Data Extraction Company Cellebrite Touts New Software for Cracking iPhones and iPads Running up to iOS 12.3

[riverfreak]

As long as Apple continues to have bugs that allow people to break in, how can Apple claim the high ground with regard to privacy. At the end of the day, it does not matter whether its a bug (in Apple's case) or a feature (in Google's case) it still puts our devices at risk.

As long as humans write software, there will be bugs. And some of those bugs will be features.

 

[jweinraub]

Since I use an actual password to unlock my phone, would my phone be safer from these forensic tools? How much data can be transferred while the phone remains locked?

 

[riverfreak]

That's not quite true. An 8 digit numeric passcode has a fixed number of possibilities (100K), whether or not numbers are duplicated.

Now, what is true behaviorally is some are very unlikely to be chosen, and others more likely; it's like the lottery where fewer people would pick 123456 since they think that will never come up but it's just as likely as any other 6 digit number.

It's all about what people think and how that influences behavior; especially to make passcodes easy to remember. For example, a passcode all of the same digit may be more likely than a random set since such a passcode is easy to remember; or some combination of the 4 corners for a 4 digit code. In my own anecdotal experience, I worked for a company that made you change your pw every 3 months and not reuse one of last 6. They didn't however, prevent you from resetting the password 7 times in a row; thus one really never needed a new password.
[doublepost=1560776611][/doublepost]

The difference is in how companies respond. Appe appeaers to attempt to block exploits after they are discovered; otehr companies not so much so.

An 8 digit numeric passcode has 10^8 possibilities, not 100k.

I believe the suggestion that it was okay to use repeating numbers in a long(er) passcode was a way to overcome people’s reticence about remembering/typing something long.

At the end of the day, most security breaches take advantage not of intelligence or lack thereof; everyone knows to use a “strong password”. They exploit laziness.

 

[jlc1978]

An 8 digit numeric passcode has 10^8 possibilities, not 100k.

Correct. It was a typo when I tried to shorten the number. Should have just written 10C8 I've corrected it. Thanks

I believe the suggestion that it was okay to use repeating numbers in a long(er) passcode was a way to overcome people’s reticence about remembering/typing something long.

Perhaps that was the OP's intent, but was not what it said, at least not how I interpreted it.

At the end of the day, most security breaches take advantage not of intelligence or lack thereof; everyone knows to use a “strong password”. They exploit laziness.

Very true. No one likes to have to remember a strong password.

 

[AdonisSMU]

As long as companies continue to find ways to break into devices, there is no need for legislation requiring manufacturers to provide law enforcement with back doors.

That isnt a need. People need the freedom to be whatever they are going to be and snooping in on conversations is a quick way to get a ton of false positives. The government is going to far with crime prevention efforts and we all know its going to be totally abused. Privacy protects everyone from unwarranted government behavior.

 

[ThunderSkunk]

I hope it’s worth it to them, because the cost this tech comes at is far greater than the price tag.

 

[pika2000]

I hope it’s worth it to them, because the cost this tech comes at is far greater than the price tag.

Their buyers are governments, and governments don't pay too much attention to cost since the taxpayers are the ones paying for it.
[doublepost=1560780498][/doublepost]

An 8 digit numeric passcode has 10^8 possibilities, not 100k.

I believe the suggestion that it was okay to use repeating numbers in a long(er) passcode was a way to overcome people’s reticence about remembering/typing something long.

At the end of the day, most security breaches take advantage not of intelligence or lack thereof; everyone knows to use a “strong password”. They exploit laziness.

And social engineering. Most "hacks" today are done through scams and phissing where users are providing their own credentials, not actual hacking.

 

[BGPL]

Every time there's a thread for cracking iOS devices, I get a good laugh. So many people think the government cares enough about them to want to get on their phone. I see similar behavior in schizophrenics. If you're not doing extraordinarily illegal activity, you could have a flip phone from 2001 and your personal data would be safe from any government.

Unless one of you was the San Bernardino shooter, no one cares. Does anyone fall into that category? Didn't think so.

You may now return to your government conspiracy theories and delusions and grandeur.

 

[Rorosbutt]

That’s great. I’m on 12.3.1

 

[dontwalkhand]

It’s funny because Apple Stores use Cellebrite machines to transfer data from device to device. I don’t think they use them much anymore, but stores definitely have them.

I still see them being used daily, they just keep them in drawers because, Aesthetic.

 

[newyorksole]

I still see them being used daily, they just keep them in drawers because, Aesthetic.

Yeah they’re bulky and ugly. Only thing they really match with are those LG Ultrafine Displays haha.

 

[stylinexpat]

Now what if it were China,Russia,Iran or North Korea doing this? Anyone reckon sanctions would have been applied? Apple most likely has a spy or mole working for them. Employees probably need better security clearances and background checks. I think it is not just China stealing tech and info from American companies. Either that or we got one amazing hacker on hand that can literally pull a bunny out of their ass when asked to do so.

 

[iBluetooth]

That’s great. I’m on 12.3.1

But, have you updated to 6 digit passcode?

 

[steve62388]

I bet they have a mole inside Apple.

Why would they need one?
[doublepost=1560785975][/doublepost]

it's like the lottery where fewer people would pick 123456 since they think that will never come up but it's just as likely as any other 6 digit number.

Nope. Loads of people pick series of numbers like that in lotteries. They would be a bad choice, you will end up sharing your winnings with lots of people.

https://www.theguardian.com/uk-news...tery-numbers-20-years-katie-price-win-jackpot

 

[alleggerita]

Not fake, but not what Apple claims either.

