The digital forensics company Cellebrite now claims it can unlock any iPhone.
I dithered before blogging this, not wanting to give the company more publicity. But I decided that everyone who wants to know already knows, and that Apple already knows. It's all of us that need to know.
Having a strong password only works if there is no low level maintenance process somewhere listening for a secret wake up sequence. Product developers have a bad habit of putting these in like the Intel ME for a start, the battery may also contain a cpu.
But as for the rest that "need to know" it puzzles me as to why people actualy trust a mobike phone that they provably "don't own"... And this applies to way more than Apple.
Because they also trust the "real owner", at least in some circumstances, for some purposes, to some degree.
A person with an iPhone has some idea what Apple will do with their data, backed up by some knowledge of Apple's past actions. That includes having some confidence that at least in some circumstances Apple will do what it can to *not* give the data to some of the people who "already know".
If Apple and its phone were just giving stuff up to anybody and everybody, Cellbrite would have no market.
... and, by the way, even if the phone were totally open source from the hardware up, it would still have bugs, so any trust you put in it would still have to be limited and based on probabilities. And it would still be impossible for any human to review all of the code and designs, so some trust in people would also be necessary.
"That includes having some confidence that at least in some circumstances Apple will do what it can to *not* give the data to some of the people who "already know"
As far as I am aware, that forlorn hope is based on no more than a couple of federal cases.
If you manufacture a closed-hardware, closed-software tracking device that is jam-packed with monitors and sensors, it is far-fetched to think that it's not going to be used for tracking, monitoring and sensing.
My device is a 12-year-old android device that was immediately rooted and switched to Cyanogenmod. It runs no apps. I leave it at home most of the time - no point in using it to track me, you can just look up the address for my landline. It only travels with me if I need to call for a lift or a taxi (no apps, I wait for the operator), and for receiving SMS text messages (they don't work on the landline).
I realise 12-year-old Cyanogenmod is probably quite insecure, but it was never a huge target for hackers, because so few people used it. The numbers using it now must be tiny - they might even have to craft a special custom hack just for little old me.
If someone starts marketing a device that they claim is hack-proof, give it at least five years before you invest, and stay up with security blogs like this one in the meantime. At the first sign of a hack, write that device off forever, and wait for the next brick of snake oil.
SUMMARY: If you don't want to be tracked, sensed and monitored, then pulverise the SIM, and then throw that device (along with the SIM powder) in the river. I can't get over people who use these devices, and then fret about security. Shit, INsecurity is designed-in from the hardware upwards.
(A genuine antique Nokia (not one of those new-fangled mock-ups) might cut the mustard, as a pure phone/SMS device; but they can still be tracked via the towers they connect to).
Pure use COTS radio chips, of which there is no more than a handful of manufacturers. R&D for such devices is very expensive. All the ones on the market are closed-hardware, closed-firmware. The prospect of someone (even Pure) developing open radio hardware and firmware is vanishingly slim.
The radio chip is pretty much at the bottom of the hardware stack. If the snoopers can control the radio, you might as well give up now.
What Cellebrite is developed is actually how collection of evidence should be worked.
LEAs/prosecutors should not force for cooperation/twisting hands neither manufacturers of smart phones to crack it encryption/passwords nor user/owner (suspects) to reveal password under pretext of obstruction of justice. Collecting of incriminating evidence and burden on proof in any criminal justice system claimed to be civilized in on LEAs/prosecutors and their forensic units properly equipped with sufficient tools.
Cellebrite does provide the tool to do that properly.
"Neither Apple nor Google immediately responded to a request for comment on Cellebrite's new UFED product announcement.
But Apple at least is expected to release a new version of its mobile operating system, iOS 13, in September, with a beta arriving next month that will likely send Grayshift and Cellebrite both back to the drawing board."
Does that mean we can assume Cellebrite attacks the OS? Anyway,
I think it would be helpful if there was at least a general description of how Cellebrite is doing this.
Regardless, something this powerful must require actual possession of the device.Right?
Cellebrite can’t do what it purports to do if it attacks the OS. The secrets it needs are stored in a separate chip that doesn’t trust the OS. Typically the attacks used by Cellebrite are brute force attacks and their special thing is that they bypass the timeouts enforced by the security chip.
It remains to be seen if this attack works with longer numeric or alphanumeric passcodes because if Apple did their homework correctly brute forcing a longer code takes an extreme amount of computing power.
