Apple Can Unlock iOS 8 Without User Permission

Discussion in 'iOS 8' started by jevan28, Sep 27, 2014.

Thread Status:
Not open for further replies.
  1. jevan28, Sep 27, 2014
    Last edited: Sep 27, 2014

    jevan28 macrumors newbie

    Joined:
    Sep 27, 2014
    #1
    According to statements made by Apple, devices running iOS 8 prevent Apple from extracting your private information (citation below). This unfortunately is not true is much as we'd like it to be.

    The program that controls your passcode from being viewable by Apple is no different than the program that allows you to browse Internet pages. It can be updated. The program inside iOS 8 that does updates has root (administrative power). That means it can modify, replace, delete ANY software on your device. A simple request by the party that wants the information on your phone would simple replace the existing program that make the key inaccessible with a code that makes it accessible.

    The recent claims of the FBI saying this is travesty seems to be either buffoons that don't understand their technology or a charade creating a sense of false security.

    As far as Apple goes, this is a total embarassment to programmers who see right through your false claims of security.

    Apple will see their sells decline to goverments by propagating a false sense of security, instead of making the phones truley resistant against privacy attacks.

    The true solution lies in a second motherboard added to the device that boots a tiny read only os live that runs only the app meant to communicate with the internet. A standalone packet encryption card would take the data and send it to a network card. A preshared key would ensure no middle man attacks. The separated security motherboard stops all sniffing from the main motherboard. No other apps loaded in the mini live os give it the running app a true hardware sandbox, not just a vunerable software one. The live os would need international security audits, meaning if multiple goverments use it, then your have the highest level of security. If only the American gov uses it, it's not. The live os could firewall all connections an app trys to make to the internet, asking for permission first, stopping malicious apps from leaking from peer to peer encrypted communication. Banking would finally become safe online. Anyway, Apple is far from protecting their users.

    source: http://www.washingtonpost.com/busin...12af58-3ed2-11e4-b03f-de718edeb92f_story.html
     
  2. Wayfarer macrumors 65816

    Wayfarer

    Joined:
    Jun 15, 2007
    #2
    Yay privacy-gate! I wonder what kind of wonderful information they can access.
     
  3. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #3
    How does someone replace the program that controls the pass code, lockdownd, without the program being signed by Apple? Then there's the problem of getting the modified lockdownd onto a locked device without wiping everything on the device. How is that done? lockdownd is quite different than MobileSafari in what they can access and do.
     
  4. PNutts macrumors 601

    PNutts

    Joined:
    Jul 24, 2008
    Location:
    Pacific Northwest, US
    #4
    I didn't see anything about insecure phones in the article so I guess you're making it all up?
     
  5. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #5
    People are really digging to find something (even when there isn't necessarily anything to find).
     
  6. Yun0 macrumors 65816

    Yun0

    Joined:
    Jun 12, 2013
    Location:
    Winnipeg, Canada
    #6
    i wonder what its like to be tim cook, in charge of one of the richest companies on the planet & always having someone try to get some dirt on them just because

    if anything android is worse for this privacy thing, just look at all that tasty malware & viruses, yum yum
     
  7. WolfSnap macrumors 6502a

    WolfSnap

    Joined:
    Sep 18, 2012
    Location:
    SoCal
    #7
    In order to update the software, you need to input the passcode.

    in DFU mode, the filesystem is encrypted and not unlocked. You can delete the container, but, that's it.

    Explain to me how I can get root level access to replace system protected files without having root level access?
     
  8. jevan28 thread starter macrumors newbie

    Joined:
    Sep 27, 2014
    #8
    The US Goverment can force Apple to covertly sign the replacement, therefore creating a false sense of security with present claims.

    The US Goverment legally is allowed to covertly create backdoors in any American comminucation product. This backdoor could easily usurp any signing process and Apple would be forbidden by law to speak of it. Read about NDAA if you think talking would be a smart idea, because such a backdoor is targeted at terrorists and if you interfere with terrorist investigations (which require no proof) you aid and abed them and NDAA says you can disappear without trial.

    It would be better for Apple to actually make it truely impossible, which requires a hardware solution For example, the passcode program would run on it's own mini-motherboard being it's own root. The passcode device would only encrypt and decrypt and could not be sent commands by the motherboard of the phone (impossible to update). As long as there is a root program that overpowers the passcode program, no one is safe.

    In light of the real dangers of spyware, privacy is obviously becoming more and more important to international governments and consumers. America needs more exports to slow down debt. Govermentally forced insecure products will increase our debt by destroying potential sales.

