Slashdot Mirror


Apple Is Said To Be Working On an iPhone Even It Can't Hack (nytimes.com)

An anonymous reader writes with this story at the New York Times: Apple engineers have already begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts. If Apple succeeds in upgrading its security — and experts say it almost surely will — the company would create a significant technical challenge for law enforcement agencies, even if the Obama administration wins its fight over access to data stored on an iPhone used by one of the killers in last year's San Bernardino, Calif., rampage. The F.B.I. would then have to find another way to defeat Apple security, setting up a new cycle of court fights and, yet again, more technical fixes by Apple.

33 of 405 comments

  1. Re: Torn by Anonymous Coward · · Score: 5, Insightful

    I find it hilarious that security efforts are not being driven by the government but to protect people from the government.

  2. Re:Torn by Nethemas+the+Great · · Score: 5, Insightful

    If the lack of security--due to government mandated back doors--allows for state sponsored persecution of innocents, enemy state or NGO attacks, etc. where would you stand then? You do grasp the concept that a security vulnerability may be exploited by any actor, at any time, not solely the "right and just" United States government after receiving a lawfully obtained court warrant?

    --
    Two of my imaginary friends reproduced once ... with negative results.
  3. Re:Torn by alvinrod · · Score: 5, Insightful

    In a perfect world maybe, but you're not considering the real world where few lives will be saved, but the vulnerability will be abused constantly.

  4. Precedent by Dorianny · · Score: 4, Interesting

    It would be trivial for Apple to disable all IPSW image installations without an unlock code, making what the FBI requested technically impossible; however, if the FBI were to prevail in court, the Judiciary is likely to take a dim view of Apple's actions.

  5. Re:Torn by Nethemas+the+Great · · Score: 4, Informative

    In case I wasn't clear with my above post. This is the physical version of what I'm talking about.

    --
    Two of my imaginary friends reproduced once ... with negative results.
  6. Why does Apple get props for doing the obvious? by Xylantiel · · Score: 5, Insightful

    Why does Apple get headlines for doing what they should have done in the first place? Anything else is a broken, insecure device. If the vendor has a backdoor, it's not secure, whether they allow the government to access it or not.

    1. Re:Why does Apple get props for doing the obvious? by timholman · · Score: 4, Informative

      > Why does Apple get headlines for doing what they should have done in the first place? Anything else is a broken, insecure device. If the vendor has a backdoor, it's not secure, whether they allow the government to access it or not.

      Apple's encryption is still very secure. It hasn't been broken, and even Apple won't be able to break it for the FBI. What the FBI wants Apple to do is hack the unlock code for them.

      The only "vulnerability" in this case is that Apple potentially has the ability to push new firmware onto this model of iPhone (the 5c) using its own signed certificate, even if the phone is locked. The FBI wants this new firmware to do two things: (1) bypass the "10 wrong tries on the unlock code and the iPhone erases itself" routine and (2) reduce the time interval between unlock code entries. Once this is done, the FBI will brute force input combinations until the iPhone unlocks.

      The only problem is that Apple hasn't written this firmware. Even if the firmware existed, you'd need Apple's own certificate to push it onto the iPhone. So the iPhone is still quite secure, relatively speaking, provided the courts don't compel Apple to develop a forensics tool for the FBI at Apple's expense.

      Of course, Apple doesn't want this situation to ever, ever happen again. You can bet the iPhone 7 will plug this potential vulnerability by making it impossible for anyone to push firmware onto a locked iPhone, even with Apple's own certificate. At that point, the FBI will no doubt petition Congress to legislate that Apple (and Google, Samsung, LG, etc.) provide a means for altering the firmware of any smartphone sold in the U.S., on court order. And that's when this fight will really get interesting.

    2. Re:Why does Apple get props for doing the obvious? by wvmarle · · Score: 4, Insightful

      What is more: the current line of products with their "secure enclave" chip and so, are already supposedly unbreakable by Apple themselves. So is this an admission that Apple can actually break into the current iPhone 6 line? Or do I miss something here?

    3. Re:Why does Apple get props for doing the obvious? by AmiMoJo · · Score: 4, Interesting

      Google's Nexus devices are secure and don't have the same firmware update flaw that iPhones do. In fact all Snapdragon 810 based phones are immune because the 810 does not allow firmware updates to the secure memory, it's a ROM burned into the silicon.

      Android has in fact offered full device encryption with the key held in secure storage for years now. Since the Nexus 6 it was enabled by default, and Google has been pushing for other vendors to enable it by default too.

      Samsung has been offering its "Knox" security for phones for many years now too. No idea if that is hackable, but it's not true to say that no-one else has offered full device encryption that was claimed to be unbreakable.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Why does Apple get props for doing the obvious? by shawn2772 · · Score: 4, Interesting

      > Google's Nexus devices are secure and don't have the same firmware update flaw that iPhones do. In fact all Snapdragon 810 based phones are immune because the 810 does not allow firmware updates to the secure memory, it's a ROM burned into the silicon.

      As an Android security engineer I appreciate you standing up for Google, but this isn't true.

      The relevant software for device encryption includes:

      1. The system image. This contains the vold daemon which mounts the encrypted disk and configures the kernel with the key.
      2. The boot image. This contains the Linux kernel, which includes dm-crypt, the code that does device encryption.
      3. The trusted OS image (TOS). This contains the code that knows how to use device-specific hardware-bound secrets. Vold calls into it when decrypting the disk encryption key to pass to the kernel.
      4. The bootloader image. This is used to load all of the above. The details vary, but generally the TOS is verified and loaded first, then the bootloader switches out of secure mode (I'm describing the process for ARM-based devices; it's a bit different for others), then verifies and loads the boot image and boots the kernel. The kernel mounts the system image and configures dm-verity which does run-time verification of system image blocks.

      All of the above are flashable images, and replacing them would enable bypassing the security controls they implement. The bootloader image is the most critical one, since it verifies and loads both the TOS and the boot image. If you can change the keys it uses to verify those, you can change everything else. The bootloader (including the keys it contains) is signed by a key whose public part is burned into ROM. That key can't be changed, and the private key is held by the device OEM. I believe the keys used to sign the system and boot images for Nexus devices are held by Google (not sure), and the key used to sign the TOS is held by the TOS maker (Qualcomm, on the recent Nexus devices).

      You could compromise Android device encryption with the assistance of any of these parties. Getting the OEM to sign a new bootloader allows you to provide your own versions of any of the higher-level pieces, though these things are pretty intricate and writing replacements from scratch that would work is a big, big job. If I were working for the FBI, I probably wouldn't take that approach. Getting Google to sign a modified system image would, from a technical perspective, be much better. You'd still have to brute force the password, and you'd still have to have the TOS perform a 50ms operation for each password you try, but that would be no problem for a four-digit PIN. If the user used, say, an eight-character password, though, it wouldn't be enough. Also, Google's response to a request for a modified system image would probably be about the same as Apple's.

      The best point of attack would be Qualcomm (for recent Nexus devices; other platforms and older Nexus devices use different TOSes). Get them to sign a TOS image that takes the device secrets and simply exports them in response to some request. With those secrets in hand, and a copy of the device flash, you can then brute force the device encryption key off-device, on big hardware. No realistic user password would stand up to that. The process is complicated so I won't bother explaining it here, but it would be very doable.

      To be clear, the Android security team considers these multiple points of entry a bug, not a feature. I, personally, want to get to a state where if you don't have the user's password, you aren't getting in, barring direct attacks that involve peeling apart chips to extract secrets. Doing that requires a separate secure processor (something most Android devices don't have) running non-updateable software. Working to make this possible is one of my current projects.

      It's a much tougher problem in the Android world than for Apple, though, because of all of the players in the ecosystem. Not because they're unw
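
The trust relationships laid out in the comment above, worked through as an added example (not code from the commenter or from Android): it computes which signing-key holder can replace which images, and what kind of password guessing that exposes. The signer names follow the comment, including its unsure attribution of the boot and system keys to Google; placing the guess limiting in the system image, the `secure_processor` component, and the 62-symbol alphabet are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Image:
    name: str
    verified_by: str        # component (or "rom") whose embedded key checks this image
    signer: Optional[str]   # holder of the private signing key; None = not updateable


# Boot chain as described in the comment (recent Nexus devices).
NEXUS_CHAIN = (
    Image("bootloader", "rom", "OEM"),
    Image("tos", "bootloader", "Qualcomm"),
    Image("boot", "bootloader", "Google"),   # commenter: "I believe ... (not sure)"
    Image("system", "boot", "Google"),       # checked at run time via dm-verity
)

# Assumed model of the stated goal: secrets and guess limiting move to a
# separate secure processor running non-updateable software.
HARDENED_CHAIN = NEXUS_CHAIN + (Image("secure_processor", "rom", None),)

TOS_MS_PER_GUESS = 50  # "a 50ms operation for each password you try"


def replaceable_by(chain, party):
    """Images a party can swap: the ones it signs, plus every updateable
    image verified by something it can already swap (it controls the keys)."""
    swapped = {img.name for img in chain if img.signer == party}
    changed = True
    while changed:
        changed = False
        for img in chain:
            if (img.signer is not None and img.name not in swapped
                    and img.verified_by in swapped):
                swapped.add(img.name)
                changed = True
    return swapped


def exposure(chain, party, secrets_in="tos", limiter_in="system"):
    """Guessing exposure if `party` signs a modified image.

    off-device: the component guarding hardware-bound secrets is replaceable
    on-device:  only the guess limiting is replaceable; each guess still
                costs one TOS operation
    none:       neither component can be replaced by this party
    """
    swapped = replaceable_by(chain, party)
    if secrets_in in swapped:
        return "off-device"
    if limiter_in in swapped:
        return "on-device"
    return "none"


def worst_case_on_device_seconds(alphabet_size, length):
    """Time to try every password when each guess costs one TOS operation."""
    return alphabet_size ** length * TOS_MS_PER_GUESS / 1000


if __name__ == "__main__":
    parties = ("OEM", "Qualcomm", "Google")
    for p in parties:
        print(f"{p:9} current: {exposure(NEXUS_CHAIN, p):10} "
              f"hardened: "
              f"{exposure(HARDENED_CHAIN, p, 'secure_processor', 'secure_processor')}")
    year = 365.25 * 86400
    print("4-digit PIN:", worst_case_on_device_seconds(10, 4), "s")
    print("8 chars, 62 symbols (assumed):",
          round(worst_case_on_device_seconds(62, 8) / year), "years")
```
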

  7. which brings to mind the old question ... by swell · · Score: 4, Funny

    Can God make a chili pepper so HOT that even He can't eat it?
    Yeah, makes you think, doesn't it?

    --
    ...omphaloskepsis often...
  8. Android? by irrational_design · · Score: 4, Interesting

    What I haven't heard yet is where Android lands on the security spectrum. Are they already as or more secure than what the rumors are now saying Apple is trying to achieve? Are they as or more secure than where Apple is right now? Are they as or more secure than where Windows is right now?

    1. Re:Android? by VValdo · · Score: 4, Informative

      I think it depends on the OEM. There are factors such as whether the device storage is encrypted by default, whether the bootloader is locked by default, what kind of security hardware is available on the SoC and whether it is used, whether exploits are patched, whether there is a continuing roll out for discovered exploits, whether updates are automatically installed w/o authentication, whether the baseband contains known exploits and attack vectors (cough), etc.

      So there's no one answer because there's no one Android device and many phone OEMs (and the manufacturers of the underlying hardware platform) may be implementing security to different degrees. Though many of these considerations do have Google guidelines and policies in place, some of which may be enforceable via Google compatibility tests, there is a wide spectrum of what you can expect from Android generally speaking I think.

      You might look to Google's policies and recommendations, and more importantly their Nexus devices themselves as models for what they consider best practices to be. Then there is blackphone and other distros that have security as their primary focus, so they may be good to consider as well.

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
    2. Re:Android? by shawn2772 · · Score: 4, Informative

      > What I haven't heard yet is where Android lands on the security spectrum. Are they already as or more secure than what the rumors are now saying Apple is trying to achieve? Are they as or more secure than where Apple is right now? Are they as or more secure than where Windows is right now?

      Android devices with L or M are roughly as secure as the pre-Secure Enclave Apple devices (like the 5C). That is, the security software is all in flashable components which are signed, and if the holder of the signing keys can be coerced into signing a custom image, it's possible to bypass all of the anti brute-force protections. Brute force is still necessary, then, but it's trivial for four-digit PINs and may be feasible even for better passwords (or patterns).

      That's in general. Some OEMs have gone a bit further, such as Samsung's KNOX. I don't know the details and can't comment on whether or not they actually improved the security above the baseline required/defined by Google.

      I'm the Google Android engineer responsible for lots of these bits.

  9. Re:Torn by Anonymous Coward · · Score: 4, Insightful

    In a perfect world countless lives would be saved by limiting the speed of cars to 20kph but no one wants to do that either. I am agreeing that the risk/reward outlook favors encryption by a wide margin.

  10. Re: Torn by Anonymous Coward · · Score: 5, Insightful

    Anne Frank had something to hide from the government

  11. Re:Is this treason? by skids · · Score: 4, Informative

    People can talk secretly. Over large distances. The sooner the government comes to grip with this simple fact, the better.

  12. Re:Theatre? by skids · · Score: 4, Insightful

    You know what, I don't actually care if it is theater if it keeps people talking and thinking about security, for a change.

  13. Re: Torn by saloomy · · Score: 4, Insightful

    People who would trade liberty for security deserve neither. An overzealous government with unlimited reach and power is what so many have died for, paying their lives as the cost of liberty for their children.

    A free-thinking libertarian once gave me a great acid test for whether or not laws should exist: Would the existence of such a law have helped the colonies overthrow King George III or would such a law have helped King George III keep hold of the colonies?

    In my opinion, there are really three things here that have to be considered:
    1. What you have
    2. What you know
    3. What you are
    What you have is the information on the phone. This information on an iPhone is encrypted, and would take unimaginable amounts of time to reverse, but it is reversible.
    What you know is the key to reverse the information. What you are includes the thumbprint that can also be used to "mimic" what you know (the key).

    The government through a warrant has the absolute right to search and seize what you have: The encrypted data.
    The government does NOT have the right to what you know (5th Amendment).
    The third one: "what you are" is tricky. It only works in this case if the phone has been left ON, and has been unlocked in the past 48 hours using the key. From what I believe: due to the 13th amendment, the government cannot force you to enter your fingerprint, because of a catch 22. You have not been found guilty (yet) of a crime, and doing so would constitute "involuntary servitude".

    I don't think it would serve us well either to have all of our information readily accessible without any privacy protections either. What happens when China wants this information to find out who has been preaching Christianity in China, or Saudi Arabia wants to know who has gay thoughts?
    Our iPhones have such intimate details about our lives and so much information, I wonder if it would not serve us well to classify that information as an extension of "what you know".

  14. I have to wonder by Krishnoid · · Score: 4, Insightful

    I suspect that Tim Cook as an LGBT individual, has an intimate, proximate, and/or cultivated personal interest, with historical and current backing, in personal privacy. In these particular circumstances, it would express itself as the importance of data privacy on a personal device.

    If I had to guess, it could come down through the ranks indirectly as unstated support from the top.

  15. Whats going on by Smiddi · · Score: 5, Insightful

    The security "war" is no longer about country versus country, but about "the people" versus the government.

  16. Re:Torn by Macdude · · Score: 4, Insightful

    The problem is it's not just this phone. It's the 12 others they have on stand by, it's the 175 NY has lined up and ready to go -- for starters. The other problem is there is no guarantee breaking into this phone (and enabling the government to break into any other iphone) is going to save even one life. Is it worth compromising the phone's security (and enabling all kinds of fraud) on the off-chance that some information it contains may help the government prevent a death?

    This couple purposely and specifically destroyed their phones and computers before going on their rampage. Do you really think they left incriminating evidence on the guy's work phone?

    Ask yourself, what is the price of freedom? If you want to live in a world where your every move isn't monitored and recorded by untrustworthy people who seek to capitalize on every little weakness you may have, perhaps the risk of a death here or there is an acceptable price. The question boils down to, would you rather live as a slave or risk death living as a freeman?

    --
    "Grab them by the pussy" -- President of the United States of America
  17. Re: Torn by Anonymous Coward · · Score: 4, Insightful

    I don't have an iPhone, why should I care? Apple didn't care when the Indian government went after Blackberry.

    Learn from the past:

    First they came for the Socialists, and I did not speak out—
    Because I was not a Socialist.

    Then they came for the Trade Unionists, and I did not speak out—
    Because I was not a Trade Unionist.

    Then they came for the Jews, and I did not speak out—
    Because I was not a Jew.

    Then they came for me—and there was no one left to speak for me.

    https://en.wikipedia.org/wiki/First_they_came_...

  18. Re:Torn by KGIII · · Score: 4, Interesting

    > In fact, you could even assume those that didn't volunteer their keys are suspect to begin with!

    I once had a couple of cops kick me out of Kansas for that line of thinking. It's a long story but I'll try to make it brief.

    They tried to convince me that my refusing to allow them to search my vehicle is grounds to allow them to search the vehicle, that it constituted probable cause. Yes, I laughed aloud and explained that I was not a teen. I did applaud their effort, quite literally. They then told me to get out of Kansas and that if they ever saw me again, they were going to arrest me.

    Oddly, with all the travel I have done (and the condition and manners in which I've done it) that's the worst thing I ever faced. There's more to the story but that's the gist of it. I don't believe the rest is significant but I'll share it if you want to understand the circumstances. I'm not sure if I should be frightened or amused by the treatment. I have to wonder if they use that line often and if anyone falls for it?

    I'm also pretty sure they can't just kick me out of Kansas but I didn't figure I'd stick around where I wasn't wanted and I was headed out anyhow - and right on the border. They were even kind enough to give me an escort to the on-ramp at the nearest highway. I didn't have the heart to tell 'em that I'd just gotten done helping clean up after 90% of Greensburg had been destroyed by a tornado and that I'd only cleaned up because I happened to be right there in the area and they needed help. I just figured that I'd avoid Kansas. I've never been back.

    --
    "So long and thanks for all the fish."
  19. Missing the point by argumentsockpuppet · · Score: 5, Insightful

    I RTFA this time. It, like so many other articles, missed the actual legitimate issues of the case. Every time you read an opinion that says Apple should "unlock the phone" or "decrypt the phone" misses the point that Apple must create software which doesn't exist. Whether Apple should do that or not is itself an interesting discussion, but the real issue here is whether government agencies should be able to force software companies to create hacking software, especially when the software company isn't accused of breaking any law in the case.

    I don't have any issue with the idea that a government agency should be allowed to create hacking software. I wouldn't object if the NSA had required Apple to sign a software update created by the NSA for the purpose of hacking into the phone. In fact, I think that's what the government should do. However, I'm very troubled by the fact that most people are in favor of Apple being forced to unlock a phone when that's not what is really going on.

    Compulsion of speech is an issue that has been supported in food labeling laws and denied in other cases. Creating software is fundamentally different than providing existing information. I believe creation of software is a form of speech, and I think the courts have upheld that viewpoint, so this case is really hinging on whether a judge under "All Writs Act" has the authority to force someone, not even someone accused of a crime, to create something new.

    I think it is important in this discussion to understand how the software the government wants Apple to create would work. Apple updates happen automatically for phones which automatically connect to a known wifi access point. Those updates don't just get pulled from Apple though, the phone creates a code which is encrypted with Apple's public key, so that only Apple with its private key can decrypt. The update is then provided to the phone, with the code provided by the phone re-encrypted so that only the phone can decrypt it, and only then is the update, signed with Apple's key, loaded into the phone.

    If the government wanted to, they could require Apple to provide source code to their existing software and the government could modify it and either ask Apple to sign it or require Apple to provide its private key. However, by requiring Apple to create the hacking software, they're introducing an idea that software companies cannot refuse to create software when required by the government. Once someone does something for a government official, often that's taken as a reason that the government can require them to do it again. (See In re Boucher - case citation: No. 2:06-mj-91, 2009 WL 424718)

    Apple had asked that the request be sealed, thus kept secret and not able to be used as precedent but the Department of Justice refused and thus made their request both public and able to be used as precedent. If they succeed in forcing Apple to create hacking software they get access to the information on this phone, but more importantly, the hundreds or thousands of phones they'd like to access are much more likely to be accessed by forcing Apple to repeat the process over and over. Apple doesn't want to be in the business of creating hacking software for the government. Much of law enforcement would consider this a victory, but I think the FBI is hoping to lose this case as a general might be willing to lose a battle, in order to win the bigger war. By losing the case, the FBI gains public support that they can use to pressure Congress to create laws forcing software companies to build in backdoors. Such a thing could be done securely, so that it wouldn't open the software to hackers. I have zero faith that Congress or software companies actually would do it in a secure way, but that's not the reason I am against the backdoor. Encryption is math and the math is known and freely available to anyone who searches for it. The ability to create securely encrypted software is something that can't be made to disappear, but it can be made illegal to do in the US. By d

    1. Re:Missing the point by shess · · Score: 4, Insightful

      > I'm very sorry to tell you so, but Apple needn't create software that doesn't exist. It needs to modify an existing piece of software, called firmware that set a limit on the number of attempts with a wrong password before deleting data on the phone and it needs to remove the delay they introduced between attempts to avoid an automatic system to try passwords at a rate no human can. So, the piece of software exists and the modification is about two lines of code and maybe something like less than 10 characters to change in the code.

      So if the government handed you a piece of paper and said "Read this into the microphone", you'd consider that not to be restricting your freedom of speech because you didn't have to actually create the message yourself?

      This Apple software is written a certain way for reasons specific to the desired functionality. Just like you might choose specific words to get across your specific point, and might not agree to choose alternate words which make an entirely different point.

  20. Re:Torn -- Damage done by the terrorists... by neurocutie · · Score: 4, Insightful

    "This couple purposely and specifically destroyed their phones and computers before going on their rampage. Do you really think they left incriminating evidence on the guy's work phone?"

    It's interesting to consider that by leaving their iPhone in the situation they did, this terrorist couple may end up doing far more damage to US society than their shooting spree...

  21. Re: Torn by NotBornYesterday · · Score: 5, Insightful

    So what? The Magna Carta was written 800 years ago, and we still value many of the principles it contains. Much of the beauty of the Constitution is how well engineered it is, and how much of its framework still works and applies today, including the 4th and 5th. The fact that the founders couldn't foresee our technology is irrelevant. What you don't seem to understand (most people, actually) is that the Bill of Rights doesn't grant people rights.

    It states that these rights preexist, AND EXPLICITLY STATES THE GOVERNMENT HAS NO POWER TO INFRINGE UPON THEM.

    Whether we are to be secure in papers in our houses, our strongboxes, or letters, or text messages is simply a game of semantics. These are all communications we intend to hold privately ... and therefore the government has no right to them.

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  22. Re: Torn by jxander · · Score: 4, Informative

    iPhones are only secure within themselves. If I send you a text, that's open and easily interceptable.

    Military needs secure comms, not secure storage.

    (Well okay, they need both... But the storage is cheap and easily handled)

    --
    This signature is false.
  23. Re:Torn by _KiTA_ · · Score: 4, Insightful

    > In a perfect world maybe, but you're not considering the real world where few lives will be saved, but the vulnerability will be abused constantly.

    Especially since they immediately demanded to violate those rights 12 additional times in order to break the encryption of 12 more iPhones -- none of which had anything to do with the bogeyman of the week, terrorism.

    This has nothing to do with fighting terrorism or protecting Americans. The FBI decided us using our right to privacy was making their jobs annoyingly difficult, so our right to privacy, in this situation, simply has to go.

  24. Re:Torn by Dcnjoe60 · · Score: 4, Informative

    Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.

    Don't forget though, Ben Franklin is someone who never had his liberty or his safety threatened. It's an easy platitude when you've got both.

    One would think that his involvement with the US Declaration of Independence, the revolution, etc., would certainly be evidence that he felt his safety and liberty were threatened.

  25. Re: Torn by Khyber · · Score: 4, Insightful

    "There are simply no comparisons to be made and the writers could never have comprehended the technologically advanced world we live in today."

    Bullshit. I can teach 65+ year old biddies from the ghetto how to repair laptops in a couple of weeks, yet they still can't program a VCR to save their lives. Teaching the founders today by analogy would take about ten minutes, and they'd then look at you and go "You sir, are a fucking moron."

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  26. Re:Torn by Khyber · · Score: 4, Informative

    "Ben Franklin is someone who never had his liberty or his safety threatened"

    Say fucking what? February 15, 1739: Franklin’s home was robbed by William Lloyd. November 24, 1737: Franklin and others organized a volunteer militia – the Associators – for the defense of Pennsylvania. December 23, 1750: Franklin was severely shocked, while electrocuting a turkey. June, 1752: Franklin, who has not yet heard of the French success of his 'sentry-box' experiment, experiments with flying a kite in a thunderstorm, and also proves that lightning is electrical in nature. September 16-17, 1765: Franklin’s house threatened by Stamp Act protestors. Deborah refused to flee, and the mob was dissuaded by 800 Franklin supporters ready to combat them.

    Franklin has had his liberty and safety at risk more times than you can possibly imagine. These are just the documented and notable ones.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.