Because there's an option (yes, I know, it's not mandatory) that will erase your phone after 10 failed attempts.

Which is probably done by some code in the device's ROM. So if the device manufacturer can change this code by knowing the DFU software install key...
 
The 8 digit is also alphanumeric. Far, far, far more than 8 months.

Actually, when you select a long password that consists of only digits you get a numberpad entry (same as regular PIN plus an 'OK' button so that the number of digits is unknown). I think that changed in iOS6 because in iOS5 you got the whole alphanumeric keyboard.

Anyway, I have that plus the wipe-on-10-attempts setting so hopefully a random person won't get access to my stuff.
 
Well they do store your password...

Assuming their database architects weren't grossly negligent, they have a one-way hash of each user's password. Not the password itself. I wouldn't be surprised if they have ways to backdoor your data, but it wouldn't be via entering your literal password nor could they provide your literal password.
 
I thought ifunbox gave access to the filesystem of a locked ios device. I must be mistaken.

iFunBox only has access to an iOS device if the device has been authenticated with the computer. If you lock an iOS device and connect it to a computer that it has never been connected to before, the computer and iFunBox would not be able to view its contents. This includes the camera roll. Once the device's passcode has been entered and the device is unlocked and connected to a computer, it is authorized to always present its contents to the computer.
 
Assuming their database architects weren't grossly negligent, they have a one-way hash of each user's password. Not the password itself. I wouldn't be surprised if they have ways to backdoor your data, but it wouldn't be via entering your literal password nor could they provide your literal password.

There is a white paper by Apple describing how it works.

First, there is the "real" decryption key, which is 16 random hexadecimal digits.

Second, there is the master key, which is also 16 random hexadecimal digits. The "real" key is only ever stored encrypted with the master key. To erase an encrypted drive, the only thing Apple needs to do is erase the location where the encrypted "real" key is stored (I think it is stored in two locations in case of a read error on the first location). Once that location is erased, there's nothing that can be done, even if you have the master key.

On MacOS X, when you use encryption, you have the choice of sending the master key to Apple who can return it to you if you answer three security questions, or writing it down and keeping it forever in a safe place.

The "master" key is stored encrypted with the user's password. So if someone can guess the user's password, the master key can be recovered. Of course it is possible to try out all possible user passwords until one works. But the master key is encrypted in such a way that decrypting it takes about a tenth of a second, so only ten user passwords can be tried per second. I'd say ten random digits and letters is quite unbreakable.

An interesting situation if you have multiple users on a Mac: User 1 stores the master key, encrypted with user 1's password. User 2 stores the master key, encrypted with user 2's password. So two users on the same Mac can have different passwords.
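The key hierarchy described in the post above (a data key wrapped by a master key, the master key wrapped once per user under a slow password-derived key, erasure by discarding the wrapped data key), as an added example that is not part of the original post and is not Apple's code. The 32-byte keys, the PBKDF2 iteration count, the function names and the HMAC-based wrap are assumptions chosen to stay within the Python standard library; a production system would use AES key wrap or an AEAD instead.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; tune so one derivation costs ~0.1 s

def derive_kek(password, salt):
    """Slow, salted derivation of a key-encryption key from a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def wrap(key, kek):
    """Stand-in for AES key wrap: PRF keystream XOR plus an HMAC tag.
    Each KEK here wraps exactly one 32-byte key, so the pad is never reused."""
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    return ct + hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()

def unwrap(blob, kek):
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def create_volume(users):
    """users: name -> password. Returns (stored metadata, data key)."""
    real, master = secrets.token_bytes(32), secrets.token_bytes(32)
    vol = {"wrapped_real": wrap(real, master), "users": {}}
    for name, password in users.items():
        salt = secrets.token_bytes(16)  # per-user salt, so per-user KEK
        vol["users"][name] = (salt, wrap(master, derive_kek(password, salt)))
    return vol, real  # the data key is returned only so callers can compare

def unlock(vol, name, password):
    salt, blob = vol["users"][name]
    master = unwrap(blob, derive_kek(password, salt))  # fails on a bad password
    if vol["wrapped_real"] is None:
        raise ValueError("volume erased: wrapped data key is gone")
    return unwrap(vol["wrapped_real"], master)

def crypto_erase(vol):
    """Discard the only stored copy of the wrapped data key."""
    vol["wrapped_real"] = None
```

Every password guess has to pay the full `derive_kek` cost, which is what limits the guess rate, and after `crypto_erase` even a correct password recovers only the master key, with nothing left for it to unwrap.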
 
There's no backdoor. They're just brute-force cracking the cryptographic hash of your 4 digit pin code, only 10k permutations. Want to REALLY protect your iPhone, then set a much longer password, which is annoying to have to type in all the time you access your iPhone. Alternatively, wait for the fingerprint reader in the iPhone 5S.
 
Remember you can set your iPhone to erase all data after 10 failed attempts at the passcode, including the 4-digit one.
 
Remember you can set your iPhone to erase all data after 10 failed attempts at the passcode, including the 4-digit one.

The 10 failed attempts thing is only done at the OS software level, won't work if you extract the raw cryptographic hash, you can make all the attempts you want.
 
There's no backdoor. They're just brute-force cracking the cryptographic hash of your 4 digit pin code, only 10k permutations. Want to REALLY protect your iPhone, then set a much longer password, which is annoying to have to type in all the time you access your iPhone. Alternatively, wait for the fingerprint reader in the iPhone 5S.

That is incorrect. They simply remove the password. I've worked in computer forensics for over 6 years and worked with Apple many times in investigations.

----------

Source? It uses AES128 if I'm not mistaken.

Source would be personally being in some of the labs and witnessing it during active investigations.
 
I saw a video on YouTube by a 13 year old kid who can hack into an iPhone, law enforcement should seek him out to bypass the backlog.
 
Source would be personally being in some of the labs and witnessing it during active investigations.

Ok, assumingly it's not AES128 itself that is defeated then, as that would be somewhat of a breakthrough afaik.

Was this before FileVault was used on the entire disk, not just the home catalog btw? If I remember correctly some loopholes existed with that scheme.
 
I think the media is missing the boat by not posting the correct headline.
Fox News comes to mind and get it on Rush Limbaugh and Sean Hannity:

Apple refuses to help police and government in murder case.

That should help cutting through the 7 week backlog.

Now we're talking!
 
Of course there is a security hole if you have a four digit passcode.

Try 0 0 0 0.
Try 0 0 0 1.
Try 0 0 0 2.

and so on.

Try 0 0 0 3.
Try 0 0 0 4.
Try 0 0 0 5.
Try 0 0 0 6.
Try 0 0 0 7.
Try 0 0 0 8.
Try 0 0 0 9.
Try 0 0 1 0.

All data on iOS device is erased.

Not a great method!
 
Well they do store your password...

They store your encryption key if you okay it.

They better not be storing my local passwords on their servers. (not talking about my apple ID that I DON'T use the same password elsewhere)
 
ATF agents are the least scrupulous people with the most incentive to ruin your life for their own gain out running around carte blanche.

I'd sooner put my devices in a microwave or set my car on fire before I'd give them anything to play around with. I'd much rather explain to a judge why I have no trust in their "authority", and why I'd sooner see them getting shot up in whichever third-world hellhole they spend all day fantasizing they're in, than cooperate with their BS-wrangling schemes ever again.

I'd like to see Apple respect its customers' privacy instead, and tell these pumped-up idiots that if they want customers' data they'll have to get it from the customer, and anything they can't get, they can't get.

Apple should not become a corporate extension of the penal system, especially not such a corrupt one.
 
So the lesson is - Make sure someone else has access to your iCloud, and have them remote wipe as soon as the cuffs are on. I'm not sure if it's 100% effective though, or if it's like hard drives, and can be recovered.
 