Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Di4mondz

macrumors regular
Mar 4, 2012
109
75
The best kind of security is one you can show every aspect (code, mathematical theory, etc.) to everyone, friends and enemies, and everyone agrees, they can't break it. This is why Open Source is so powerful in the area of security: there is no false sense of security through obscurity.

Apple can't break the encryption because they didn't make the encryption. They specifically picked one they can't break. The FBI knows this. They aren't asking Apple to crack encryption. They are asking for a way to circumvent the secure enclave chip that will wipe the phone after 10 failed attempts at guessing the code. There's only 1 million codes to try, if they could try them one every 2 seconds, worst possible case, they would have the code in 23 days.

The iPhone 5C doesn't have a secure enclave.
 

coolfactor

macrumors 604
Jul 29, 2002
6,943
9,470
Vancouver, BC
So is Apple sitting hard on the key, or is there simply no key? The former would indicate Apple is, as accused, using this as an opportunity to generate warm fuzzies from its customers. The latter would be more palatable, to me anyway.

As a megacorp, I've always found it rather unbelievable that Apple doesn't have the ability to crack it's own keys. But if they won't decrypt this phone because they genuinely can't, wouldn't that be a better argument to the Feds?

I'm hearing two things.

  1. That there is no key, period.
  2. That there may have been a key if they didn't change the password already. Apparently the iCloud backups can be accessed, which is interesting? If everything is being backed up, and those backups can be decrypted by Apple, doesn't that defeat the purpose of strong encryption on-device?

One must wonder.
 
  • Like
Reactions: Shirasaki

hiddenmarkov

macrumors 6502a
Mar 12, 2014
685
492
Japan
Isn't that the whole point?

Otherwise... security that can be broken isn't really secure ;)


This. really good security can't be undone. Its not meant to be cracked.

I use a backup software like this. during setup you give it a password. They tell you in no uncertain terms do not forget it as they cannot recover it. Lose the PW, lose the data basically.


Main benefit to this is removes the bad employee in the cloud problem. Old boy at the cloud place wants to take some data and burn bridges and hope the score covers that....your data won't be cracked in theory. Or as readily anyway....


Also enter the 10 tries things....brute force 10 times and done. Simple solution to complex problem.
 

Michael Scrip

macrumors 604
Mar 4, 2011
7,922
12,470
NC
This. really good security can't be undone. Its not meant to be cracked.

I use a backup software like this. during setup you give it a password. They tell you in no uncertain terms do not forget it as they cannot recover it. Lose the PW, lose the data basically.

Main benefit to this is removes the bad employee in the cloud problem. Old boy at the cloud place wants to take some data and burn bridges and hope the score covers that....your data won't be cracked in theory. Or as readily anyway....

Also enter the 10 tries things....brute force 10 times and done. Simple solution to complex problem.

Exactly.

It reminds me of how LastPass works:

"due to our encryption technology, LastPass does not know your Master Password, so we cannot look it up, send it to you, or reset it for you."

If they could... ANYONE could... theoretically.

So they don't even give the option.
 
  • Like
Reactions: centauratlas

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
So is Apple sitting hard on the key, or is there simply no key? The former would indicate Apple is, as accused, using this as an opportunity to generate warm fuzzies from its customers. The latter would be more palatable, to me anyway.

As a megacorp, I've always found it rather unbelievable that Apple doesn't have the ability to crack it's own keys. But if they won't decrypt this phone because they genuinely can't, wouldn't that be a better argument to the Feds?


Quick recap / summary:

1. Apple does NOT have any "key" to give the FBI or anyone else.
2. The FBI is not asking for a "key", but instead for a special firmware build which will allow them to try each of the 10,000 4-digit passcodes for the device without either activating the soft-lockout (after I think 9 attempts it takes an hour between allowed attempts) or the 10th-failure-data-wipe feature which may or may not be on on the device.
3. Such a firmware build would have to be signed by Apple, and would allow intrusion on any existing iPhone in physical custody.
4. The warrant asks that the specific build be tied to this specific phone, but it is unlikely that this serial-number lock could be engineered as tamper-proof.
5. Finally, if Apple establishes precedent here, that precedent will be applied by various countries around the world (and rumor is that significant pressure to do exactly this has previously been applied by China, and that giving in to the FBI will lead directly to Apple being required to do the same for China as a cost of doing business in that country).