    I want to see a real Fourth Ammendment Privacy Checkmate with Apple's products. When Apple does that I offer you this tv ad:

    Fade In.

    Angled in on a chess board with black and white pieces on a black and white checkered board. White knight moves into checkmate on black king.

    Fade out.

    Black Screen in White Font:
    To be owned,
    or not to be owned.
    That is the question.

    Fade Out.

    Fade In.

    Now we see a the new iPhone that can't have a signed key by Apple that replaces the passcode program with a governemnt spyware one, because you realize it's not a software solution, it's a hardware solution!

    Apple has failed to accomplish the security they claim they now have in protecting users phones. To get a better product, we must call them out on this one.
     
  9. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #9
    While they may be able to force Apple to sign it, how does the modified lockdownd get onto the device?
     
  10. elistan macrumors 6502a

    Joined:
    Jun 30, 2007
    Location:
    Denver/Boulder, CO
    #10
    You mean like the "secure enclave" hardware solution Apple introduced with the 5S?

    http://www.macrumors.com/2014/02/26/touch-id-secure-enclave-document/

    But of course, your impossible to update hardware solution could have its own back door in turn... how far down the turtle stack do you want to go?
     
  11. jevan28 thread starter macrumors newbie

    Joined:
    Sep 27, 2014
    #11
    Assuming there is no backdoor, the passcode program could not be replaced without putting in your passcode. My point is that Apple could be forced to replace it covertly during a update, after you've put in your passcode.

    While you are up and running, root will always be a threat because root usurps anything and if don't know the exploit planted, you are owned.

    One solution: The passcode program runs on it's own separate hardware, aka an encryption card. It will handle all encryption and decryption hiding it from iOS 8 root. This should be a tiny pluggable usb device allowing users to throw out the goverment spyware encryption cards. Non-American manufacturers who know security and privacy will drive their sells. Even in the case of covertly forced backdoor in iOS 8, the card would destory it's effectiveness.

    Checkmate government spooks!
     
  12. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #12
    You're overlooking that iOS cannot be accessed, not matter what, when a passcode is set and the device is connected to an untrusted computer. That ability is completely within mobile's command. root can't do anything about that but ask mobile to allow it, mobile in turn asks the end user. If the end user doesn't accept it with a popup, mobile rejects the pairing leaving root without the ability to be accessed via USB.
     
  13. jevan28 thread starter macrumors newbie

    Joined:
    Sep 27, 2014
    #13
    Internalltionally audited encryption cards that are approved by goverments would have the highest level of trust. They are the simplest thing to audit. They just encypt/decrypt. That's all they need to do. Try auditing iOS 8. It would take years and by the end of the audit it would be obsolete and the new version would exist.

    The turtle stacks ends with a international audit of something an Arduino 101 student could accomplish as their term project. When you know Germany uses it, Russia uses it, China uses it, well, we're done here...
     
  14. XboxMySocks macrumors 68020

    XboxMySocks

    Joined:
    Oct 25, 2009
    #14
    Its funny because you are completely right. To be able to modify lockdownd on a stock iOS device, remotely mould be an incredible feat.

    The password is encrypted by a 256AES which is assisted in its randomness by the time of day, steps you have taken, data available on the phone, etc (basically RNG) AND your UDID. This would literally be an amazing feat to crack once, never mind for every device you want.
     
  15. ScottishDuck macrumors 6502a

    ScottishDuck

    Joined:
    Feb 17, 2010
    Location:
    Argyll, Scotland
    #15
    I'd suggest OP only comment on matters that they actually understand instead of making Alex Jones level baseless accusations.
     
  16. jevan28 thread starter macrumors newbie

    Joined:
    Sep 27, 2014
    #16
    You are talking about software rules. Software rules can be covertly change when the password is entered, becuase goverment can own your root due to their authority. To really be safe with the present situation: (1) you have to assume no privacy breaches exist. (2) And never enter your passcode for an update. I wouldn't call that security.

    Passcode software solutions asks the user to trust they are protected.

    Hardware solutions ensure the users knows they are protected. The OS would not have access to the devices key! The OS ask for a partion table from the encryption card. The OS could then ask for any file. The encryption card decrypts the file before it arrives to the OS. The OS has no direct connection to the drive, it cannot see the encrypted files and therefore could not try brute force attacks by comparing the result of encrypted files.

    ----------

    Sir, an insult is not a valid argument. It just an indication of your laziness to make a proper argument.

    If you have something intelligent to add, let's hear your argument on how root having control of the passcode process (iOS 8 and all existing operating systems) is better than...

    a hardware device that controls the passcode process and that hides the encryption from root.

    Hardware vs. Software.

