You can't say that a) law enforcement wouldn't misuse this tool and b) the vast majority of the cases for which this device is used are crimes against children.

I have over 10 years experience working in the computer forensics industry with government agencies all around the world. I've provided the tools, training, and been part of countless investigations involving crimes against children, terrorism, white collar crime, murder, and more. I'd say I'm pretty well qualified to make the statement I did.

What are your qualifications to say otherwise?
 
I have over 10 years experience working in the computer forensics industry with government agencies all around the world. I've provided the tools, training, and been part of countless investigations involving crimes against children, terrorism, white collar crime, murder, and more. I'd say I'm pretty well qualified to make the statement I did.

What are your qualifications to say otherwise?
None of that proves you're able to make the two statements I referenced.

As for my qualifications I too have computer forensics qualifications with tools such as Encase, SANS SIFT (which is just a conglomeration of other tools), Volatility, and Mandiant just to name a few of the more prevalent tools. I even hold a GFCA certification from SANS.

While I don't practice computer forensics I do have some experience with it.
 
This assumes the tool is using the same method to submit passcodes as Apple originally intended. With physical access to the device it's possible the device works directly on the encrypted contents. An analogy would be attempting to hack a passcode through a web interface across a network as opposed to hacking it by having the encrypted password file.

Entirely speculation on my part, but it should be possible to design the Secure Enclave to implement the delay for any failure to access the system keys to protect against this kind of attack. Seems like something Apple would or should have considered, since such a function is critical to stopping brute force attacks as we see. But then without knowing how the brute force attack is being carried out, I don't know that the SEP is even involved.

Edit: Specifically, I'm assuming that the only pathway to the passcode is through code and hardware Apple controls.
 
I still struggle with this whole issue.
And feel a LOT of people here, and in general are being VERY two faced, because they are not affected.

Take your son or daughter, being held by a known murderer.
They are going to kill them (send you some body parts for starters) as they have a record of following thru on their threat.
Naturally, you would give up anything to save your child, even your home.

They find the murderer's phone, which would probably give the location so your son/daughter can be saved.

I'm assuming everyone would then say, no it's fine, let them die. Privacy of data is far more important than this one individual.

It's funny and very telling how people's views change when something directly affects them
It would depend upon which of my kids the killer has. The boy is a real pain in the derriere, so I might give up the car for his return, but not the house. o_O I kid, I kid. :p The boy is still a PITA. :mad:
Anyhow, I'm okay with the Graykey thing. Because they need physical access to your phone before they can attempt to crack the password. That's the key. They need to have your phone in order to crack the password. The only reason they would have your phone is if you're a criminal. If the government can start seizing phones without a warrant or Graykey works over wireless, then I would be singing another tune. As it is, I'm okay with it.
 
I missed something. What did Apple screw up?
They built whatever flaw allows the iPhone to be hacked. 4 or 5 digit codes won't work if attackers can try codes quickly, and it's impossible to truly prevent them from doing that. IDK if there's a better way since nobody wants to enter a super long code.
You're right (for the first part of your statement), but it's exactly the example needed to show why the backdoor that government agencies have been asking for is a very bad idea.
This is true. I wouldn't trust the govt or anyone they contract to keep a secret.
 
They built whatever flaw allows the iPhone to be hacked.
I'm not aware of a flaw that allows the iPhone to be hacked.

4 or 5 digit codes won't work if attackers can try codes quickly, and it's impossible to truly prevent them from doing that. IDK if there's a better way since nobody wants to enter a super long code.
That is the compromise of security.

There is no way to prevent a dedicated attack to anything. Lock your house with the strongest locks, the hacker will break a window. Replace all the windows with steel, the hacker will saw through the wall. Build a solid cube of impossible to destroy unobtanium and the hacker will wait until you come home, where you'll kindly let them in through the front door.

You can only make things difficult enough that 99% of the population will not care to go to the effort.

Nothing ( no one ) is unhackable.
 
I'm not aware of a flaw that allows the iPhone to be hacked.

That is the compromise of security.

There is no way to prevent a dedicated attack to anything. Lock your house with the strongest locks, the hacker will break a window. Replace all the windows with steel, the hacker will saw through the wall. Build a solid cube of impossible to destroy unobtanium and the hacker will wait until you come home, where you'll kindly let them in through the front door.

You can only make things difficult enough that 99% of the population will not care to go to the effort.

Nothing ( no one ) is unhackable.
iPhones are being hacked right now by these GreyKey boxes, that's the flaw. There's no backdoor. Also, it's not true that everything is hackable. There are provably secure encryption algorithms that would prevent a locked iPhone from being broken into no matter what hardware the hackers employ, barring quantum computers that don't exist yet (they'll switch to newer security for those later). Of course, you need a key with enough entropy for that. 4 or 5 numeric digits isn't even close.
 
if someone has an x, and doesn't know that upon a non-recognition you can swipe up or just off-the-screen momentarily and re-try the faceid, (sometimes it even retries just by shaking it a moment) -- then, yeah, you are using it wrong. take a second to understand your $900 handheld computer with amazing security before bitching about how it doesn't recognize your face in bright sun or when you're on your side -- laughable.

for the small handful of times my face didn't get recognized (usually i have the phone held way too low, like by my waist, accidentally - quick swipe and lift higher and i'm in, time elapsed: about 600ms...) there are ten, no, a hundred times that many instances where the phone performed miraculously, recognizing me in bright flashing dance lights; in a hat and sunglasses; in many hats and many sunglasses, regular glasses, scarf, no scarf...; in the rain; in the snow; so quickly in a cab, in a store, in an elevator, on the steps; in pitch-black in the bathroom; from like 6 feet away and way off to the side; i could go on for days...... the thing is amazing. as usual.

to bit*h about the couple times you got it to mess up is... well, your life is what you make it. don't forget on default settings it's looking for you to direct your eyes at the camera to unlock, so gotta glance its way at the same time. this can be turned off if desired. i found it poses no hindrance to quick functioning and accurate usage while upping the level of security and timeliness quite a bit. thanks to first touch- and now face-id i've had a 12 digit alpha passcode for a few years now, and the revelation of brute force type boxes like graykey loses me not one minute of sleep -- sure fellas, have at it. knock yourself out. i'll be over here.
Uh oh, somebody got offended when a complaint was made about his precious iPhone! Apple can do no wrong, all Apple products work perfectly for everyone, close thread immediately!
 
You know, when you see that message about entering your passcode you can often just hit cancel and try Face ID again. I only enter my passcode the once a week required by Apple for the most part. There is no reason you should be having to enter your passcode that often unless you are doing something very odd.
Something odd like using my iPhone on a desk or table? LOL. Ok, sure.

As for not recognizing me, when I first wake up it always has trouble. I'm not wearing my glasses and my face isn't at the perfect angle it needs. Sometimes during the day it will also have trouble, or when I pull it out of my pocket it will say "You need to enter your passcode to unlock your phone." because it had tried unlocking itself in my pocket or something weird. I also have issues with it calling my emergency contacts while inside my pocket because they made it wake on touch and it senses my leg through my pocket and it thinks I'm trying to tap it. I'm trying to change my habit of having my phone display face outward in my pocket. I usually place it against my leg out of habit to protect it from potential impacts.

Furthermore, it will not unlock if I'm not holding it at the right angle. I even disabled the feature that only unlocks the device if you're looking at it. The thing with trying over again is that it starts going bad if you do that. It was awful for me until I started putting in my passcode to force the machine learning to take the current attempt's facial scan into consideration for building the recognition model. I have a fairly regular looking face, lightly tanned caucasian skin tone, blue eyes, dirty blonde hair with a short trimmed beard and glasses. But sometimes I get lazy and just let it scan again, and in those situations it usually scans again successfully somewhere between half and two thirds of the time. Sometimes after multiple scan attempts it has me enter my passcode so it's not even an option.

Maybe I got one of those "lower quality" Face ID sensors that were rumored a few weeks before launch as Apple's supplier was allegedly struggling to meet demand for the high tolerances needed.
I would do a complex password either way. My Mac has a 23-character password, and I type it a few times today, if MacID does not work well/as expected.
Yeah, a Mac is different though because it has a full keyboard and it's pretty quick to tap something out you have to enter all the time. I don't find myself needing to enter my password much though because my Apple Watch unlocks my MacBook Pro. I very rarely ever have problems with that unlocking. I also use 1Password which on iOS uses Touch ID or Face ID so I can autofill my complex passwords. On the Mac I've got the 1Password vault password in muscle memory now so even though it's complex I can rattle it out in two seconds because my fingers seemingly move faster than my brain.
Firstly I own an iPhone X and I can say it hardly ever fails to recognise my face, because you know... you're using it wrong lol. Seriously though it had a few times to start with where it failed but over time it got better at seeing my face. Next, if it fails to see your face then I just press the side button to lock the screen, wait a couple of seconds and then press it again and hey presto it unlocks. Or you can hold the bottom bar on the screen and drag it up slightly just a tad then let go so that it drops down again and that makes iOS try to unlock the phone.
That helps a lot. As to the big point, I have an alphanumeric passcode that is 16 digits long and I would rather do this than use 4 numbers as you seem to want to use because I do not want anyone hacking my iPhone. If it is an inconvenience for me then it will be a pain in the bum for any hacker etc.
See what I wrote above. Also I use six digits currently. Perhaps I could change it to 8 as a middle ground?
 
This is why it isn’t good to have an official product like this. Thankfully for third party tools like this if hackers get access to it and leak it Apple likely does too and can patch the flaws they are exploiting.
 
The box has been sold to multiple law enforcement agencies across the country . . .

. . . all of whom are presumably adhering to the 4th Amendment by procuring a search warrant prior to spying on one's due privacy? Unlikely.

Per the misfortunes of Grayshift, couldn't have happened to a nicer bunch of scumbags.

Then there is the matter of Mr. Cook in this, who seems to have remained remarkably silent on this blatant breach of customer privacy Apple is said to value so much.
 
Making an Internet connected version is just plain stupid.

No, it's not. Look at the box. Do you see a UI? Do you know how much work it is to make a hardware UI relative to how much it is to add a web server?

What they should have done is restricted access to the box to the local subnet by default. Network level access restriction, however, is an alien concept to most developers and product managers.
 
iPhones are being hacked right now by these GreyKey boxes, that's the flaw.
If NAND cloning is a flaw, your definition is correct. This can be done to any mobile device. You probably know more than me about this, but my small definition of hacking includes taking advantage of software / hardware errors. NAND cloning is not taking advantage of an error, it is copying the data and trying again after failed attempts.

There are provably secure encryption algorithms that would prevent a locked iPhone from being broken into no matter what hardware the hackers employ...
I believe you are mistaken... NAND cloning has been around for a couple of years now. Can you name a secure encryption algorithm that is uncrackable? Again, it just seems that if there is a lock and a key. With enough brute force you can always find the key. Sure you cannot do it on your home computer in your lifetime, but there are more powerful computers available. There are also other ways.

Simple example:
You could write a free software that hashes data in the background. Now you have 50,000 computers working for you.

Check this video recorded using a potato, paper linked in video description:

GreyKey boxes cost about $50 to make.
No, it's not. Look at the box. Do you see a UI? Do you know how much work it is to make a hardware UI relative to how much it is to add a web server?

What they should have done is restricted access to the box to the local subnet by default. Network level access restriction, however, is an alien concept to most developers and product managers.
But then they couldn't charge a premium.
 
If NAND cloning is a flaw, your definition is correct. This can be done to any mobile device. You probably know more than me about this, but my small definition of hacking includes taking advantage of software / hardware errors. NAND cloning is not taking advantage of an error, it is copying the data and trying again after failed attempts.

I believe you are mistaken... NAND cloning has been around for a couple of years now. Can you name a secure encryption algorithm that is uncrackable? Again, it just seems that if there is a lock and a key. With enough brute force you can always find the key. Sure you cannot do it on your home computer in your lifetime, but there are more powerful computers available. There are also other ways.
NAND cloning isn't the hack, only the data extraction. What hardware stores the data is irrelevant because there's always a way to access it. The data ought to be encrypted to the point where you can't crack it.

For example, over public wifi, anyone can easily capture others' data packets. Not an issue in theory* because the 128-bit AES encryption of HTTPS would take over a million years for the fastest supercomputer to crack. The iPhone's 5 base-10 digits only provide 10^5 possible keys, not 2^128, so it can be cracked easily unless you use a stronger password.

* IRL there are occasionally vulnerabilities like encryption downgrades that allow attackers to disable this on affected systems, so to be extra safe, I still use a VPN to my house if I'm doing banking or something on an untrusted network.
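
Added example (not part of the original post): the keyspace comparison above, worked for the passcode shapes mentioned in this thread, plus the shortest length that holds out for a chosen time. The guess rate and the alphabet sizes are assumptions made for illustration; the page gives no measured rate for any tool.

```python
import math

# Assumption: one guess costs about 80 ms (12.5 guesses/s). This is a
# constructed figure for illustration, not a rate stated anywhere on this page.
ASSUMED_GUESSES_PER_SECOND = 12.5
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random passcode."""
    return length * math.log2(alphabet_size)

def average_crack_seconds(alphabet_size, length, guesses_per_second):
    """Expected exhaustive-search time: half the keyspace is tried on average."""
    return alphabet_size ** length / 2 / guesses_per_second

def min_length(alphabet_size, guesses_per_second, target_seconds):
    """Shortest passcode whose average search time reaches target_seconds."""
    length = 1
    while average_crack_seconds(alphabet_size, length,
                                guesses_per_second) < target_seconds:
        length += 1
    return length

# Passcode shapes mentioned in the thread; alphabet sizes are assumptions.
PASSCODES = [
    ("4 digits", 10, 4),
    ("5 digits", 10, 5),
    ("6 digits", 10, 6),
    ("8 digits", 10, 8),
    ("12 letters (a-z assumed)", 26, 12),
    ("16 alphanumeric (62 symbols assumed)", 62, 16),
]

def report(rate=ASSUMED_GUESSES_PER_SECOND):
    """Return (label, bits, average seconds to search) for each shape."""
    return [(label, round(keyspace_bits(a, n), 1),
             average_crack_seconds(a, n, rate)) for label, a, n in PASSCODES]

if __name__ == "__main__":
    for label, bits, secs in report():
        print(f"{label:38s} {bits:6.1f} bits  {secs / SECONDS_PER_YEAR:.3g} years")
    ten_years = 10 * SECONDS_PER_YEAR
    for name, alphabet in (("digits", 10), ("a-z", 26), ("alphanumeric", 62)):
        n = min_length(alphabet, ASSUMED_GUESSES_PER_SECOND, ten_years)
        print(f"{name}: {n} characters for a 10-year average search")
```

Even the 16-character alphanumeric passcode stays well under the 128 bits the post compares against; what matters for a device passcode is the time per guess the hardware enforces, which is why the rate is a parameter here.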
 
I disagree, I think the message is don't F with private citizens' right to privacy. it's in the MF constitution. Why EFF and the ACLU have not brought suit against them...
Fourth Amendment doesn't protect against searches with a warrant or probable cause. We're talking about a criminal's phone that was found, not snooping on phone users. Wiretapping is also exempt anyway.
 