Also: White House Petition to Side With Apple in FBI Fight
 

arogge

macrumors 65816
Feb 15, 2002
1,065
33
Tatooine
The FBI should bring the phone to Apple and hire the iPhone product team to see what they can do, just as they would do when they need a data recovery service to recover information from damaged media. What the FBI bureaucrats are doing instead is demanding that Apple send them information and new, as-yet undeveloped product code for purposes of cracking the phone. This information will presumably be used by the same stupid people who have already screwed up once in this case to possibly screw up the phone further, for which Apple could be blamed for not doing a good enough job.

Any Non-Disclosure Agreement that may have existed will become forgotten and information about a new backdoor will go to the alphabet-soup of federal bureaucracies, then down to the "joint task force" organizations at the State and city levels, and so on down until some county cop who wants to unlock a kid's iPhone, only because he might have a photo of a friend who smokes the wrong plant, is suddenly able to apply a crack and get in through a backdoor. That's I think where the government is trying to go, while attacking encryption as a new form of "protecting terrorists" and demanding that everyone turn over their encryption keys in case some government bureaucrat wants to peek into your affairs. Then some federal office with the backdoor information on the Internet will be found by China or another government, and then that goes around the world along with the rest of our federal employee data, fingerprint charts, biometric information, medical information, fighter jet plans, and on and on through the list of things marked secret/proprietary that the government has leaked to other countries.

Of course there's a way to stop this problem from continuing once iOS has been compromised, but the damage to Apple's product and reputation will have been done.
 

sshambles

macrumors 6502a
Oct 19, 2005
766
1,127
Australia
FBI: Hey Apple, can you open this iPhone for us?

Apple: *looks at iPhone* Well we could have, but did you change the password as soon as you got it?

FBI: Yeah, umm, maybe, so, err, why?

Apple: Well, that would have been the only way to do so, so no we can't now.

FBI: Oh. :( So, uh, we ****ed up then?

Apple: Yep. :cool:

FBI: *contacts court* Now open it up for us! :mad:

Apple: o_O No! *writes open letter to the internet advising of invasion of decades of security advancement*

Trump: They should listen to the government, the government knows all.

Apple: F*** off Trump.
 

bennibeef

macrumors 6502
May 22, 2013
340
161
The sad thing is they wont find anything important on that phone. Its just about getting in.

The argument can be made, that Apple could make a custom version of iOS, update this one phone to it and DESTROY the custom version of ios so that there is no possibility of anyone other using it again. But then again its the US government and this thing is not about getting into THIS ONE phone, its about getting easy in all phones in the future. Sad sad.

I like my privacy.

And this would only work in the perfect world where no engineer and no politician and FBI agents is bribable and this software is never getting in any other hands. This software would be worth millions.
 
Last edited:

sshambles

macrumors 6502a
Oct 19, 2005
766
1,127
Australia
This is definitely the biggest technological and security court case that will define a lot of what goes on from now on.

I only hope that they realise that civil liberties are more important than destroying everything that people have fought to protect and invest their time and money in. Then again, this is the U.S. government we're talking about. I've ZERO faith in it as far as doing the right thing is involved. As Godspeed put it 'the government is corrupt'.
 

sir1963nz

macrumors 6502a
Feb 9, 2012
735
1,215
What kills me is the fact that if Apple chose to rewrite iOS, this device in question would need to be updated or restored, therefore possibly destroying evidence. After all, they can't back up and restore the device because the password is different now. FBI just might be screwed in this case.

THAT'S the whole point.
They will next claim that Apple somehow "destroyed evidence" and the FBI should be given unfettered access to the code to ensure it was not deliberate.

Now they have the code, they are well on their way to making their own hack to get into some ones phone while they are using it.
 