    Let me give you a hint, the hard science wins.
     
  17. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #17
    Governments can't do anything without Apple's cooperation. Apple would have to release an update for everyone in order for a single end user to install in. It is not possible for Apple to release a single OTA update or iTunes update for one end user. If it was, the resulting update would have a backdoor into every iOS device running that version. This would lead to very bad PR for Apple and cause more problems with other nation's security concerns. Your statements about a hardware solution is very similar, if not identical, to what iOS 8 already does. The encryption keys are not on the device, only part of them are. The last part is the passcode, the hardware key. When it is entered and entangled with the rest of the encryption key, the device decrypts the userland partition for access by USB. I suggest you read the whitepaper on the subject. It's a very lovely read. You can find it here: https://ssl.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf
     
  18. jevan28 thread starter macrumors newbie

    Joined:
    Sep 27, 2014
    #18
    You're missing the point just like the others. You are assuming the changes are being made without permission. The changes would be made covertly after you enter the passcode. Apple could not tell you this was being done by law. Again, the encryption cannot be done in the OS, that's threat. A separate device uncontrolled by the OS would take that exploit of the goverment away.

    The same mistake is made by those who trust the https, ssl. They brag about the mathematics of the encryption, but encryption is not weakest link, it's how it's used. The handshake makes it owneable by the middle man. Same in this situation. The best encryption is useless if root can covertly change your passcode security through goverment order, leaving an exploit that the highest bidder or best hackers can use as a backdoor to your phone as well.
     
  19. jevan28 thread starter macrumors newbie

    Joined:
    Sep 27, 2014
    #19
    Apple is does not have authority over govement, government has authority over Apple. So, you are wrong. Goverment can tell Apple to shut up and they will follow orders. That means you don't get to talk about a back door. It's publically made obvioius in legislation, Ok?

    Yes, an update can be made for a single user, because a single user can make an update. The concept of spoofing is not new and applies to updates and key signing.

    Apple has no separate encryption card, so you're wrong. My hardware solution is nothing like Apples. Apples solution is owned by root. My solution is not owned by root and the update process.

    Let me offer another slogan?

    Fade In

    Black Background, White Letters:
    Is your encryption owned by root?
    Fade to black.

    Fade in.
    Then your owned.

    Fade out.

    Fade in.

    The internationally audited encryption card spinning in darkness with the cool reflective shiny surface.

    Fade out.

    Black Background, White Letters:

    Don't Be Owned.
     
  20. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #20
    You appear to be determined to have your views as being correct, regardless of their accuracy or inaccuracy. With this, I leave this thread and hope you are able to come to turns with your current state and the future of this world.
     
  21. nickdylan macrumors regular

    Joined:
    Mar 17, 2012
    #21
    Who even cares? I want my phone to be secure on the off chance it gets stolen. Yes, OF COURSE the government of the wealthiest country in the world has the resources to get into your locked iPhone. Why on earth would you think at any point that they wouldn't? Guess you'd better stay on their good side :p
     
  22. dannyyankou macrumors 604

    dannyyankou

    Joined:
    Mar 2, 2012
    #22
    This thread is a waste of Internet bandwidth.

    *fades out*
     
  23. I7guy macrumors G5

    Joined:
    Nov 30, 2013
    Location:
    Looking at Central Park@550 feet
    #23
    This. If the government wants access they can get it. Having said that, the more difficult apple makes it, the happier I am.
     
  24. X-X macrumors 6502

    Joined:
    Aug 22, 2014
    #24
    Actually the USA is only the 5th wealthiest country in the world.
     
  25. cjmillsnun, Sep 28, 2014
    Last edited: Sep 28, 2014

    cjmillsnun macrumors 68020

    Joined:
    Aug 28, 2009
    #25
    1. Why would Tim Cook openly and brazenly lie about it? He wouldn't. If the product could be unlocked without user permission, he would've just kept his mouth shut. It avoids embarrassment later. Especially with all the paranoia going around.

    2. Hi Alex. How is infowars? Still selling gold at vastly inflated prices with Ted Anderson?

    3. You can't push out an update to an individual. Other people using the same equipment would receive it.

    4. If a government wants to see your internet browsing (with the exception of SSL) all they need to is ask your cellular and home internet providers. The know it all.

    5. WASTELAND

    6. The OP registered this month... Do I smell a troll? Yes I do. Guess what. His/her only posts are to this thread!

    ----------

    Anything approved by governments by default loses your argument, because you're talking about Apple unlocking your device through a government request.

    Definitely a troll. Definitely a thread for wasteland.
     
Thread Status:
Not open for further replies.

Share This Page