Should Apple help government hack into the phone of dead terrorist?

[Dan Druff]

There is a current controversy going on regarding Apple and the FBI.

The FBI wants Apple to open up the phone of Syed Farook, one of the San Bernadino shooters.

Farook had his phone locked via the standard 4-digit Apple passcode. The FBI is afraid to "brute force" every one of the 10,000 passcode combinations, because the iPhone has a feature where the phone can be auto-wiped if a wrong passcode is entered 10 times in a row. It is impossible to tell if Farook had that feature enabled.

Apple is refusing to do this. Here is CEO Tim Cook's statement about it: https://www.apple.com/customer-letter/

Basically, Cook argues that nobody -- even Apple -- can break through a passcode on an iPhone, due to strong encryption. They are afraid that if they create a way, then it can be used to compromise security on all iPhones if the method gets into the wrong hands.

I reject this argument. Cook likens the creation of software to allow this as a "master key" which could break into encryption everywhere. He is way overstating it. First off, this piece of software could be developed under strict supervision, and destroyed after it is used to break into this iPhone. The FBI isn't demanding a way to access all iPhones -- just this very important one. (It is true that the FBI has requested a backdoor be created for them for all iPhones in the past, but Apple refused, and the FBI left it alone at that point.)

Second, Cook is treating their current encryption methodology as the only form of encryption in the world. If he is really worried that this tool could be re-created by someone in the company involved in building it, they can simply re-engineer the phone's encryption, yielding the method useless. For example, say that someone (a hacker or insider) found a way to break the encryption and force their way past phone passcodes. Would Apple be helpless? Or could they release an update to their iOS to render that technique useless? Of course it would be the latter, and the same applies here, where they are basically hacking their own phone.

It sounds to me that Apple is just so ideologically opposed to breaking through their own encryption that they are refusing to look at this from a practical standpoint.

It also sounds like they're being lazy/cheap. They don't want to break their encryption and then be responsible for rebuilding it so it's impenetrable again. They more feel like shooing the FBI away with a simple, "Sorry, can't do it, our customers will all be at risk", and washing their hands of the situation.

Also, in general I don't like the idea of a device as common as the iPhone being able to be locked from EVERYONE (including the FBI) by entering a simple passcode. On the surface it sounds great (keep dat guvmint outta yo bidness), but in reality it protects murderers, child molesters, terrorists, etc. While the truly technical savvy will always find ways to create unbreakable encryption of important data, this power shouldn't be in the hands of the average person. For example, Syed Farook was no computer genius. He did not have the ability to encrypt anything. In fact, I doubt he knew that his phone couldn't be broken into after-the-fact. He probably acted so hastily that he didn't bother destroying his phone, or perhaps he was delusional enough to think he would get away, and somehow could still use the phone without being traced.

Bottom line is that I don't want the average criminal or terrorist being able to successfully hide evidence by just entering 4 numbers.

[sonatine]

They could do it, 100%.

I think this is probably more of a 'we need to push back or we are going to get hundreds of these requests a day eventually' type response, bolstered by the obvious marketing/propoganda benefits of telling the feds to fuck themselves.

[simpdog]

Druff are you starting to warm up to Trump?


"I agree 100% with the courts," Trump said on "Fox and Friends" on Wednesday morning. "In that case, we should open it up. I think security over all -- we have to open it up, and we have to use our heads. We have to use common sense."


IMO the FBI should be able to hack the phone themselves without any Apple intervention.

[sonatine]

Also the issue isnt the master key or encryption at all. The workaround would be to assault the chip that controls the lockout doomsday firmware then bruteforce the PIN.

[sonatine]

Also relevant; the phone doesnt even belong to the shooter apparently, it belongs to his employer, who has given permission to have its encryption broken for this investigation.

[Mintjewlips]

Just another case of our intelligence agency's not sharing information. I'm sure the NSA has everything they need to know about this individual, but its very common(even after the patriot act) for these intelligence agency's to not share information and even lie to each other. I don't know why they do it but it happens still after the Patriot act was passed and even bulked up to more extremes.

http://m.nextgov.com/defense/2012/08...ctivity/57496/

[Mintjewlips]

The CEO of apple is just grandstanding at best, apple has been shitting the bed so news of cooperation would look bad to the people who are concerned about privacy. But the reality is we're already spied on relentlessly, everything we do is monitored by one agency or another. This idea of companies "assuring" the public that their products aren't comprimised is total bullshit. Google and apple both work with the government and they get major tax breaks to do so along with billions in compensation.

[TheXFactor]

There is a current controversy going on regarding Apple and the FBI.

The FBI wants Apple to open up the phone of Syed Farook, one of the San Bernadino shooters.

Farook had his phone locked via the standard 4-digit Apple passcode. The FBI is afraid to "brute force" every one of the 10,000 passcode combinations, because the iPhone has a feature where the phone can be auto-wiped if a wrong passcode is entered 10 times in a row. It is impossible to tell if Farook had that feature enabled.

Apple is refusing to do this. Here is CEO Tim Cook's statement about it: https://www.apple.com/customer-letter/

Basically, Cook argues that nobody -- even Apple -- can break through a passcode on an iPhone, due to strong encryption. They are afraid that if they create a way, then it can be used to compromise security on all iPhones if the method gets into the wrong hands.

I reject this argument. Cook likens the creation of software to allow this as a "master key" which could break into encryption everywhere. He is way overstating it. First off, this piece of software could be developed under strict supervision, and destroyed after it is used to break into this iPhone. The FBI isn't demanding a way to access all iPhones -- just this very important one. (It is true that the FBI has requested a backdoor be created for them for all iPhones in the past, but Apple refused, and the FBI left it alone at that point.)