  • Like
Reactions: mariusignorello

Mums

Suspended
Oct 4, 2011
667
559
"No, but we really, REALLY want you to compromise the security of all your devices to satisfy this one whim. Just this one timeeee... We promiseee."

In spite of my disagreement with this guy on a lot of issues, Tim has been absolutely heroic in this issue of privacy. Just fantastic.

That's because it's scripted with Tim Cook made to look like the good cop.
 

paul4339

macrumors 65816
Sep 14, 2009
1,442
726
The sad thing is they wont find anything important on that phone. Its just about getting in.
...
and DESTROY the custom version of ios so that there is no possibility of anyone other using it again. But then again its the US government and this thing is not about getting into THIS ONE phone, its about getting easy in all phones in the future. .....

it's also about setting precedence... Once Apple gives in to this demand, other governments (such as China) will demand the same thing, not only from Apple for but from ALL device makers.

The US government has no control of what other governments will demand.

All this for the possibility that they might be able to find more info on a crime that already has been solved.

.
 
Last edited:

jettredmont

macrumors 68030
Jul 25, 2002
2,731
328
I'm hearing two things.

  1. That there is no key, period.
  2. That there may have been a key if they didn't change the password already. Apparently the iCloud backups can be accessed, which is interesting? If everything is being backed up, and those backups can be decrypted by Apple, doesn't that defeat the purpose of strong encryption on-device?

One must wonder.

Or, one must do some research and stop wondering.

There is no key that Apple can provide, period. That isn't to say there isn't a key; obviously there is. It is on the device, encrypted using a 4-digit or 6-digit password.

That key is not what the FBI is asking for at all. The FBI is asking Apple to change the firmware so they can try each of the 10,000 4-digit (or 1,000,000 6-digit) passwords possible on the device (using automated means, obviously) without locking or erasing the device. When the proper passcode is put in, the data-encryption key is retrieved using that passcode and used to unlock all of the data on the device itself.

So, that's your first thing you are hearing. Now the second.

Per https://www.apple.com/privacy/approach-to-privacy/ :
Apple retains the encryption keys in our own data centers, so you can back up, sync, and share your iCloud data. iCloud Keychain stores your passwords and credit card information in such a way that Apple cannot read or access them.

That is, all iCloud data is encrypted using Apple's keys which are stored on their servers. iCloud Keychain (your saved passwords etc) are encrypted by the device using keys that only exist on your devices (which is why if there are authentication problems between iCloud-connected devices it is almost always the keychain that needs to be turned off and back on).

Not everything is backed up. First, obviously, iCloud Keychain is backed up but not retrievable from that backup without at least one participating device. Second, though, many apps specifically exclude their data from backups - this includes iMessage and Facetime as examples, which also employ (256-bit AES) end-to-end encryption similar to iCloud Keychain so only the participating devices can read the messages.

Getting at this non-backed-up data is the stated rationale for the FBI wanting to get into the phone itself rather than just getting access to the most recent backup (which they can't get because they borked the backups themselves anyway).

Of course, the more pertinent facts are that (1) the murderers in this case used their own personal phones and a laptop, all of which they thoroughly destroyed before going on their rampage; (2) the phone in question was a work-issued phone. It is highly unlikely, knowing what has been revealed to this point, that there will be any remotely usable information on the device in question. However, we do have to admit that we don't know everything about the case. That said, the FBI is charged with doing everything legally possible to track down every lead to the crime; it is not charged with caring about privacy or overall system security. They also almost assuredly have many less-devastating avenues to pursue in the physical world rather than compromising security for everyone in the world.

I'd also add that (3) we are not talking about massive terrorist attacks here. We are talking about a lone-wolf attack which killed a small number of people and by all evidence to date (most compelling: that there have not been related follow-up attacks) was an isolated event. This is hardly the type of event which should rationally lead the public to freak out and grant the FBI massive new powers to invade our privacy.
 

sir1963nz

macrumors 6502a
Feb 9, 2012
735
1,215
But they know how the internals work. So they would have the best chance at breaking it.

You clearly don't understand how encryption works.

