FBI vs. Apple

money.cnn.com... toryLink&linkId=21352953

Why doesn't the FBI just go to Prison, make a deal with a Black Hat Security Cracker and have them write a Program to crack Apples stuff. Seriously from what I am reading this article makes the ‪#‎FBI‬ look like a bunch of Script Kiddies the way they are begging Apple to hack its own #. I mean some of these guys can start a dam Nuclear War if they wanted to. So im sure hacking ‪#‎Apple‬ ios 5 would be a walk in the park. Even if they are out of practice lol. Its a lot easier then going to court over this. The hackers in prison have nothing to lose and everything to gain.

lifars.com...

It would likely require only a few lines of code to disable the auto-wipe feature of the iPhone. The person who originally added the feature to the login module surely had the ability to turn the feature on and off while testing it. For that matter, it would probably just take a line or 2 of code to bypass both the login module and auto-wipe feature entirely.

In a way I’m kinda surprised the FBI needs Apple’s assistance to do this. I do understand the implications of the FBI having the ability to bypass the login/auto-wipe functions on ‘all’ iPhones, but I just assumed it to be so basic that it would probably already be part of their (FBI) cracking toolkit. I guess I overestimated their technical savvy.

Why can’t Apple determine the password for this particular phone and then provide it to the FBI, rather than writing code to get around the login/auto-wipe features? Or, why can’t Apple gain access to the phone, do a complete data dump and provide the dump file to the FBI?

I think if there’s no way for Apple to do this in these kind of cases, then Apple’s got it all wrong. In this particular case the information is critical and should be accessible, without jeopardizing the security of all iPhones. I mean, come on guys... Let’s take something really simple and complicate the hell out of it.

Something about all this smells funny to me. I’m with you on this, Stevemagegod...

For whatever reason, you guys think hacking a modern network security system is a piece of cake. Especially iOS 5. 4th gen is a different story that's pretty easy. iOS 5 and above has been a challenge to anyone that has been trying to crack it open. Apple has been vigilant with their current security system and constantly updating any and every weakness. The icloud system makes things even harder to bypass.

Apple should just give them the info on the phone or phones they want.

Don't they have a warrant for that?

originally posted by: netbound
Why can’t Apple determine the password for this particular phone and then provide it to the FBI, rather than writing code to get around the login/auto-wipe features? Or, why can’t Apple gain access to the phone, do a complete data dump and provide the dump file to the FBI?

After Lavabit and then all the various laws to turn over information a lot of companies stopped storing user passwords. Not only did it let them fight against a law that many believe is unjust but it shielded their companies from liability in the event their password database gets stolen. The way IOS works, alongside several other programs now is that all of the information is encrypted and the password itself is the decryption key. The password doesn't enable the program to run a decryption key but rather acts as the key itself. This creates keys that are easier to reverse engineer but also means that no one other than the person who encrypted it actually knows the phrase to decrypt it (which means the company can't reset a password if you lose it).

What's going to eventually happen is they're going to duplicate the data and then brute force the decryption but that could take months or even years, at which point the data won't be all that relevant other than the contact list which is really the only thing the FBI should care about anyways... what was actually said doesn't really matter, only who they were speaking to. They may even end up quietly settling the whole thing with Apple, Apple provides the contact list but leaves all the actual data secret.

a reply to: Stevemagegod

Interesting piece from The Intercept which mentions Google also, not sure how much business they'll lose if encrytpion is outlawed but not everyone can live with their head in the sand:

Google, the other tech behemoth that has promised to make encryption, security, and privacy a priority—but has stalled in implementing unbreakable encryption on its services by default—was notably silent for most of the day. But then Google CEO Sundar Pichai expressed his support in a series of tweets: “Important post by @tim_cook,” he wrote.

theintercept.com...

Let's not forget that the regular police can crack into an iPhone if they want anyway. If you're arrested and your phone taken away, it's almost 100% certain your phone is going to be plugged into a police station computer and its contents downloaded and analyzed.

They can crack SIM cards, social media passwords, get all your SMS text messages, phone logs, contacts, pictures ... everything. When and *IF* you get your phone back, it may magically be "water damaged" to hide the fact that all your data was stolen and copied to a police computer.

I've seen it happen with my own two eyes.

So, IMO this whole thing is nothing more than a psyop from Apple OR the FBI to judge public opinion and see what/how people think about backdoors for national security/law enforcement. Apple might want to see how their customers react by releasing the letter...the FBI might have asked Apple to do it so they can also see how people will respond.

