Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

FBI Used Security Flaw Found by 'Professional Hackers' to Crack San Bernardino Shooter's iPhone

Benjamin Frost said:
So all iPhones and iPads earlier than the 5s are now insecure.

Your move, Tim.
Click to expand...
Tim should immediately stop selling all iPhones and iPads earlier than the 5s.
[doublepost=1460519023][/doublepost]
CFreymarc said:
Actually, when necrosis starts to set in, a fingerprint starts to distort with uneven contraction along body appendates.
Click to expand...
Also, they would have to use the corpse's fingerprint within 48 hours of the last time the owner used Touch ID. After that time limit, the phone reverts to requiring a passcode.

They would have to keep the phone active from that point, for fear of the fingerprint degrading and being unusable. If they restart the phone, it reverts to requiring a passcode, and if they let 48 hours pass, it reverts to requiring a passcode. They can't set a new passcode without knowing the old one.

They need protocols (perhaps they already have them) for dealing with iPhones that are Touch ID enabled, and in many cases the time limit will have expired by the time they have possession of the iPhone.
 
Last edited:
doelcm82 said:
Also, they would have to use the corpse's fingerprint within 48 hours of the last time the owner used Touch ID. After that time limit, the phone reverts to requiring a passcode.

They would have to keep the phone active from that point, for fear of the fingerprint degrading and being unusable. If they restart the phone, it reverts to requiring a passcode, and if they let 48 hours pass, it reverts to requiring a passcode. They can't set a new passcode without knowing the old one.

They need protocols (perhaps they already have them) for dealing with iPhones that are Touch ID enabled, and in many cases the time limit will have expired by the time they have possession of the iPhone.
Click to expand...

That's a good point.

I wonder if Apple should make it an option to reduce that window to 6 hours. Or 3 hours.

I, personally, unlock my phone with TouchID plenty of times during those timeframes. So it wouldn't impede my normal use.

But you're right... the wheels of justice move SLOWLY in these types of cases.

Unless local law enforcement (the first responders) are on top of their game... that window will be closed long before the FBI finally shows up.

If the cops enter a crime scene with a dead guy and an iPhone 5S or later... would they know to mash the dead guy's finger against the TouchID sensor as soon as possible?

They're probably thinking about that now :)


Another option... Apple could make it a requirement to input the passcode once a day... regardless of the last time the owner used TouchID.

So even if the cops unlock the phone with the dead guy's finger immediately... they won't be able to keep the phone unlocked for more than a day.

They will eventually need the passcode.

So basically the FBI would have 24 hours (or less!) to complete ALL forensics work to crack the passcode. I doubt they could do it in that time.

Requiring the passcode once a day would be essentially a "dead man's switch"
rimshot.gif
 
doelcm82 said:
Tim should immediately stop selling all iPhones and iPads earlier than the 5s.
Click to expand...
Even though that's already the case ... and I laughed ... they're still providing software updates to some of those 5S and earlier devices. So they still have a responsibility to patch security holes.
 
MaulRx said:
Them getting into the phone isn't the issue, it's
how it went down. Apple said they didn't want to help because of the risk of the method getting out into the wild. They could have just helped, kept it quiet and we may never have known, instead they practically dared the creation of a method that they now have no control over themselves.
Click to expand...

That method doesn't work on new phones, and people are always trying to crack the iPhone. They didn't need this case to do it. It was pretty clear that Apple believes the NSA might be sitting on a zero day attack themselves that they don't want to share. They didn't "practically dare" them, they told them to hack it themselves, no "practically" involved. I'm not sure why it's difficult to understand that Apple wants nothing to do with writing and signing software that can compromise their own phones.

Yes, they could have just helped, just this one time for just this one phone... and no one would be the wiser. If you truly believe that, I see no sense in debating this.
 
Michael Scrip said:
That's a good point.

I wonder if Apple should make it an option to reduce that window to 6 hours. Or 3 hours.

I, personally, unlock my phone with TouchID plenty of times during those timeframes. So it wouldn't impede my normal use.

But you're right... the wheels of justice move SLOWLY in these types of cases.

Unless local law enforcement (the first responders) are on top of their game... that window will be closed long before the FBI finally shows up.

If the cops enter a crime scene with a dead guy and an iPhone 5S or later... would they know to mash the dead guy's finger against the TouchID sensor as soon as possible?

They're probably thinking about that now :)


Another option... Apple could make it a requirement to input the passcode once a day... regardless of the last time the owner used TouchID.