Lets make it very simple, they "key" is 256 bits long, that means there is over 1.15 x10^77 possible combinations, each one of those bit is either a 0 or a 1. Now guess what the combination is.

Now consider a lottery where they have 40 balls and you have to select 6 of them, there is a 1 chance in 3.8 Million

The lottery easy, VERY easy in comparison, so how many times have you won a major prize ?

So decrypting it is NOT an option.
 

AnthonyHarris

Cancelled
Jun 4, 2009
510
580
Cambridge, England
Or, one must do some research and stop wondering.

There is no key that Apple can provide, period. That isn't to say there isn't a key; obviously there is. It is on the device, encrypted using a 4-digit or 6-digit password.

That key is not what the FBI is asking for at all. The FBI is asking Apple to change the firmware so they can try each of the 10,000 4-digit (or 1,000,000 6-digit) passwords possible on the device (using automated means, obviously) without locking or erasing the device. When the proper passcode is put in, the data-encryption key is retrieved using that passcode and used to unlock all of the data on the device itself.

So, that's your first thing you are hearing. Now the second.

Per https://www.apple.com/privacy/approach-to-privacy/ :


That is, all iCloud data is encrypted using Apple's keys which are stored on their servers. iCloud Keychain (your saved passwords etc) are encrypted by the device using keys that only exist on your devices (which is why if there are authentication problems between iCloud-connected devices it is almost always the keychain that needs to be turned off and back on).

Not everything is backed up. First, obviously, iCloud Keychain is backed up but not retrievable from that backup without at least one participating device. Second, though, many apps specifically exclude their data from backups - this includes iMessage and Facetime as examples, which also employ (256-bit AES) end-to-end encryption similar to iCloud Keychain so only the participating devices can read the messages.

Getting at this non-backed-up data is the stated rationale for the FBI wanting to get into the phone itself rather than just getting access to the most recent backup (which they can't get because they borked the backups themselves anyway).

Of course, the more pertinent facts are that (1) the murderers in this case used their own personal phones and a laptop, all of which they thoroughly destroyed before going on their rampage; (2) the phone in question was a work-issued phone. It is highly unlikely, knowing what has been revealed to this point, that there will be any remotely usable information on the device in question. However, we do have to admit that we don't know everything about the case. That said, the FBI is charged with doing everything legally possible to track down every lead to the crime; it is not charged with caring about privacy or overall system security. They also almost assuredly have many less-devastating avenues to pursue in the physical world rather than compromising security for everyone in the world.

I'd also add that (3) we are not talking about massive terrorist attacks here. We are talking about a lone-wolf attack which killed a small number of people and by all evidence to date (most compelling: that there have not been related follow-up attacks) was an isolated event. This is hardly the type of event which should rationally lead the public to freak out and grant the FBI massive new powers to invade our privacy.

Can you no longer select an option to use a longer 'alphanumerical' passcode?!
 

haravikk

macrumors 65816
May 1, 2005
1,499
21
I don't envy Apple their position in this; if they help the FBI to crack even a single iPhone from someone who deserves it, it implies that their cryptography isn't properly implemented.

I know that the FBI are "only" asking to circumvent the PIN attempts lockout, but assuming that it's implemented in a similar fashion to FileVault then only part of the OS should unencrypted (the bare minimum part needed to provide the PIN screen and decryption), and with total control of the hardware Apple should be placing that somewhere that it can't simply be overwritten, otherwise someone could add any code they like to either prevent lock-out or expose the encrypted key for brute force attacks on a different system.

Either way, if the FBI gets into the iPhone without significant computational power then Apple has done something wrong and iOS isn't properly secure. Even then, it should still take months to brute force, otherwise we can't be confident in the strength of the encryption scheme either.
 

hybroid

macrumors regular
Aug 12, 2010
180
433
What kills me is the fact that if Apple chose to rewrite iOS, this device in question would need to be updated or restored, therefore possibly destroying evidence. After all, they can't back up and restore the device because the password is different now. FBI just might be screwed in this case.

Not really, have you never had a corrupt Windows that wouldn't boot so installed another copy of Windows on another partition then accessed the old windows files? It's easy.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.