In any case, the NSA can crack/hack anything they want and all electronic communication is slurped up by them anyway. If they wanted it, they can have it. This is such a big load of BS.

It's all theater and drama folks, nothing more.

originally posted by: MystikMushroom

It's all theater and drama folks, nothing more.

That's what I thought.

And doubt it originated from either government or Apple.

originally posted by: Zcustosmorum
a reply to: Stevemagegod

Interesting piece from The Intercept which mentions Google also, not sure how much business they'll lose if encrytpion is outlawed but not everyone can live with their head in the sand:

Encryption will never be outlawed. It's a death knell to the entire tech sector. Imagine if US companies are unable to encrypt sensitive information on people? A world where billing information isn't encrypted, email logins aren't encrypted, and so on. It will never happen as long as law makers take advice from tech people. Even if it were to happen though it wouldn't last for very long because there would very quickly be a push to classify encryption as a weapon/defensive measure and cover it under the second amendment.

originally posted by: MystikMushroom
Let's not forget that the regular police can crack into an iPhone if they want anyway. If you're arrested and your phone taken away, it's almost 100% certain your phone is going to be plugged into a police station computer and its contents downloaded and analyzed.

I don't know that much about iPhones but I think their main security is a 4 digit passcode to get access to the device, and then after 10 tries you're locked out. There's a hardware weakness though that lets you actually test 6-7 passcodes before the first is registered as a failed attempt. Therefore you can test a few passcodes, power off the device, power it back up, and test a few more. I might be off on the exact numbers but it takes law enforcement an average of 3 days to break into an iPhone due to this.

The app this person is using clearly prevents that technique though. The big weakness in Apple products it that a 4 digit passphrase only leaves you with 10,000 possible passwords.

So, IMO this whole thing is nothing more than a psyop from Apple OR the FBI to judge public opinion and see what/how people think about backdoors for national security/law enforcement. Apple might want to see how their customers react by releasing the letter...the FBI might have asked Apple to do it so they can also see how people will respond.

In any case, the NSA can crack/hack anything they want and all electronic communication is slurped up by them anyway. If they wanted it, they can have it. This is such a big load of BS.

It's all about time. The US only has a finite amount of resources to crack passwords. Even if the NSA can in theory break into anything (though this is debatable) they cannot break into everything. Therefore, in the interests of efficiency it is best to minimize the amount of stuff they need to break into by finding other ways of getting the pass keys. A large part of information security (and it applies here too) is in making your information cost more to obtain, therefore making it a worse cost:benefit ratio than a person can obtain by getting information elsewhere.

originally posted by: MystikMushroom
Let's not forget that the regular police can crack into an iPhone if they want anyway. If you're arrested and your phone taken away, it's almost 100% certain your phone is going to be plugged into a police station computer and its contents downloaded and analyzed.

They can crack SIM cards, social media passwords, get all your SMS text messages, phone logs, contacts, pictures ... everything. When and *IF* you get your phone back, it may magically be "water damaged" to hide the fact that all your data was stolen and copied to a police computer.

I've seen it happen with my own two eyes.

So, IMO this whole thing is nothing more than a psyop from Apple OR the FBI to judge public opinion and see what/how people think about backdoors for national security/law enforcement. Apple might want to see how their customers react by releasing the letter...the FBI might have asked Apple to do it so they can also see how people will respond.

In any case, the NSA can crack/hack anything they want and all electronic communication is slurped up by them anyway. If they wanted it, they can have it. This is such a big load of BS.

It's all theater and drama folks, nothing more.

DING DING DING we have a winner.

It's publicity stunt, a psy-op, and the FBI already has the info or can crack it or Apple has already helped them. You think the enessay can't crack the PW on an iPhone with a super quantum computer in a few minutes by brute force?

Gah.

a reply to: Stevemagegod

The FBI is certainly asking a lot of Apple here... I mean, did they really believe Apple would just create some "master key" for them? Creating that bypass would essentially make their whole company vulnerable for it happening again.. I applaud Tim Cook here, and I hope he stands firm here, because it's a very slippery slope, and if they allow it once, the door has been cracked open, and will never be shut again...

(scratches head) Grant you, I haven't taken an iPhone apart. But the data is likely on a component you can dismount, or it's in the SIM. Either way, you should be able to make copies of it.

