This doesn't surprise me. I think we'd all be naive to think the iPhone is 100% safe from hacking, and I was very surprised the FBI failed to gain access already. Part of me thinks, they always knew they could do it without Apple's help but took this opportunity to fuel a political agenda, and use terrorism as a way to turn the public against the technology companies and data encryption.
That's exactly what happened.

The FBI saw that they had a chance of losing the public support, so they went to do what they should have in the first place.

Keep in mind the level of work that Cellebrite is going to have to put in here is staggering. Clean rooms, decapping chips without breaking traces, etc. This is high precision work needed that no random thief is ever going to be able to replicate.
 
As I said a while back.

What would be safer for everyone?

Apple, under their own total control accessing the data themselves and presenting just the data to the FBI.

Or some third party team working out how to access data on iPhones?

If we presume SOME 3rd party will be able to recover data at some point in time, which of the two scenarios do you feel would be preferable ?

If a third party finds a method of hacking in.... then it clues Apple in to the existence of a vulnerability... and they can try to fix it. If they did it themselves... this vulnerability would in fact still exist, they just may or may not discover it as soon. So while I understand the point you are trying to make... I don't think I agree with your conclusion.
 
The fact that the FBI is willing to use these extreme measures shows how little luck they will actually have.

I have no idea why you consider this extreme or believe they will have little luck. The FBI wanted a test case for forcing a backdoor that they believed would have public support. The phone of a dead terrorist that killed a bunch of people is about as good as they are going to find. They then found out it wasn't quite as smooth sailing as they had hoped. They don't want to look bad by saying "oops, we could have done this ourselves the whole time". So it arguably looks better to the public if they use a third party firm. (Arguably the FBI would also like to downplay to the public what their capabilities actually are.) And as someone else mentioned, a foreign company can sometimes be easier from a legal standpoint.
 
The feds assume that the shooter (or the company that he worked for) didn't create and install a Configuration Profile which changes the number of passcode attempts before the device automatically wipes itself?! If they assume the default of 10, and restore the NAND after each tranche of 9 attempts, they could brick it after say 5 goes!

Once they get in the phone, all they will find are angry birds high scores.
 
This isn't a backdoor, it is an attack. It is an exploit of the design. And it is already closed in newer hardware. This particular attack (replay attack) is doable because the 5c doesn't guard against the NAND being reverted back to a previous state. In iPhones with a Secure Enclave, there is an anti-replay counter that is kept only on the Enclave's SoC specifically to combat this particular attack, since reverting the NAND doesn't buy you any new attempts, and you can't just flash the Enclave with any old data you want, or even read what is there. And worse, you need the Enclave's unique key to calculate the filesystem encryption keys. The CPU itself doesn't have the ability to do it anymore (its unique key is different).

Now, if you find a vulnerability in the Enclave to let you take it over, then you can bypass it. But that is actually more difficult than this particular attack. The Enclave is separate from the CPU. It only communicates over a small protocol at the kernel level. And while the firmware is updatable, it again must be signed. So your best bet there is to get Apple's signing key again.
AFAIK what you're addressing is completely speculation. I haven't seen anything verifying Cellebrite is using a replay attack or de-capping. I've seen tons of people saying that those are two possible methods. Maybe you've seen something definitive. To assume a replay attack is being used, minus any supporting evidence, is a bit presumptuous. Building a narrative about the security of the Enclave based on that presumption doesn't make sense without evidence.

To my knowledge we don't know 1) the method being used, and 2) how it will impact the security of current and future iOS builds. Until we know the method we can't say one way or the other.
 
This doesn't surprise me. I think we'd all be naive to think the iPhone is 100% safe from hacking, and I was very surprised the FBI failed to gain access already. Part of me thinks, they always knew they could do it without Apple's help but took this opportunity to fuel a political agenda, and use terrorism as a way to turn the public against the technology companies and data encryption.

Very good point you've made there, and as time moves on you will almost certainly be proved correct.
 
This is the sort of innovation that the FBI should've been able to come up with on their own in the first place though. It's really a shame that our own people lack the imagination to do things properly.

Apparently the FBI never bothered to ask NSA for help. And they went very public with this whole affair, which destroys any tactical advantage for surveilling/cracking other terrorist iPhones, because now (assuming this Cellebrite process works) they'll just use some other methods. If it had been kept quiet the agencies would hold the advantage.
 
Gonna seem awfully silly when they find nothing but dick picks and Angry Birds

Funny...but at this point the FBI will never admit to what was on that phone. People have told them that nothing will be on the phone, as it was the work phone owned by the county. I'm pretty sure even the FBI was smart enough to figure that out. They were solely using this as a legal precedent to force Apple to their knees and to succumb to government pressure. Pretty sure the FBI doesn't give two poops as to what is on the phone. The attack is over and the perps are dead.
 
That's exactly what happened.

The FBI saw that they had a chance of losing the public support, so they went to do what they should have in the first place.

Keep in mind the level of work that Cellebrite is going to have to put in here is staggering. Clean rooms, decapping chips without breaking traces, etc. This is high precision work needed that no random thief is ever going to be able to replicate.

Is 'decapping chips without breaking traces' a process needed because all data would be lost once certain hardware is removed? And hardware will need to be removed to get at the data?
cheers
 
Funny...but at this point the FBI will never admit to what was on that phone. People have told them that nothing will be on the phone, as it was the work phone owned by the county. I'm pretty sure even the FBI was smart enough to figure that out. They were solely using this as a legal precedent to force Apple to their knees and to succumb to government pressure. Pretty sure the FBI doesn't give two poops as to what is on the phone. The attack is over and the perps are dead.
Odd right? The telecom company already has all the metadata the FBI needs to figure out who that phone was contacting.

Now, call me crazy, but you'd think the two personal phones the attacker destroyed would be the really important thing here....but they already know who all these phones have contacted.

America is in the final stages of setting up its own security/police state, and these blatant lies are bringing it to at least some of the public's attention.
 
Is 'decapping chips without breaking traces' a process needed because all data would be lost once certain hardware is removed? And hardware will need to be removed to get at the data?
cheers

This is a crazy complicated process, and it really depends on how Apple's software interacts with the memory of the phone, but here's a video if you'd like to know the nitty-gritty from people that actually do this kind of thing: [DEFCON 21] Decapping Chips the [Easy] Hard Way ...

http://arstechnica.com/security/201...asers-to-access-data-stored-on-seized-iphone/
 
Gonna seem awfully silly when they find nothing but dick picks and Angry Birds

Since it was the guy's work phone (he destroyed his own personal smartphone and computer, but chose not to destroy this), and he knew his boss had access to its contents - I doubt it'll even contain those things.

This was all about setting precedent so that the govt could order any computer maker to back door their security (essentially let the FBI win the Clipper Chip battle). Unfortunately for the govt, the late 1700's law they are using to compel Apple in this case states that if there is any other way (besides forcing the person or company to do this), then the government has to try the alternatives first (it's part of that old law). About a week ago Rep. Issa (from CA and very computer literate) described this exact method of attack on Capitol Hill to FBI Director Comey (who pleaded ignorance) and asked if they had tried this....makes one wonder if he compelled this.
 
AFAIK what you're addressing is completely speculation. I haven't seen anything verifying Cellebrite is using a replay attack or de-capping. I've seen tons of people saying that those are two possible methods. Maybe you've seen something definitive. To assume a replay attack is being used, minus any supporting evidence, is a bit presumptuous. Building a narrative about the security of the Enclave based on that presumption doesn't make sense without evidence.

The problem is how the data is encrypted in iOS 8, and what the FBI wants has limited options for extraction. While locked, things like the text message database are encrypted and the decryption keys are not available. So methods of bypassing the lock screen don't actually decrypt the data I want. The two methods for getting the decryption keys are:

1) Brute force the PIN to generate the decryption key.
2) Mount an attack on AES256, attacking the encrypted filesystem key directly.

That they've found an attack on AES256 that isn't already known is unlikely, so we can reasonably speculate they intend to brute force the PIN. To do that, I need the UID burned into each SoC, which is unique to each device, if I want to do it on some more powerful computer. If I want to do it on the iPhone, I have two methods:

1) Attack the attempt counter, using a replay attack.
2) Use a jailbreak esque exploit to take control of the CPU and do the attack that way, but I still need a mechanism for doing a replay attack, or taking over the unlock mechanism to allow me to do the brute force myself by implementing an alternate unlock code path.

And here's the thing, the Enclave is totally relevant, because it is built to stop (or severely hinder) the attacks I've mentioned above, minus the attack on AES itself, which is the strongest part in the whole system. Apple does have a whitepaper on iOS security that describes in detail how all this stuff is put together. So while we don't know for a fact what they have, we do know what they need to decrypt the communications data that the FBI is most interested in.
The 6 does

Anything with Touch ID does.
 
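The two posts above (the one on the Secure Enclave's anti-replay counter, and the one on why the PIN has to be brute forced on-device against a UID-tangled key) describe a mechanism that is easy to model. The following is an added example written for this page, not Apple's code, not the iOS whitepaper's algorithm, and not anything known about Cellebrite's method. It is a toy: PBKDF2-HMAC-SHA256 stands in for the real passcode key-derivation function, the 10-attempt wipe threshold is the default the thread assumes, and the `Device` class, its NAND snapshot/restore methods and the 9-guesses-per-restore batch size are all assumptions made for illustration. It shows the replay attack succeeding when the attempt counter lives in restorable flash and failing when an enclave-private counter survives the NAND rollback.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Added example, not Apple's code. PBKDF2 and the constants below are
# assumptions standing in for the real iOS KDF and wipe policy.
MAX_ATTEMPTS = 10            # default before auto-wipe, as assumed in the thread
BATCH = MAX_ATTEMPTS - 1     # guesses per NAND snapshot before rolling back


class DeviceWiped(Exception):
    """Raised once the key material is gone; no further guesses are possible."""


def derive_key(passcode: str, uid: bytes) -> bytes:
    """Passcode key tangled with the per-device UID. Without the UID the key
    cannot be computed off-device, which is why brute force must run on the
    phone itself (or on hardware that has extracted the UID)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, 2000, dklen=32)


class Device:
    """counter_in_enclave=False models a 5c-style design: the attempt counter
    lives in NAND, which a physical attacker can dump and restore.
    counter_in_enclave=True models a Secure Enclave design: the counter lives
    in SoC-private storage the attacker can neither read nor rewrite."""

    def __init__(self, passcode: str, counter_in_enclave: bool):
        self.uid = os.urandom(32)                    # fused into the SoC, never exported
        self._expected = derive_key(passcode, self.uid)
        self.counter_in_enclave = counter_in_enclave
        self.nand = {"attempts": 0, "wiped": False}  # flash contents, attacker-controlled
        self._enclave_attempts = 0                   # anti-replay counter, SoC-private

    # --- what a physical attacker with the flash chip can do ---
    def snapshot_nand(self) -> dict:
        return dict(self.nand)

    def restore_nand(self, snapshot: dict) -> None:
        self.nand = dict(snapshot)

    # --- the unlock path ---
    def _attempts(self) -> int:
        return self._enclave_attempts if self.counter_in_enclave else self.nand["attempts"]

    def _bump(self) -> None:
        if self.counter_in_enclave:
            self._enclave_attempts += 1
        else:
            self.nand["attempts"] += 1

    def try_passcode(self, guess: str) -> bool:
        # The enclave-side check cannot be reset by rewriting flash.
        if self.nand["wiped"] or self._attempts() >= MAX_ATTEMPTS:
            raise DeviceWiped("key material erased")
        if hmac.compare_digest(derive_key(guess, self.uid), self._expected):
            return True
        self._bump()
        if self._attempts() >= MAX_ATTEMPTS:
            self.nand["wiped"] = True                # effaceable key destroyed
        return False


def replay_brute_force(device: Device, candidates: Iterable[str]) -> Optional[str]:
    """Guess passcodes, rolling NAND back to a clean snapshot after every
    BATCH failures so the wipe threshold is never reached. Returns the passcode,
    or None if the device wiped anyway (counter not in NAND)."""
    clean = device.snapshot_nand()
    in_batch = 0
    for guess in candidates:
        if in_batch == BATCH:
            device.restore_nand(clean)  # resets the counter only if it lives in NAND
            in_batch = 0
        try:
            if device.try_passcode(guess):
                return guess
        except DeviceWiped:
            return None
        in_batch += 1
    return None


if __name__ == "__main__":
    pins = [f"{i:04d}" for i in range(10000)]      # constructed 4-digit keyspace
    print("NAND counter   :", replay_brute_force(Device("0042", False), pins))
    print("Enclave counter:", replay_brute_force(Device("0042", True), pins))
```

Run as-is it recovers `0042` against the NAND-counter model after four rollbacks and returns `None` against the enclave-counter model, which wipes on the tenth failure regardless of what the flash says. The `derive_key` function also makes the other point in the post concrete: two devices with the same passcode produce different keys, so a guess can only be checked on hardware that holds the UID.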
This whole thing will be bad for Apple if it is found you can unlock an iPhone anyways, once again. While I applaud Apple for not caving in to the FBI and offering them a hack tool or backdoor, the fact that an independent party found a way into the phone anyways is pretty bad for Apple.

Apple is too rich a company and has too many people and resources for them to continuously release phones and iOS with security exploits. Apple makes their own hardware, they make their own software, they distribute their own products; why can't this company make their hardware the most secure devices on the planet? QA and security should be Apple's top priorities, not removing headphone jacks and making their phones thinner. If Apple wants to be the champion of people's rights, security and privacy, then invest all those billions in obscene profit margins back into the quality of their products, not building grandiose UFO looking headquarters.

While I am sure that momentous effort is going to unlocking this one particular phone and it's not an exploit for the casual hacker, just go on YouTube and see ALL the videos over the years of how people have bypassed the lock screen on the iPhone simply by accessing the camera or panel or something else and poking around a little.

Apple can't be a poser and fight for the people while their products continue to be hackable anyways.
Please point me to an unhackable smartphone, I'd like to get one.
 
Anyone else realize that this is the exact same method which Edward Snowden said the government could utilize in cracking the phone? The man was on point.
 
I've seen several post stating Apple would close the backdoor. My question: How could Apple close the backdoor if they don't know the method that created the backdoor? They would have to know what to fix to design a fix.

If it is successful they likely can't patch this approach with 100% confidence in this instance. Success on the FBI's part would end the case and Apple would not have an opportunity to use discovery rules to understand what was done. However, if it is used again in the future against a living suspect then that suspect can use discovery to bring the method to light and Apple can patch. Also, there have been many security experts theorizing about how such an attack would take place and Apple can certainly take steps to prevent vectors like replay attacks (probably the most likely approach this company intends to take) or further hardening firmware even against themselves with a signed update.

I can't *know* but I'd certainly put money on this group using a replay attack. Want to take a wager for a $100 donation to the charity of the winner's choice payable if and when the method becomes public?
 
Anyone else realize that this is the exact same method which Edward Snowden said the government could utilize in cracking the phone? The man was on point.
That's because this is a method that's been used for decades. Unless we change what kind of materials chips are made out of (that are somehow impervious to lasers and acid) then this is always a way.

That said, it takes significant (millions of dollars) amounts of corporate or state/agency funding to even set up a facility to do this right in. So the long and short is this has ALWAYS been a way, it's just far too expensive for any small crime organization to do so, so the only real players to watch out for are state actors or nefarious corporations that don't care who they contract to.
 