@Alejandro: Yes, it does require physical access to the device. When an adversary has physical access it's usually game over. However i really think if you have a strong password and the phone is off, there's nothing they can do. After the "initial unlock", who knows ? In theory they can open up the device and extract the keys from memory or something. However many people having weak numeric pins (like their date of birth) it would be trivial to brute force it, regardless of the enforced delay between wrong entries. Their tech is indeed powerful, but i doubt they can just take a locked phone, plug it in and magically extract everything (especially if it's powered down). Their tech also extracts data from unlocked devices or where the password is known, but i don't think this is what the original article refers to.
There is one certainty. No phone, smart or otherwise, means nothing to crack. If you wish to contact me, send me an email. I might get back to you. Even the VA and my bank have come to terms with that!
Regardless of the strength of the password, any phone is vulnerable to "rubber hose cryptography."
Rubber hose cryptography requires as a minimum "fresh meat" and when there is a lot at stake there are ways to age it fast and thus spoil the fun.
Lets assume you have a panic button system on your phone that is voice activated or similar fast method it can br made to act like a "deadman's switch" and destroy the crypto keys on the device.
Then it does not matter how much the $5 wrench gets bounced to tenderise the meat the game is over as no matter what the meat says it will not work unless you know a short cut on brut forcing 128bit AES etc.
The question is can you make a deadman's switch reversable?
To which the answer is yes if the crypto keys are backed up somewhere. To which the next question is can that be done in a way that Government entities can not get at it whilst the key owner can at a later date?
To which the answer is a qualified yes, provided the Government entities are hard limited in some way.
I've discussed this in the past on this blog as have others.
The thing is not to limit your thinking on authentication factors.
With "Something you are", there were jokes about using something other than your fingerprint. However it's quickly obvious that once they have you they have that authentication factor and there is little that you can do to stop them trying every accessable body part. So "Something you are" is in many respects a fairly lousy authentication factor.
With "Something you have" you run into similar problems as "Something you are" they can go through your possessions and follow financial clues to safe-deposit boxes etc. But there is a limit on this if the box is in a jurisdiction that for various reasons choses not to play ball with your Government entities. However as has been seen with Julian Assange, for some people they will spend billions if not trillions of tax payers money for what are very petty reasons so even national governments can be coerced in one way or another. So "Something you have" may not be as strong as required.
Which leaves "Something you know" which in the case of "passwords/phrases" is not immune to the $5 wrench or brain laundry type extraction techniques. However there are other types of "Something you know" which includes the temporal and geographical. That is a "Time and place" for a meeting with "a person you know and trust" etc.
There are other "Something you know" that can be tied in with "Something you are" or "Something you have" that can not be tested by Government entities and torturing you or your loved ones won't help them in the slightest, even if you do tell them.
For instance lets assume you break the crypto keys down into multiple parts and give them to say three people you trust. Each of those persons is in a different jurisdiction not just to you but each other. They can chose to hand over either the genuine share or one of a number of false shares, there is no way of telling from examining the share if it is genuine or false, it's just a binary string etc, thus the key share holders have deniability.
There are other variations some of which do not even involve "fresh meat" that can be tenderised, just "refined sand" that can not be persuaded.
However you would want to be protecting something fairly important to go to such lengths, and thus not having them on your phone or computer in the first place would be a more sensible route to follow.
With all the patterned (sometimes shallow) efforts to unlock people's items and also the (sometimes vain) efforts for some of us to lock our own items, I'm inclined to experiment if it weren't for so much frustration and actual loss.
For example, when password loss occurs, and/or a person gets locked out of their own devices, it can cause the following problems:
1) lots of lost time (obviously) 2) indirect losses due to lost time: - relationship losses (hard work spent away from loved-ones attempting to "fix" a broken system - mental health losses (unresolved anguish when losing non-replaceable original copyrigt works) 3) too much temptation for revenge: (this is BAD, because it opens the doors for) - unnecessary revenge/warfare planning, loss of resources better spent on other things - unnecessary revenge/warfare itself (which comes with built-in extreme losses every time) 4) too much time spent learning the wrong items
OK, sure this may be obvious to many of you, so please hold the rebuttals because this all needs to be stated again and again since malevolence-style hacking is still with us, even when it's accidental.
Aren't we now glad that we had this review ?
P.S.-Anybody still pathILLogically seeking my passwords, you can have a few. Either you already had these, or you needed these for some embedded archives. Either way, have fun trying to be me. Now that these are posted here, whomever has many of these exact passphrases will look guilty. And maybe they should, if they indeed hacked me maliciously.
Caveat, there exists somewhere in the world, one guy who I deliberately gave a bunch of my stuff to; he alone would inherently be innocent most likely because I handed him my hard drives and maybe a few flash drives in person. I wasn't even flinching about potentially embarrassing personal files. If the act helped buy me some time away from the extremely curious, it was worth it.