So even if the cops unlock the phone with the dead guy's finger immediately... they won't be able to keep the phone unlocked for more than a day.

They will eventually need the passcode.

So basically the FBI would have 24 hours (or less!) to complete ALL forensics work to crack the passcode. I doubt they could do it in that time.

Requiring the passcode once a day would be essentially a "dead man's switch"
rimshot.gif
Click to expand...

Even better, let's make everyone, even us living outside the Land of the Free, send the FBI our keys, codes, fingerprints, hair, retina scans, blood samples and semen. Would that make them feel better?
 
CarlJ said:
No no, the FBI swore up and down that this whole deal to have Apple create a special one-off version of iOS for them was JUST FOR THIS ONE PHONE, so I'm sure they'll be handing the exploit they used over to Apple, so that Apple can fix it to protect their customers from hackers. After all, the FBI wouldn't want to contribute to evil hackers breaking into citizen's phones.
Click to expand...
…and so it was. You need to be very careful about what you hear, read and the way you interpret it.
I believe what the FBOI have done in this case is request a special version of iOS just for this phone. That is to say, “Tim, we need you to design a build of iOS called iPhone5,4_9.3.1_13E238_SANB_Restore.ipsw, it’ll be exclusive to that phone”. Next time they will be asking “Tim, we need you to design a build of iOS called iPhone5,4_9.3.1_13E238_ALT_Restore.ipsw, it’ll be exclusive to this phone”.

Semantics, which not just the FBI are guilty of. Remember the 64 bit Mac Pro that has a 32 bit kernel?
 
  • Like
Reactions: T Coma
On the next season of Blacklist they need to make hacking an iPhone and FBI vs Apple the plot.

Just throw in some some spy ****, some guns, black ops, cool stuff. (It doesn't matter if its true or not, it'll make this whole thing sound cooler.)
 
  • Like
Reactions: luckydcxx
\-V-/ said:
Even though that's already the case ... and I laughed ... they're still providing software updates to some of those 5S and earlier devices. So they still have a responsibility to patch security holes.
Click to expand...
If those holes are in the software, then Apple can possibly fix the problem. I have a hunch that the hardware architecture is what leaves these devices vulnerable. Just as "bend-gate" and "antenna-gate" were real problems (if overblown), Apple didn't fix them on existing devices. They just addressed the issues in later models.

Also, no patch is going to fix a phone that is currently in evidence (assuming Apple wanted to do that). If the agencies that hold those phones have any sense, they will have the phones in Airplane Mode so that no one can tamper with them over WiFi or cellular data.
 
They're so desperate they're now trying to change their claims.

I have a feeling they didn't actually hack the phone, they're just being that one bully who says that he was part of the navy seals or something.
 
doelcm82 said:
If those holes are in the software, then Apple can possibly fix the problem. I have a hunch that the hardware architecture is what leaves these devices vulnerable. Just as "bend-gate" and "antenna-gate" were real problems (if overblown), Apple didn't fix them on existing devices. They just addressed the issues in later models.
Click to expand...
Yeah that's probably the case ... and also why this crack doesn't work on the newer iPhones.

Also, no patch is going to fix a phone that is currently in evidence (assuming Apple wanted to do that). If the agencies that hold those phones have any sense, they will have the phones in Airplane Mode so that no one can tamper with them over WiFi or cellular data.
Click to expand...
Was just referring to current owners of older phones, not already confiscated ones. But yeah.
 
Osty said:
If it runs code, it's insecure. I wish people would stop believing Apple's marketing machine.
Click to expand...
I don't believe the marketing. I believe the descriptions I have read of the measures that Apple takes to make iOS devices more secure.

Chances are there is a 14-year-old hacker out there in the world who knows a way to get past Apple's latest security. So all the FBI needs to do is find a 14-year-old hacker to help them, right?

The problem with this idea is that they would have to hire every 14-year-old hacker in the world. The vast majority of the 14-year-old hackers DON'T know this secret. If the hacker wants recognition for his secret and shares the hack widely, then most likely the method will get back to Apple, who will fix the vulnerability in a security update or in the next hardware version.

Hacking isn't magic. It requires specific knowledge of vulnerabilities. Even if you have such knowledge, that knowledge may be useless against a device that doesn't have the same vulnerabilities.
 
  • Like
Reactions: spinnyd, Michael Scrip and Osty
Michael Scrip said:
There might be multiple ways to hack the iPhone 5C.

But I'm curious what the hackers would do with my iPhone 6S Plus with alphanumeric passcode of unknown length with 10 attempt wipe turned on.

