This is the type of hacking I want to see. Hardware hacks. This means you need possession of the phone.
What the FBI wanted Apple to do was a software hack. With software hacks you can access phones WITHOUT possession. And with a backdoor you can access MILLIONS of phones at the same time. In your home. In your bedroom. That is what I'm afraid of.
Software hacks can be exploited by bad actors in China, Russia, North Korea. That can't happen. The FBI has to improve its hardware hacking ability.
I agree.
And, to be fair, if they pull this off, it will be kudos to them. It's a very difficult thing to pull off.
If Apple did the secure enclave correctly in the iPhone6/6s, it'll take something far more sophisticated than NAND mirroring to crack. They'll have to de-cap the chip and try to probe. And it's fairly easy to make a chip unprobe-able, so even that avenue can and will be cut off in the future. Uncrackable encryption is here to stay.
You're right, on the 6/6s, with the secure enclave, this is essentially impossible.
On the 5s though, which this phone is, it's certainly possible, though incredibly difficult.
Totally agree. Possession and some disassembly required. Very different than software hacks, nobody wants unfettered remote sensing. I also believe that this technique was likely very well known to terrorist IT people who ordered the shooters to completely demolish their personal phones for good measure, even though they were most likely encrypted, which also furthers the point that there is nothing of value on the iPhone 5c.
How the frack is that even a solution? You still need the hardware key on the device + the passcode, plus the whole code to go from these to the decryption key. This thing is absolute nonsense and not the solution. There is a solution but this is not it.
Well, that will get them something they can hack without erasing the data. They may still not be able to decrypt the data. It may take 100 years, by which time ISIS will be long gone and the USS Enterprise will be running iOS for spaceships.
I believe that Apple has hired some firmware security folks that may prevent this kind of hardware hacking in the future.
Time will tell.
You are missing the point of the harness. You make a copy of the chip. You put it in the harness. You boot the phone. You make 5-7 guesses. You restore the chip's copy. Repeat.
Nicely written article that seems to omit the OBVIOUS. NAND mirroring only replaces the data on the phone. All of the security is located in the Processor, this according to Apple's documentation.
There is no secure enclave in the 5c, so all the data is in the NAND, including the passcode counter.
If this phone had been any later model than the 5c the FBI could have just used the terrorist's thumb to unlock the phone.
Not necessarily. Touch ID is supposed to only work with a live finger, even though people supposedly have shown it working. Plus, you only get three attempts before it requires a passcode. How many times have you messed up with a live finger?
You get 5 attempts; after 3 it goes to the keypad. Try again and you will see a bunch of dots entered as input. Then one more time with the same result, followed by a message that you must unlock with the passcode to enable Touch ID.
The hardware key is, well, in the hardware on the phone, and how do they get it out, combine it with the passcode (which is not directly a key) and then try it?
Even if it's on the NAND, they'd have to be sure the phone has no way to notice external tampering with its memory (or a change in memory); if any change is done only through the API, that's possible, unless you know how the thing is coded exactly. There aren't many methods that are bulletproof unless you have access to the code and know how it has been implemented.
Nicely written article that seems to omit the OBVIOUS. NAND mirroring only replaces the data on the phone. All of the security is located in the processor, this according to Apple's documentation. So while you may be able to save the data after the try-and-wipe process, this process does nothing to restore the phone access functionally. From what I understand, once the 10-try counter reaches 10 the phone will always wipe data from the phone even if a successful passkey is entered via the GUI. Restoring the phone access is what decrypts the data without knowing what the encryption key is. Altering the processor has its own hazards given that there are hash-signed certificates that ensure that only authorized and unaltered code is executed. Apple's security white paper states that the security features are stored in the boot ROM with keys burnt into the ROM at the factory. Much of this information is also stated in court documents provided by the FBI. Then there's the very simple question: NAND mirroring is such a simple process that it boggles one's mind to think that the FBI hasn't thought of doing this, given that the San Bernardino phone is not the first phone the FBI has that they can't unlock. BTW, court documents state that the iOS is 9, not 8, but the phone processor does not have a secure enclave. A secure enclave only makes the processor more secure, not the data on the NAND chip.
The process that seems to be most viable is the delayering of the processor to expose the encryption key, and the key itself might be encrypted. The problem: you get one shot. The FBI has also mentioned the Israeli firm Cellebrite, a well recognized firm that has developed software to hack other iPhones without altering the phone in any way. The OS noted by the FBI in court documents is iOS 4.
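The two mechanisms the thread keeps circling, the harness loop from the earlier reply ("make a copy of the chip, boot, make 5-7 guesses, restore the copy, repeat") and this comment's point that the key material and derivation live in the processor rather than on the NAND, modelled in one added Python example. This is written for this page and is not code from the article or from any commenter. It follows Apple's published description only loosely: the passcode is tangled with a per-device UID so guesses must run on that silicon, each derivation costs about 80 ms, and an erase-after-10-failures counter is kept in flash. The class names, the 1000 PBKDF2 iterations, the 60 s cost per restore-and-reboot cycle and the sample UID and passcode are assumptions made for the simulation.

```python
import hashlib
import hmac

WIPE_AFTER = 10          # failed guesses before the device erases its key (the "Erase Data" setting)
GUESS_COST_S = 0.08      # assumed on-device derivation cost per guess (Apple quotes roughly 80 ms)
REBOOT_COST_S = 60.0     # assumed cost of one restore-and-reboot cycle of the mirrored NAND


class NandFlash:
    """Persistent storage: a check value for the derived key and the failure counter."""

    def __init__(self, key_check, fail_count=0):
        self.key_check = key_check      # hash of the correct derived key; b"" once erased
        self.fail_count = fail_count

    def clone(self):
        """Bit-for-bit copy, as a NAND mirroring harness would make."""
        return NandFlash(self.key_check, self.fail_count)


class Processor:
    """Holds the per-device UID; the key derivation only exists in here."""

    def __init__(self, uid):
        self._uid = uid                 # fused into the silicon, never readable by software

    def derive(self, passcode):
        # Tangle the passcode with the UID so a guess is only testable on this chip.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, 1000)

    def try_unlock(self, passcode, nand):
        """One guess. Returns the derived key on success, None otherwise; erases after WIPE_AFTER."""
        if nand.key_check == b"":
            return None                            # key already wiped, nothing left to unlock
        key = self.derive(passcode)
        if hmac.compare_digest(hashlib.sha256(key).digest(), nand.key_check):
            nand.fail_count = 0
            return key
        nand.fail_count += 1
        if nand.fail_count >= WIPE_AFTER:
            nand.key_check = b""                   # the ten-tries-and-wipe policy
        return None


def provision(uid, passcode):
    """Build a device whose flash holds only a check value derived from UID and passcode."""
    cpu = Processor(uid)
    nand = NandFlash(hashlib.sha256(cpu.derive(passcode)).digest())
    return cpu, nand


def candidates():
    return (f"{i:04d}" for i in range(10000))


def naive_bruteforce(cpu, nand):
    """Guess in place: the counter in NAND wipes the key after ten failures."""
    for attempts, pin in enumerate(candidates(), start=1):
        if cpu.try_unlock(pin, nand) is not None:
            return pin, attempts
        if nand.key_check == b"":
            return None, attempts
    return None, 10000


def mirrored_bruteforce(cpu, nand, guesses_per_cycle=7):
    """The harness loop: copy the chip, guess a few times, restore the copy, repeat."""
    if guesses_per_cycle >= WIPE_AFTER:
        raise ValueError("a cycle must stay below the wipe threshold or the copy is useless")
    pristine = nand.clone()                        # taken once, before any guess
    working = pristine.clone()
    attempts = restores = 0
    for pin in candidates():
        attempts += 1
        if cpu.try_unlock(pin, working) is not None:
            return pin, attempts, restores
        if attempts % guesses_per_cycle == 0:
            working = pristine.clone()             # counter back to 0, key check intact
            restores += 1
    return None, attempts, restores


def estimate_seconds(attempts, restores):
    """Wall-clock cost: on-chip derivations plus physical restore cycles."""
    return attempts * GUESS_COST_S + restores * REBOOT_COST_S


if __name__ == "__main__":
    uid = b"\x00" * 32                             # constructed; a real UID is random per device
    cpu, nand = provision(uid, "4729")             # constructed passcode
    print("in place :", naive_bruteforce(cpu, nand.clone()))
    pin, attempts, restores = mirrored_bruteforce(cpu, nand)
    print("mirrored :", pin, attempts, "guesses,", restores, "restores,",
          round(estimate_seconds(attempts, restores) / 3600, 1), "hours")
```

Guessing in place stops dead after ten failures with the key erased; the mirrored loop never lets the counter reach ten because every restore puts the pristine copy back. Note that the attacker still has to run each guess through `Processor.derive` on the real chip, which is why the NAND copy helps with the counter but not with taking the work offline. Under these assumed costs the worst case of 10000 guesses at 7 per cycle is 1428 restores, about 24 hours, in line with the "1-2 days" figure given elsewhere in the thread; the restore cycles, not the derivations, dominate.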
"so all the data is in the NAND" - That's simply not true. The enclave is just another part of the A7 processor. The A6 processor on the 5C still stores the UID and the boot up software, it just doesn't have an enclave. An enclave is simply a portion of the processor that has been segregated (walled off if you will) from the rest of the processor. That walled off portion has its own security features built in by the chip manufacturer making the processor harder to defeat.
Potentially only if Touch ID was enabled. I see many people in public with phones that support Touch ID that are using passcode instead.
If the phone has been turned off (powered down), which court records indicate the phone was, any iPhone with Touch ID (5S and above) requires a passcode for the first entry. Thereafter Touch ID can be used to unlock the phone. Apple has also built in a function that after so many unlocks using Touch ID the passcode has to be entered to unlock the phone. The phone in question is a 5C and does not have Touch ID.
Could you go the other way and make the chip more probe-able?
Have a region in the chip that the entropy key gets written to in a way that could be read by means that trash the chip in the process. So basically the device would need to be destroyed and the person with this information would still need to present a warrant to the chip maker to get the entropy key turned into the private key.
Plus one has to know what finger or thumb to use. Many right handed users hold the phone in their left hand and thus will use the left thumb. But could also use the right index finger or right thumb. Or hold the phone in their right hand. And use the right thumb or left thumb or index finger. And vice versa for left handed users. So a failure to unlock when swiping could mean it wasn't read or it's the wrong finger or thumb. So someone trying to hack in can't be sure, unless they know for sure what finger or thumb was used to unlock.
They should let you set one finger so that it locks out Touch ID if used and then requires a passcode after the first attempt.
Why does it matter to you if the FBI can access private data on suspicion of criminal activity? Why are you "afraid"?
Stop the logic "if you don't do any wrong, you don't have to worry". Do you want cops searching your house anytime they want even though you don't have anything to worry? It's all about "privacy".
This will take 1-2 days to try all 10000 options.
Issaa must have taught them how to work outside the 4 dots...
THAT’S WHY I HAVE EVERYTHING TO FEAR.
Error 53? On an iPhone 5c?