security vulnerability may be exploited by any actor, at any time, not solely the "right and just" United States government after receiving a lawfully obtained court warrant?

    Considering how much people divulge about themselves online these days, the government or other actors don't need a back door to persecute the innocents. Maybe, if we want protection from prying eyes, we should be more conscious about what we put out for the world to see.

  9. Re:Why does Apple get props for doing the obvious? by AmiMoJo · · Score: 4, Interesting

    Google's Nexus devices are secure and don't have the same firmware update flaw that iPhones do. In fact all Snapdragon 810 based phones are immune because the 810 does not allow firmware updates to the secure memory; it's a ROM burned into the silicon.

    Android has in fact offered full device encryption with the key held in secure storage for years now. Since the Nexus 6 it was enabled by default, and Google has been pushing for other vendors to enable it by default too.

    Samsung has been offering its "Knox" security for phones for many years now too. No idea if that is hackable, but it's not true to say that no-one else has offered full device encryption that was claimed to be unbreakable.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Re:Why does Apple get props for doing the obvious? by shawn2772 · · Score: 4, Interesting

    > Google's Nexus devices are secure and don't have the same firmware update flaw that iPhones do. In fact all Snapdragon 810 based phones are immune because the 810 does not allow firmware updates to the secure memory, it's a ROM burned into the silicon.

    As an Android security engineer I appreciate you standing up for Google, but this isn't true.

    The relevant software for device encryption includes:

    1. The system image. This contains the vold daemon which mounts the encrypted disk and configures the kernel with the key.
    2. The boot image. This contains the Linux kernel, which includes dm-crypt, the code that does device encryption.
    3. The trusted OS image (TOS). This contains the code that knows how to use device-specific hardware-bound secrets. Vold calls into it when decrypting the disk encryption key to pass to the kernel.
    4. The bootloader image. This is used to load all of the above. The details vary, but generally the TOS is verified and loaded first, then the bootloader switches out of secure mode (I'm describing the process for ARM-based devices; it's a bit different for others), then verifies and loads the boot image and boots the kernel. The kernel mounts the system image and configures dm-verity which does run-time verification of system image blocks.

    All of the above are flashable images, and replacing them would enable bypassing the security controls they implement. The bootloader image is the most critical one, since it verifies and loads both the TOS and the boot image. If you can change the keys it uses to verify those, you can change everything else. The bootloader (including the keys it contains) is signed by a key whose public part is burned into ROM. That key can't be changed, and the private key is held by the device OEM. I believe the keys used to sign the system and boot images for Nexus devices are held by Google (not sure), and the key used to sign the TOS is held by the TOS maker (Qualcomm, on the recent Nexus devices).

    You could compromise Android device encryption with the assistance of any of these parties. Getting the OEM to sign a new bootloader allows you to provide your own versions of any of the higher-level pieces, though these things are pretty intricate and writing replacements from scratch that would work is a big, big job. If I were working for the FBI, I probably wouldn't take that approach. Getting Google to sign a modified system image would, from a technical perspective, be much better. You'd still have to brute force the password, and you'd still have to have the TOS perform a 50ms operation for each password you try, but that would be no problem for a four-digit PIN. If the user used, say, an eight-character password, though, it wouldn't be enough. Also, Google's response to a request for a modified system image would probably be about the same as Apple's.

    The best point of attack would be Qualcomm (for recent Nexus devices; other platforms and older Nexus devices use different TOSes). Get them to sign a TOS image that takes the device secrets and simply exports them in response to some request. With those secrets in hand, and a copy of the device flash, you can then brute force the device encryption key off-device, on big hardware. No realistic user password would stand up to that. The process is complicated so I won't bother explaining it here, but it would be very doable.

    To be clear, the Android security team considers these multiple points of entry a bug, not a feature. I, personally, want to get to a state where if you don't have the user's password, you aren't getting in, barring direct attacks that involve peeling apart chips to extract secrets. Doing that requires a separate secure processor (something most Android devices don't have) running non-updateable software. Working to make this possible is one of my current projects.

    It's a much tougher problem in the Android world than for Apple, though, because of all of the players in the ecosystem. Not because they're unw
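The boot chain described in the comment above (ROM key verifies the bootloader, the bootloader carries the keys that verify the TOS and boot images, and the kernel checks the system image with dm-verity) can be modelled as a small verifier. The code below is an added example, not the commenter's code and not Android's implementation: the keys are constructed, HMAC stands in for the real asymmetric signatures so it runs on the standard library alone, and the "images" are a few bytes each. What it shows is the property the comment is making: each stage is only as trustworthy as the party whose key verifies it, and any modification not blessed by that party is rejected at the stage where its key applies.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key material. On a real device the verification key for the
# bootloader is burned into ROM and the private halves are held by the parties
# the comment names; HMAC keys are used here purely so the model is runnable.
KEYS = {
    "oem": b"demo-oem-key",         # signs the bootloader; checked by ROM
    "google": b"demo-google-key",   # signs the boot image (and system, per comment)
    "tos_maker": b"demo-tos-key",   # signs the trusted OS image
}

BLOCK = 16  # dm-verity block size in this toy model (real: 4096 bytes)


@dataclass
class Image:
    name: str
    payload: bytes
    signature: bytes = b""


def sign(image: Image, key: bytes) -> Image:
    """Stand-in for an asymmetric signature over (name || payload)."""
    image.signature = hmac.new(key, image.name.encode() + image.payload, "sha256").digest()
    return image


def verified(image: Image, key: bytes) -> bool:
    expected = hmac.new(key, image.name.encode() + image.payload, "sha256").digest()
    return hmac.compare_digest(expected, image.signature)


def verity_root(system: bytes) -> str:
    """Root hash over per-block hashes, the way dm-verity ties a system image to the boot image."""
    hashes = [hashlib.sha256(system[i:i + BLOCK]).digest() for i in range(0, len(system), BLOCK)]
    return hashlib.sha256(b"".join(hashes)).hexdigest()


def build_images(system: bytes) -> dict:
    """Assemble a consistent set of images: bootloader carries the keys it trusts for TOS and boot."""
    bootloader_payload = json.dumps({
        "tos_key": KEYS["tos_maker"].hex(),
        "boot_key": KEYS["google"].hex(),
    }).encode()
    boot_payload = json.dumps({
        "kernel": "dm-crypt+dm-verity",
        "verity_root": verity_root(system),   # kernel will enforce this root
    }).encode()
    return {
        "bootloader": sign(Image("bootloader", bootloader_payload), KEYS["oem"]),
        "tos": sign(Image("tos", b"hardware-bound key service"), KEYS["tos_maker"]),
        "boot": sign(Image("boot", boot_payload), KEYS["google"]),
        "system": Image("system", system),    # not signed; covered by dm-verity
    }


def verify_chain(images: dict, rom_key: bytes) -> tuple:
    """Walk the chain in boot order. Returns (ok, stage): the first failing stage, or 'system' on success."""
    bootloader = images["bootloader"]
    if not verified(bootloader, rom_key):
        return False, "bootloader"
    trusted = json.loads(bootloader.payload)  # keys the bootloader will trust
    if not verified(images["tos"], bytes.fromhex(trusted["tos_key"])):
        return False, "tos"
    if not verified(images["boot"], bytes.fromhex(trusted["boot_key"])):
        return False, "boot"
    expected_root = json.loads(images["boot"].payload)["verity_root"]
    if verity_root(images["system"].payload) != expected_root:
        return False, "system"
    return True, "system"


def demo() -> dict:
    """Run the verifier over a clean chain and three constructed modifications."""
    system = bytes(range(256)) * 2   # constructed 512-byte "system image"
    results = {"clean": verify_chain(build_images(system), KEYS["oem"])}

    # One flipped byte in the system image changes a block hash and so the root.
    tampered = bytearray(system)
    tampered[100] ^= 0x01
    imgs = build_images(system)
    imgs["system"] = Image("system", bytes(tampered))
    results["system_tampered"] = verify_chain(imgs, KEYS["oem"])

    # A replacement TOS signed by anyone but the TOS maker fails at the TOS stage.
    imgs = build_images(system)
    imgs["tos"] = sign(Image("tos", b"replacement tos"), b"not-the-tos-maker")
    results["tos_resigned"] = verify_chain(imgs, KEYS["oem"])

    # Any change to the bootloader payload (e.g. its embedded keys) fails the ROM check.
    imgs = build_images(system)
    old = imgs["bootloader"]
    imgs["bootloader"] = Image("bootloader", old.payload + b" ", old.signature)
    results["bootloader_tampered"] = verify_chain(imgs, KEYS["oem"])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} -> {outcome}")
```

The stage reported on failure is the practical output for a defender: it names which party's signing key stands between the device and that modification, which is exactly the list of "points of entry" the comment enumerates. Removing a party from that list (the non-updateable secure processor the commenter mentions) means removing a stage whose contents can be re-signed at all.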