Slashdot Mirror
Slashdot Asks: Should FBI Reveal to Apple How to Unlock Terrorist's iPhone? (latimes.com)
After reports that the FBI managed to unlock an iPhone 5c belonging to one of the San Bernardino shooters without the help of Apple, Apple is now the one that needs the FBI's assistance. "The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices," said Justin Olsson, product counsel at security software maker AVG Technologies. However, many experts in the field believe that the government isn't legally obligated to provide the information to Apple. As mentioned in Los Angeles Times, this creates a new ethical dilemma: Should tech companies be made aware of flaws in their products, or should law enforcement be able to deploy those bugs as crime-fighting tools?
Shouldn't Apple be chasing after them for circumventing the encryption and digital rights management system on the phone? Its what they do to people coming up with jailbreaks... why would this be diffrent?
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
O wait....we have already bent over. It is too late folks. No one cares what you think anymore. The system is established. Only blood will wash it away. Enjoy.
Well, actually, we don't need to leave it to a bunch of internet commenters to decide this issue -- there is an actual process described as "equities review" which the Executive Branch is responsible for, when a cyber vulnerability is known, but not yet disclosed to the public:
https://www.whitehouse.gov/blo...>href=https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities
The considerations described here (in whether to reveal or keep secret a vulnerability) cover:
-- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
-- Does the vulnerability, if left unpatched, impose significant risk?
-- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
-- How likely is it that we would know if someone else was exploiting it?
-- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
-- Are there other ways we can get it?
-- Could we utilize the vulnerability for a short period of time before we disclose it?
-- How likely is it that someone else will discover the vulnerability?
-- Can the vulnerability be patched or otherwise mitigated?
In this case, I might argue that this is becoming so well known (though the technical specifics have not been revealed), that the FBI/US had better tell Apple to make sure that other users of the affected phones can be secured -- while the intelligence value of the exploit is rapidly decreasing due to its publicity.
Apple already knows it's hackable, that's why the 5S and newer have Secure Enclave.
Still, they should make the FBI rue the day they tried to destroy Apple's market, however they can. Revealing the San Bernadito phone as a ploy is the minimum they should pursue.
Yet, ultimately I hope Apple loses an inquiry about this break because it's better for all of us if they see the unconstitutional law enforcement agencies as adversaries.
There, now I've disagreed with both camps.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Yeah, Apple is approaching the wrong party. That company in Israel found the flaw, and the FBI paid them to use it. Apple has so far been unwilling to encourage folks to expose bugs, by paying them, so....
Logically, especially since it is well known that Apple has plenty of cash on-hand to buy things, Apple should buy the vulnerabililty, instead of expecting to get it for free from the Feds. How greedy do you think ordinary folks are willing to let Apple be, in such circumstances?
Of course they hacked the phone.
There is a very easy, very reasonable trick that is guaranteed to work to get the data out of that phone with minimal risk (assuming it has a 4-digit PIN). It's not a mistake, it's not a bug, it's not something anyone has to "discover". It's simply an attack outside the threat model that Apple used when designing that particular iPhone (and, with minor differences, all currently released iPhones). I have no doubt Apple knows full well it will work and knew it would work when they designed the phone (it's blatantly obvious, and Apple's security engineers aren't idiots) - protecting against it is just not trivial (it cannot be solved by software, it requires support hardware) so, to this date, they've chosen not to. In fact, they added a minor roadblock against it on newer phones (but only a minor one that can also be bypassed - because doing better is Hard(TM) and costs money), which demonstrates they are fully aware of it. I explained how it works here (search for "replay attack"). I'm not the first one to mention this approach.
Making iPhone secure against all physical attacks is impossible. If your PIN is bruteforceable (as is the case here), then security relies on the PIN attempt counter. An attacker with physical possession of the phone can always find a way in. Apple just has to decide how much effort (and money) they want to put into making that harder. The current bar is at approximately the "a couple experienced hardware/software hackers and a couple thousand dollars in R&D costs" level. With some more money/effort they could raise it to the "a crazy dude like Chris Tarnovsky and a medium-budget silicon hacking lab" level. It's not going to get to the "noone will practically be able to do it" level without making the iPhone into a tamper-resistant hardware security module with physical defenses (i.e. not something likely to fit in your pocket).
It still baffles me why everyone is so concerned about how the FBI got in, when we know an easy way in already.