So they have a faraday cage and they use intelligent social engineering to get a start at passwords, okay.
The answer is not a backdoor that he is asking for.
For everyone that reads this you need an alphanumeric passcode.

My current passcode has 12 digits/letters and symbols.
This means that even if they can generate 26 million passcodes a second.

There are 46 keys * 2 functions for each key.
This means that my password has 3.68x10^23 combinations.
This is 1.4x10^16 seconds to brute force the attack or 3.9x10^12 hours.
So they will never brute force it unless they just get lucky.
Couple that with at the end of every attempt, the enter key must be used.
If you use a 4 digit passcode, a brute force attack renders it useless in 9999 attempts.
Actually it's half that if the approach is either sequential or starts from the middle.
A six digit passcode isn't better.
Use a password that has letters (upper and lower case) numbers and symbols.

A password that is any length is more secure than a passcode.
A password can be any length and makes it much more difficult to brute force.

If you use a less secure 4/6 digit passcode, you should have your phone set to wipe after 10 attempts.

I say don't give them a chance and I'm not doing anything illegal.
My right to privacy, is a right.
I might be misunderstanding how brute force works but I always find posts like yours funny, and ever so slightly disingenuous.
Is it not the case that whilst your passcode has 3.68x10^23, it will in fact take UP TO, 3.9x10^12 hours to crack it?
Whilst I acknowledge that more complex is without a shadow of doubt better. Is it possible, (however unlikely), that the first code they try is the correct one?
Do you not understand how TouchID and FaceID work? My pass phrase isn’t 32 characters, but it’s substantially more than 10 characters (and isn’t something you could find in any dictionary). And I type it perhaps once a week. I use TouchID the rest of the time. If you’re typing your password every time you want to check your email, you’re doing it wrong.
I find it annoying personally how often you still have to enter your passcode even with Face/Touch ID enabled.
 
The irony is that it was IIRC one of the predecessors of DA Vance who called for better phone security because the number of iPhone thefts was messing up their crime statistics and made the politicians look bad because "crime was up".

Maybe somebody from MR staff can look up the article they wrote about that back then.
 
what did law enforcement do before there were smartphones?
What a bunch of whiners


You could probably answer that yourself if you thought for a minute what smartphones made obsolete.

Hint: there was much more physical evidence before smartphones...
Most crime happens out of the moment. And only chewing gum thieves brag about it or plan/discuss it over the phone.
 
I knew there was a way to crack those iPhones...I can't believe the gov. does not have the ability to access the files locked with a password.

So they have a faraday cage and they use intelligent social engineering to get a start at passwords, okay.
The answer is not a backdoor that he is asking for.
For everyone that reads this you need an alphanumeric passcode.

My current passcode has 12 digits/letters and symbols.
This means that even if they can generate 26 million passcodes a second.

There are 46 keys * 2 functions for each key.
This means that my password has 3.68x10^23 combinations.
This is 1.4x10^16 seconds to brute force the attack or 3.9x10^12 hours.
So they will never brute force it unless they just get lucky.
Couple that with at the end of every attempt, the enter key must be used.
If you use a 4 digit passcode, a brute force attack renders it useless in 9999 attempts.
Actually it's half that if the approach is either sequential or starts from the middle.
A six digit passcode isn't better.
Use a password that has letters (upper and lower case) numbers and symbols.

A password that is any length is more secure than a passcode.
A password can be any length and makes it much more difficult to brute force.

If you use a less secure 4/6 digit passcode, you should have your phone set to wipe after 10 attempts.

I say don't give them a chance and I'm not doing anything illegal.
My right to privacy, is a right.

Didn't Apple implement that thing where they add a minute between every failed attempt, making the time of attempts to crack the phone exponentially grow?
 
I am glad that Apple/Google is on the consumers side.

Do they really think that the public will be alright with the cops being able to get into our devices whenever they feel like it? There are WAY too many crooked cops out there. Them having access to anyone’s personal device is a bad idea.

hopefully Apple/Google can make these phones even harder to crack.
 
I love seeing law enforcement just bludgeon their way forward with zero self-awareness of the arms race they’re escalating, just like they did with small arms and militarization in their “culture war” against the public.

If engaging in criminal behavior, getting a battery pack that’s actually a tamper-proof explosive self-destruct attachment now seems like an appropriate response to these actions.
 
I get their frustration, but there's no good solution that doesn't hurt everyone else. This is new in history where a person carries a device that tracks all their movements and all their communications.

If police had easy access, there is a huge potential for exploitation. And if whole governments had easy access (hello China), that's truly scary. And creating a backdoor that doesn't get into the hands of bad actors is about as likely as California falling into the sea tomorrow from an earthquake.

While they're at it, why don't they require locks makers to have a secret key that can open everyone's door? I'm sure that would never leak either.
 
$10 million was probably the start up cost. The ongoing cost probably far exceeds that. Governments are experts at squandering money.
 
what? 10mil. how much are the staff getting paid? probably some overseas outfit may do this cheaper
 
They are "whining" about having to do real police work. Time to develop a NAND flash chip that self-sanitizes above 90 Celsius. Put any heat to the board and it's gone. Sorry, Jess.
 
I knew there was a way to crack those iPhones...I can't believe the gov. does not have the ability to access the files locked with a password.



Didn't Apple implement that thing where they add a minute between every failed attempt, making the time of attempts to crack the phone exponentially grow?

I also had that same question. Assuming you are on the latest version of iOS and there are no current exploits around the time between failed attempts, I'm not sure how you could brute force a phone. This also assumes the wipe after n number of failed attempts is also off, which I thought was on by default. Lastly, how are they actually brute forcing the phone? Do they have a machine which physically taps the phone?
 
They are "whining" about having to do real police work. Time to develop a NAND flash chip that self-sanitizes above 90 Celsius. Put any heat to the board and it's gone. Sorry, Jess.

EXACTLY. They are upset that they actually have to do detective/police work.

The day that Apple/Google bends over for the government in terms of all out privacy being exploited, will be the day that people put their phones down.
 
I got a 10 digit passcode. Wonder how long it would take them to crack it using this method. One post by MacRumors taken from Matthew Green’s Twitter once had these times on average: ...

10 digits is around 5000 days (13.69 years).
Rather than 10 digits, you’d be nearly twice as well off with 6 alphanumeric characters. Easier to remember, too.
Code:
digits:
    10^9  =     1,000,000,000
    10^10 =    10,000,000,000
lowercase+digits:
    36^6  =     2,176,782,336
    36^7  =    78,364,164,096
upper/lowercase+digits:
    52^6  =    19,770,609,664
    52^7  = 1,028,071,702,528
upper/lowercase+digits+punctuation:
    94^5  =     7,339,040,224
    94^6  =   689,869,781,056
I also had that same question. Assuming you are on the latest version of iOS and there are no current exploits around the time between failed attempts, I'm not sure how you could brute force a phone. This also assumes the wipe after n number of failed attempts is also off, which I thought was on by default. Lastly, how are they actually brute forcing the phone? Do they have a machine which physically taps the phone?
Read this: How modern iPhone encryption works

They're going to extremes to get around the timeouts and such, and then brute-forcing the passphrase. But, the Secure Enclave is still processing those attempts, and it’s designed to do so slowly (not dragging its feet, rather, doing encryption that necessarily takes a long time). Short digit-only passphrases fall in a matter of hours, go to a decent length alphanumeric passphrase and it quickly goes up into decades.

Use a decently long alphanumeric passphrase (and not anything that can be found in a dictionary or looked up about you), and “endure” typing it once or twice a week, then use TouchID or FaceID the rest of the time. Extremely secure. Also, learn the sequence to lock out TouchID/FaceID, which will then require your passphrase to unlock the iPhone the next time.
 
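The keyspace and timing arithmetic argued over in this thread, as an added example that is not part of any post: it reproduces the table's keyspaces and the 12-character estimate, then separates worst case, average case, and the chance of success inside a time budget. The 12.5 guesses per second (about 80 ms per on-device attempt, Apple's published key-derivation calibration) is an assumption, 26 million per second is the first post's figure, and all function names are illustrative.

```python
"""Passcode keyspace and exhaustive-search time for figures quoted in this thread."""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumption: roughly 80 ms per on-device guess, i.e. 12.5 guesses per second.
ON_DEVICE_RATE = 12.5
# Guess rate used in the first post of the thread.
POSTED_RATE = 26_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need alphabet_size >= 2 and length >= 1")
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to try every candidate: the 'up to' figure."""
    return keyspace(alphabet_size, length) / rate


def expected_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Average time for a uniformly random passcode: (N + 1) / 2 guesses."""
    return (keyspace(alphabet_size, length) + 1) / 2 / rate


def success_probability(alphabet_size: int, length: int, rate: float,
                        budget_seconds: float) -> float:
    """Chance a uniformly random passcode is among the guesses made in the budget."""
    tried = int(rate * budget_seconds)
    return min(1.0, tried / keyspace(alphabet_size, length))


def min_length(alphabet_size: int, rate: float, target_seconds: float) -> int:
    """Shortest length whose average search time reaches the target."""
    length = 1
    while expected_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def report(rate: float = ON_DEVICE_RATE) -> list:
    """Average search time in days for passcode shapes mentioned in the thread."""
    shapes = [
        ("digits", 10, 4),
        ("digits", 10, 6),
        ("digits", 10, 10),
        ("lowercase+digits", 36, 6),
        ("printable ASCII", 94, 6),
        ("92 symbols (first post)", 92, 12),
    ]
    return [
        {
            "shape": f"{label} x{length}",
            "keyspace": keyspace(size, length),
            "avg_days": expected_seconds(size, length, rate) / SECONDS_PER_DAY,
        }
        for label, size, length in shapes
    ]


if __name__ == "__main__":
    for row in report():
        print(f"{row['shape']:<28} {row['keyspace']:>28,} {row['avg_days']:>14.3g} days")
    ten_years = 10 * SECONDS_PER_YEAR
    for size in (10, 36, 94):
        print(f"alphabet {size}: length {min_length(size, ON_DEVICE_RATE, ten_years)} "
              "needed for a 10-year average")
    p = success_probability(92, 12, POSTED_RATE, 100 * SECONDS_PER_YEAR)
    print(f"92^12 at 26M guesses/s, 100-year budget: p = {p:.2e}")
```

A random passcode can fall on the first guess, but the probability scales with the fraction of the keyspace covered, which is what `success_probability` reports.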
This - source code for crazy encryption has been out in the wild for a long time and you can't get that back. If they put backdoors in the phones for the included apps, then bad folks (and likely lots of good folks too) will simply start using encryption apps that aren't subject to the back doors. We'll have gotten rid of a good and useful thing and be no better off for it.

This is exactly the point.
They can use Wickr Me which uses end to end encryption with auto shred of messages, pictures and voice.
I can implement either RSA or AES in one page of Python code.

Criminals will change how they function.
Giving them a backdoor is the equivalent of giving them a master key to every safe manufactured with the hope that you can trust them with the key.
Nope.

With a safe, they get possession but it is up to them to figure out how to get in.
I cannot grasp what people keep on their phones that is so precious?
I mean, sure, I use a simple passcode on my phone, just because I can't stand the nagging if I don't.
There is zero stuff on my phone that is not available somewhere else online already.
What I talk about with friends on Messenger, SMS, or other apps is of no interest to anybody, almost not even to me.
I really hope that none of you keep banking information on the phones, now that would be terribly stupid no matter the security.
I hardly think anyone on this forum keeps national security stuff on their phones, and therefore the info on your phones is of no interest to anyone. If someone steals your phone, they most probably just want to flog it for some quick cash. A very simple passcode prohibits that. There's no need for Top Secret, For Your Eyes Only, MI6 special agent 007 kind of security. If the thief can't sell the phone, it will end up at the bottom of the closest body of water, not in a lab with million-dollars-worth of high-tech equipment to try and crack your passcode so they can watch your 3-year old eat cake.
So, the security just has to be "good enough" that your average petty criminal can't deal with it, but law enforcement with the right stuff can get in. If you are in the gang who keep very valuable stuff on your phone, you are a lot more likely to get beaten up until you tell them the code rather than they will be thwarted by your amazing 32-character, random password that makes your day a bloody misery since it takes forever to type the password every time you want to check your email.

Wrong.
My phone has strong encryption that you can't get into.
I use a 12 character alpha-numeric password.
I keep personal information on my phone.
I don't worry about losing it, because I have the information elsewhere.

I want the security that's more than good enough.
I want security that is so difficult to break that by the time you get into my device the information is useless. That means after I'm dead.

With my password I'm looking at 7x10^9 days at 26 million attempts per second.
That works for me.
 
A self destruct App is needed. Resets every 12, 24, 48 hours with a code.
Yep, this reminds me of the ‘original’ Magnum with Tom Selleck Pilot episode, when thieves try to steal his Ferrari and it just explodes......fantastic.
 
I learned long ago to use burner phones for my nefarious deeds and not to put that on an expensive smartphone. Good luck with them trying to get anything on me.
 
If I were a criminal, I probably would be very circumspect about what I said over an electronic device--phone, computer, etc.

But that's just me, and obviously there are a bunch of morons who transmit all kinds of criminal data/intent, hence the desire by LE to gain access to that info.
 
You will grasp it pretty quickly if yours ever gets compromised by bad actors.
Um, ok, let's see. What will they find on my phone that can be of any use...
My Messenger/SMS history? Go ahead, enjoy those snippets of my boring life.
My email? Hardly of any use unless you're out to send spam, in which case you would not bother to steal phones to get email addresses.
My pictures? Enjoy, just don't die from boredom. You won't get any money out of those.
My home address? Helluva lot easier just to look it up online.
Social security number? Look it up online instead.
My banking stuff? Protected by 10-digit code not related to my phone or anything else. If that gets cracked, they do not need my phone anyways.

I've said it before, this is all false security. If you have to hide everything about you from others, then they will find a way to steal that information, regardless of the security on your phone (perhaps try violence?).

If all information is free, why try to steal it? And when all information is free, it can no longer be abused.

Here you can find out where I live, my phone numbers, info about my house, who I live with and a lot more stuff, just by searching for my name:
Here you can find more stuff about me:
Pay $1 and they will tell you my social security number, my salary and loads more (it's actually free if you ask the right agency, but that is not available online, this site charges $1 for the online service).
They even know what cars I own and their value:

Yet here I am, not being abused.
How is this possible? Well, none of that stuff can be used to enter contracts or other malicious stuff. You need my approval, and that is only possible with a "irl" signature accompanied by a valid photo ID, or digital signing using my "Bank ID" issued by my bank (after checking my identity).

I would suggest that US customers started asking for 21st century security from merchants instead of their phones. To me, all this "encrypt my phone like it contains nuclear codes"-stuff seems more like someone wants to hide embarrassing nude selfies from getting out in the wild. I understand that it works differently in other countries, I've lived in the UK. Basing "trust" on utility bills seems like the most stupid thing ever.
Here, if someone charges you for stuff you didn't buy, you would just ask them to show your valid signature, digital or analogue. If that can't be presented, then they can just put their claims where the sun don't shine. They would not want to drag me to court, since that could mean that they would be charged instead of me.
 
With the way this guy talks, all Americans might as well leave a key to their homes under the floor mat so in case the police need to get into their home with a search warrant. The only problem with that is that a key under the mat for the police is also a key under the mat for a thief.

The simple truth is that these folks aren't the only ones trying to crack phones. At least they're doing it with a good intention-to investigate crime. Thousands of bad actors are out there trying to crack phones with far more nefarious purposes.

If you engineer a lock in such a way that it can be broken into when needed, such as when the key is lost or the police need in, it's only a matter of time before someone with not-so-good intentions catches on.
 
This - source code for crazy encryption has been out in the wild for a long time and you can't get that back. If they put backdoors in the phones for the included apps, then bad folks (and likely lots of good folks too) will simply start using encryption apps that aren't subject to the back doors. We'll have gotten rid of a good and useful thing and be no better off for it.
As a history lesson - at the time any encryption stronger than DES or 3DES 56/122 bit, I forget which, was classified as a munition and subject to US Arms Export Licensing. Made international commerce a problem due to security of payments (DES was crackable at state level back then). Phil Zimmermann (PGP) was hounded by the US government for distribution of his PGP code...
Um, ok, let's see. What will they find on my phone that can be of any use...
My Messenger/SMS history? Go ahead, enjoy those snippets of my boring life.
My email? Hardly of any use unless you're out to send spam, in which case you would not bother to steal phones to get email addresses.
My pictures? Enjoy, just don't die from boredom. You won't get any money out of those.
My home address? Helluva lot easier just to look it up online.
Social security number? Look it up online instead.
My banking stuff? Protected by 10-digit code not related to my phone or anything else. If that gets cracked, they do not need my phone anyways.

I've said it before, this is all false security. If you have to hide everything about you from others, then they will find a way to steal that information, regardless of the security on your phone (perhaps try violence?).

If all information is free, why try to steal it? And when all information is free, it can no longer be abused.

Here you can find out where I live, my phone numbers, info about my house, who I live with and a lot more stuff, just by searching for my name:
Here you can find more stuff about me:
Pay $1 and they will tell you my social security number, my salary and loads more (it's actually free if you ask the right agency, but that is not available online, this site charges $1 for the online service).
They even know what cars I own and their value:

Yet here I am, not being abused.
How is this possible? Well, none of that stuff can be used to enter contracts or other malicious stuff. You need my approval, and that is only possible with a "irl" signature accompanied by a valid photo ID, or digital signing using my "Bank ID" issued by my bank (after checking my identity).

I would suggest that US customers started asking for 21st century security from merchants instead of their phones. To me, all this "encrypt my phone like it contains nuclear codes"-stuff seems more like someone wants to hide embarrassing nude selfies from getting out in the wild. I understand that it works differently in other countries, I've lived in the UK. Basing "trust" on utility bills seems like the most stupid thing ever.
Here, if someone charges you for stuff you didn't buy, you would just ask them to show your valid signature, digital or analogue. If that can't be presented, then they can just put their claims where the sun don't shine. They would not want to drag me to court, since that could mean that they would be charged instead of me.

This isn't about YOU. There are plenty of examples of the judicial and law enforcement branches abusing their powers both in the USA and in many other countries.
At the same time there are also many things that are perfectly legal but that can be used as blackmail - Consider for example judges on cases that might be having illicit affairs, or that might be into kinky sex etc - J Edgar Hoover - President of the He was found to have exceeded the jurisdiction of the FBI,[2] and to have used the FBI to harass political dissenters and activists, to amass secret files on political leaders,[3] and to collect evidence using illegal methods.[4] Hoover consequently amassed a great deal of power and was in a position to intimidate and threaten others, including sitting presidents of the United States.[5]"
 
So they have a faraday cage and they use intelligent social engineering to get a start at passwords, okay.
The answer is not a backdoor that he is asking for.
For everyone that reads this you need an alphanumeric passcode.

My current passcode has 12 digits/letters and symbols.
This means that even if they can generate 26 million passcodes a second.

There are 46 keys * 2 functions for each key.
This means that my password has 3.68x10^23 combinations.
This is 1.4x10^16 seconds to brute force the attack or 3.9x10^12 hours.
So they will never brute force it unless they just get lucky.
Couple that with at the end of every attempt, the enter key must be used.
If you use a 4 digit passcode, a brute force attack renders it useless in 9999 attempts.
Actually it's half that if the approach is either sequential or starts from the middle.
A six digit passcode isn't better.
Use a password that has letters (upper and lower case) numbers and symbols.

A password that is any length is more secure than a passcode.
A password can be any length and makes it much more difficult to brute force.

If you use a less secure 4/6 digit passcode, you should have your phone set to wipe after 10 attempts.

I say don't give them a chance and I'm not doing anything illegal.
My right to privacy, is a right.

I gather this is the same advice for the password to unlock your Macbook, God forbid my Macbook was stolen, I would like to make it tough for the average criminal to see all of my info, if they want to reformat the drive and resell it, OK I can live with that, so I gather the same applies, total of 12, with a combo of digits/letters/symbols?
 
Um, ok, let's see. What will they find on my phone that can be of any use...
My Messenger/SMS history? Go ahead, enjoy those snippets of my boring life.
My email? Hardly of any use unless you're out to send spam, in which case you would not bother to steal phones to get email addresses.
My pictures? Enjoy, just don't die from boredom. You won't get any money out of those.
My home address? Helluva lot easier just to look it up online.
Social security number? Look it up online instead.
My banking stuff? Protected by 10-digit code not related to my phone or anything else. If that gets cracked, they do not need my phone anyways.

I've said it before, this is all false security. If you have to hide everything about you from others, then they will find a way to steal that information, regardless of the security on your phone (perhaps try violence?).

If all information is free, why try to steal it? And when all information is free, it can no longer be abused.

Here you can find out where I live, my phone numbers, info about my house, who I live with and a lot more stuff, just by searching for my name:
Here you can find more stuff about me:
Pay $1 and they will tell you my social security number, my salary and loads more (it's actually free if you ask the right agency, but that is not available online, this site charges $1 for the online service).
They even know what cars I own and their value:

Yet here I am, not being abused.
How is this possible? Well, none of that stuff can be used to enter contracts or other malicious stuff. You need my approval, and that is only possible with a "irl" signature accompanied by a valid photo ID, or digital signing using my "Bank ID" issued by my bank (after checking my identity).

I would suggest that US customers started asking for 21st century security from merchants instead of their phones. To me, all this "encrypt my phone like it contains nuclear codes"-stuff seems more like someone wants to hide embarrassing nude selfies from getting out in the wild. I understand that it works differently in other countries, I've lived in the UK. Basing "trust" on utility bills seems like the most stupid thing ever.
Here, if someone charges you for stuff you didn't buy, you would just ask them to show your valid signature, digital or analogue. If that can't be presented, then they can just put their claims where the sun don't shine. They would not want to drag me to court, since that could mean that they would be charged instead of me.

So you’re okay with this because you live a boring life?

Sorry that some of us actually have exciting things going on. I get Noods sent to me all the time and I am more than certain that many, many others on here are getting the same.

My phone has a lot of stuff in it that I do not want ANYONE to see. Why? Because I can. It’s MY phone. I paid $1000+ for. So hell no do I want some shmuck who doesn’t even like his job to have access to my phone, my memories, my videos, my messages and where I have been. The day this happens is the day that the smart phone will die.
 