For example, they claim to be very privacy minded. For example, your data in iCloud is encrypted. This encryption has keys that only Apple has, but that you as the owner cannot control. So this encryption is for marketing only. At the end of the day, Apple, NSA, FBI, criminals, and any other government agency that wants to forge up a court order to look at anything they want.

The technology exists, and has for years, to allow users full control of the encryption on iCould. But Apple has not implemented it. Why? Because it is an additional cost and Apple's marketing is working right now without it. Most people believe Apple's marketing and would never question the company.

The result is that we get fantastic claims and mediocre delivery. Now I agree that Apple's delivery is better than the alternatives, but that does not mean that we, as users, should not be demanding more. We need to force Apple to live up to its marketing claims.

You might want to find out more about iCloud end-to-end encryption. As the name “end-to-end” suggests, you’re the only one holding the encryption key, not even Apple has it. So only you have access to all your iCloud data. You said “the encryption has keys that only Apple has”, I think you got that confused with “the encryption has keys that only YOU have”.

 

[steve62388]

Since I use an actual password to unlock my phone, would my phone be safer from these forensic tools? How much data can be transferred while the phone remains locked?

It depends on what method they use. If it’s some sort of brute forcing the password and your password is strong enough then you’re safe. But it could be an unknown exploit which completely bypasses the password. We just don’t know.
[doublepost=1560786681][/doublepost]

You might want to find out more about iCloud end-to-end encryption. As the name “end-to-end” suggests, you’re the only one holding the encryption key, not even Apple has it. So only you have access to all your iCloud data. You said “the encryption has keys that only Apple has”, I think you got that confused with “the encryption has keys that only YOU have”.

There are a number of apps which don’t use end to end.

https://support.apple.com/en-us/HT202303

 

[miniyou64]

Every time there's a thread for cracking iOS devices, I get a good laugh. So many people think the government cares enough about them to want to get on their phone. I see similar behavior in schizophrenics. If you're not doing extraordinarily illegal activity, you could have a flip phone from 2001 and your personal data would be safe from any government.

Unless one of you was the San Bernardino shooter, no one cares. Does anyone fall into that category? Didn't think so.

You may now return to your government conspiracy theories and delusions and grandeur.

Thank you for touting your ignorance. If you ever are unlucky enough to be falsely accused of a crime, I’m sure you’ll change your tune... quickly

This has everything to do with potential and what an overreaching government is able to do

 

[citysnaps]

The problem is that with a closed system like Apple, we really don't know if it was a bug or a feature. The FBI really backed off Apple and that is not like the government, unless they have negotiated something else in private.

This dance could go on forever, "Ops here is another bug (we won't tell what exactly it was, but we fixed it)". Then wash and repeat for the next Apple NSA feature that gets exposed.

Apple seems to have better security, but after all Apple is also the best marketing company and prefers marketing over real technology, so we really don't know do we?

"The FBI really backed off Apple and that is not like the government, unless they have negotiated something else in private."

So... since you have zero evidence, just stir up a big bowl of FUD and post some fake news?



"but after all Apple is also the best marketing company and prefers marketing over real technology,"

Apple's phones, computers, watches, etc are not real technology? Kind of hilarious coming right after the introduction of the new Mac Pro and Pro HDR display.

 

[alleggerita]

It depends on what method they use. If it’s some sort of brute forcing the password and your password is strong enough then you’re safe. But it could be an unknown exploit which completely bypasses the password. We just don’t know.
[doublepost=1560786681][/doublepost]

There are a number of apps which don’t use end to end.

https://support.apple.com/en-us/HT202303

Apps or websites that do not support end-to-end are only that 3 listed there. I think most importantly is our iCloud backup, which is end-to-end.

 

[MisterSavage]

There's no such thing as "bug free software", and there's no such thing as "100% secure" software. Security is, and always will be a game of cat and mouse and there's no way around it.

Exactly! Even the most well written software with the best of intentions can have unintended errors that people can exploit.

 

[jlc1978]

Why would they need one?
[doublepost=1560785975][/doublepost]

Nope. Loads of people pick series of numbers like that in lotteries. They would be a bad choice, you will end up sharing your winnings with lots of people.

https://www.theguardian.com/uk-news...tery-numbers-20-years-katie-price-win-jackpot

Fair enough, but the broader question is how many people pick other combinations and how often. My point, however, was most people would not expect a sequence to show up with the same probability as a random set. 123456 may have been a bad example, I could have said 7 8 9 10 11 12; so a more interesting analysis would be out of the total number of potential numeric sequences how often does a numerical sequence get picked? How often do the current date get picked?

My main point is most people do not understand probability and thus often make irrational choices. A common example is a homework assignment to flip a coin 500 times. Most people won't do that and simply mark heads or tails but won't do a long string of heads or tails or repeat pattern because they just don't think that will happen when in fact you'd expect that in random coin tosses.
[doublepost=1560788482][/doublepost]

Thank you for touting your ignorance. If you ever are unlucky enough to be falsely accused of a crime, I’m sure you’ll change your tune... quickly

This has everything to do with potential and what an overreaching government is able to do

Good points. A friend who is a prosecutor once told me he could charge anyone with conspiracy with a string evidence, even if every individual piece was innocent of any criminal intent; his point being protections are important to shield people from those who would abuse the system, even if he wouldn't.

 

[Sodium Chloride]

It doesn’t matter. All they need to do is pointing your iPhone to your face.

 

[NickName99]

A software update will come out before long that will once again render that expensive hacking tool worthless. Risky business model.

 

[steve62388]

It doesn’t matter. All they need to do is pointing your iPhone to your face.

If you’re in a jurisdiction which would consider that an illegal search anything they find would be inadmissible.

 

[MacBH928]

How come Israelis are really good at cracking code?
It seems like all the security breaching software is coming from over there.