If I'm alive... the FBI could force me to use my fingerprint for TouchID. But I would just use the wrong finger a few times and make the phone require the passcode.

If I'm dead... that's no longer a problem.

But the FBI still has my phone with a zillion possible passcode combinations.

Good luck!
Click to expand...

In quite positive the average joe will use the right finger when confronted by FBI agents. ;)

Though thier preference would be unconscious , and they get to try all your fingers.

Why is dead not a problem anymore? They can still use your fingers to access the Touch ID.

You might as well disable touchid if your plan to play hardball in the future :)
 
It appears that MR is obsessed with FBI APPLE story. Sure..it's apple related, but i'm sure they could put up articles about macs...especially mac pros. Either they have no articles to hunt down mac computer subject or they are planning to make MR a new online newspaper site...."MR times."
 
  • Like
Reactions: TrowaNY
doelcm82 said:
I don't believe the marketing. I believe the descriptions I have read of the measures that Apple takes to make iOS devices more secure.

Chances are there is a 14-year-old hacker out there in the world who knows a way to get past Apple's latest security. So all the FBI needs to do is find a 14-year-old hacker to help them, right?

The problem with this idea is that they would have to hire every 14-year-old hacker in the world. The vast majority of the 14-year-old hackers DON'T know this secret. If the hacker wants recognition for his secret and shares the hack widely, then most likely the method will get back to Apple, who will fix the vulnerability in a security update or in the next hardware version.

Hacking isn't magic. It requires specific knowledge of vulnerabilities. Even if you have such knowledge, that knowledge may be useless against a device that doesn't have the same vulnerabilities.
Click to expand...

Well.....since the first phone, apple have not stopped jailbreaking, and that's the most publicised method , with hackers getting credit. As the previous poster said, if it runs code it can be hacked, as shown by apple never making the device jailbreak proof. If there is enough demand out there, it will happen, the smartest devs do not work for apple :)
 
MH01 said:
In quite positive the average joe will use the right finger when confronted by FBI agents. ;)

Though thier preference would be unconscious , and they get to try all your fingers.

Why is dead not a problem anymore? They can still use your fingers to access the Touch ID.

You might as well disable touchid if your plan to play hardball in the future :)
Click to expand...

Apparently dead fingers don't work... something about bloodflow or something.

I don't think anyone has tested this on a fresh iPhone-owning corpse.

But yeah... turn off TouchID if you plan to do bad things and think you'll be killed ;)
 
Pure BS. First it was Celebrate, now it's hackers. The story changes every week.

Apple capitulated with the (most beta tested iOS release ever) flaw that affected iPad 2, oh and the 5c - the temporary fix allowed a restore without passcode!
9.3.1 should have removed Government OS, but since the only reason FBI would drop the case against Apple was if Government OS is still around in some form in 9.3.1, I suspect all users are still vulnerable.

Apple had to fold or the FBI was going to get laws passed that forced Apple to give the signing for all iPhones to the FBI forever.

Now look at Tim Cook's little speech at the March 'event' with different eyes - we lost this one, but we're going to keep fighting for privacy.
 
aaronvan said:
FBI hacked the iPhone but they still can't decide what to do about Hillary's email server...
Click to expand...

Yeah! And when will we finally see Obama's real birth certificate too?! :rolleyes:

Anyway, now that the contents of the phone are accessible, maybe they can show us all the nefarious plans hidden within so we know we're all safer now and they can justify the stupidity of wanting Apple to do their job for them.

Yeah, I won't be holding my breath on that one.
 
This really is the best result for both parties.

The FBI wanted a precedent here, and thought that this was an extreme enough case that the PR would put the heat on Apple. They weren't ready for the pushback the got from the tech industry and citizens of all stripes and losing the judgement here would have ended their route to a precedent. Now they can go back to trying to expand the precedent incrementally.

Apple didn't want to get into the business of cracking people's phones, didn't want to look like they were abetting terrorists, and didn't want their hardware to look insecure. Turns out the FBI got what they needed, without Apple turning into a hacker collective, and the FBI method required special hardware so it's not something that can be used remotely or by run-of-the-mill crooks. Also, it's publicly stated that no currently selling hardware is vulnerable.

Basically, they hit reset on the whole mess and everyone is much more aware of where public opinion sits.
 
Wasn't the ability to "hack" the phone just the ability to clone the iOS image so it could run in some type of emulator? You could then run multiple copies of the image and try as many possible PINs as you could until you unlocked one of the clones.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back