And there's only 100,000 passcodes, even if you brute force it, so, knowing how the encryption algorithm works, you should be able to take the contents of storage, have a program on a big desktop iterate through the passcodes and find the key.

originally posted by: Bedlam
(scratches head) Grant you, I haven't taken an iPhone apart. But the data is likely on a component you can dismount, or it's in the SIM. Either way, you should be able to make copies of it.

And there's only 100,000 passcodes, even if you brute force it, so, knowing how the encryption algorithm works, you should be able to take the contents of storage, have a program on a big desktop iterate through the passcodes and find the key.

The only thing I can think of is that there's a law preventing them from doing so unless Apple consents. It makes you wonder why they would even let Apple know in the first place, since there's no possible charges if no one knows it happened.

originally posted by: Bedlam
(scratches head) Grant you, I haven't taken an iPhone apart. But the data is likely on a component you can dismount, or it's in the SIM. Either way, you should be able to make copies of it.

And there's only 100,000 passcodes, even if you brute force it, so, knowing how the encryption algorithm works, you should be able to take the contents of storage, have a program on a big desktop iterate through the passcodes and find the key.

If I'm not mistaken, I believe the phone gets wiped back to factory reset automatically if there's more than 10 failed password attempts... So, would it be possible to brute force it, or is there some work around to test those pass codes without it going against the actual phone device?

originally posted by: jhn7537

originally posted by: Bedlam
(scratches head) Grant you, I haven't taken an iPhone apart. But the data is likely on a component you can dismount, or it's in the SIM. Either way, you should be able to make copies of it.

And there's only 100,000 passcodes, even if you brute force it, so, knowing how the encryption algorithm works, you should be able to take the contents of storage, have a program on a big desktop iterate through the passcodes and find the key.

If I'm not mistaken, I believe the phone gets wiped back to factory reset automatically if there's more than 10 failed password attempts... So, would it be possible to brute force it, or is there some work around to test those pass codes without it going against the actual phone device?

Sure. Do what we'd do. Dismount the storage, and copy it out to hard disk.

The phone being wiped part is an OS function. Ditch the whole thing, take the encrypted storage out, copy it.

Now you can do whatever the # you want with it. If you know how the encryption works to produce the drive image, you can easily knock together some c# code to try every combination in a 100k passcode universe. You'll know you hit paydirt when you get something rational back for the first few sectors.

eta: if you want to be more subtle about it, you could also overwrite whatever they're using for a bootloader, and just have IT dump the contents of storage out through the USB port.

a reply to: Stevemagegod

I will be surprised if a higher court lets this judges ruling stand.

seems I read somewhere on the net today that they physically "pop" a fuse on the hardware after coding to prevent this,or maybe it's on the new phones. As if part of the decryption is in the serial numbers of the chipset or something like that?

dbl post (my first i think) delete.

I'm not linking to the forensic software, but the software exits. The police have it. It doesn't matter if you have a PIN number or whatever -- they can crack into your phone in a few minutes and see everything. The same with Android and any other smart phone. They can even hack the SIM card (that little chip in your phone you swap out when you get a new phone).

The fact is -- THE LOCAL POLICE CAN ALREADY GET INTO YOUR PHONE. Let's not forget that they can listen in on your phone calls and record them via Kingfisher and Stingray devices mounted in squad cars or helicopters. Local governments are approving budgets for these devices without even really knowing what they do.

Now I know it's a psyop or stunt. Google just agreed with Apple:

Google's chief executive sided with rival Apple on Wednesday in its battle with a judge who ordered it to help the FBI access information on the encrypted iPhone used by one of the San Bernardino shooters.

NBC

Why is this important?

Quite plainly, Google works for the US State Department.

Yep, that's right. Google is deeply in bed with the US State Department. One of the CEO's is a former State Dept. employee. Google is the State Department's public "cover" to do things it can't do in its official capacity. Let's also just forget the wholesale sell off of personal data to the NSA by Google as well...

Caught red-handed last year making petabytes of personal data available to the U.S. intelligence community through the PRISM program, Google nevertheless continues to coast on the goodwill generated by its “don’t be evil” doublespeak.

Newsweek - Google is not what it seems

The article is really, really long -- but it's VERY eye opening.

So when you take both facts -- that Google is now standing with Apple on this, and the fact that Google is basically a non-government, governmental agency...

Yeah, this smells. Smells really bad.