Second, Cook is treating their current encryption methodology as the only form of encryption in the world. If he is really worried that this tool could be re-created by someone in the company involved in building it, they can simply re-engineer the phone's encryption, yielding the method useless. For example, say that someone (a hacker or insider) found a way to break the encryption and force their way past phone passcodes. Would Apple be helpless? Or could they release an update to their iOS to render that technique useless? Of course it would be the latter, and the same applies here, where they are basically hacking their own phone.

It sounds to me that Apple is just so ideologically opposed to breaking through their own encryption that they are refusing to look at this from a practical standpoint.

It also sounds like they're being lazy/cheap. They don't want to break their encryption and then be responsible for rebuilding it so it's impenetrable again. They more feel like shooing the FBI away with a simple, "Sorry, can't do it, our customers will all be at risk", and washing their hands of the situation.

Also, in general I don't like the idea of a device as common as the iPhone being able to be locked from EVERYONE (including the FBI) by entering a simple passcode. On the surface it sounds great (keep dat guvmint outta yo bidness), but in reality it protects murderers, child molesters, terrorists, etc. While the truly technical savvy will always find ways to create unbreakable encryption of important data, this power shouldn't be in the hands of the average person. For example, Syed Farook was no computer genius. He did not have the ability to encrypt anything. In fact, I doubt he knew that his phone couldn't be broken into after-the-fact. He probably acted so hastily that he didn't bother destroying his phone, or perhaps he was delusional enough to think he would get away, and somehow could still use the phone without being traced.

Bottom line is that I don't want the average criminal or terrorist being able to successfully hide evidence by just entering 4 numbers.

You would.

If Apple did unlock this phone even if it's a iPhone belonging to terrorists, the legal argument could allow the U.S. government to do it to any other iPhone.

Why can't the FBI illegally use the dead terrorists fingerprints to open the iPhone?

[abrown83]

People are literally retarded and don't use random pins.

I would bet I could unlock the phone in less than eight attempts if given all of his personal information

[SrslySirius]

I reject this argument. Cook likens the creation of software to allow this as a "master key" which could break into encryption everywhere. He is way overstating it. First off, this piece of software could be developed under strict supervision, and destroyed after it is used to break into this iPhone. The FBI isn't demanding a way to access all iPhones -- just this very important one. (It is true that the FBI has requested a backdoor be created for them for all iPhones in the past, but Apple refused, and the FBI left it alone at that point.)

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

How does Apple comply with this request without revealing how it was done? Would the FBI simply hand over the phone and not observe Apple's people doing the work? After Apple returns the phone, would the FBI be able to see what was done and repeat it? If the workaround involves fiddling with the hardware, could an iOS update actually prevent it from being done again? Does encryption really serve any purpose if we actively work on circumventing it?

These are not rhetorical questions (except maybe the last one). I really don't know much about infosec.

[sonatine]

Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.

In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.

How does Apple comply with this request without revealing how it was done? Would the FBI simply hand over the phone and not observe Apple's people doing the work? After Apple returns the phone, would the FBI be able to see what was done and repeat it? If the workaround involves fiddling with the hardware, could an iOS update actually prevent it from being done again? Does encryption really serve any purpose if we actively work on circumventing it?

These are not rhetorical questions (except maybe the last one). I really don't know much about infosec.

I believe the court order was for the unencrypted data and/or PIN, not to produce a viable backdoor, so I doubt there would be any FBI involvement beyond signing for the output once handed off. And Apple could, in theory, cover their tracks with regards to specific breach techniques, but probably the FBI could figure out how things went down by visually inspecting the circuitry and seeing which chips had their pins exposed by having the protective enamel burnt off with acid (SOP, generally).

That said, I think the only reason this dust up is taking place is because the NSA already has the tools to get the data and those tools are classified, so it makes sense to at least try to get Apple to do it.

As for IOS updates 'fixing' the backdoor, I seriously doubt it. A lot of those chips are deliberately installed 'read-only' with hardware mitigations to enforce it, but those hardware mitigations go out the window completely when you expose the actual inner guts of the chip and know what youre doing. Plus a lot of them checksum their image and verify integrity against another read-only source so youre now compromising two chips, or dedicating a lot of work to modifying the image in a way that doesnt impact the checksum, which we've already seen in the wild with MD5 in the form of discreet bit modifications (and hash collisions (hence file integrity checks, SSL certs, binary keys etc no longer using MD5 or worse)). And maybe they use that checksum as a salt for the encryption of the data, at which point you now need to intercept that signal in real time and MITM it both ways during the decrypt'ish() calls.

And honestly I dont think Apple even has the tools to do that.
edit: this ^^^ is retarded, of course they do.


The NSA should, however.

Again, just spitballing, this isnt my strength.

[devidee]

No, Apple should not.

[Sanlmar]

Perfectly willing to sacrifice a few pawns for me freedom & privacy. Many guys gave their lives in conventional warfare for such things.

Snowden informed us that the government is already pretty well equipped. A little brushback from Apple is a healthy check.

I coulda scripted your response Sonatine. Everything but an opinion. Shooting for par.

[Baron Von Strucker]

I have a iPhone 6s and have been able to unlock my iPhone finger print id with latex gloves on, i can only do this when they are newly fitted but will work most times, they are not super thin either I wonder if the phone can read through them or the latex is working with my finger print that is likely already on the button?

i would think the powers that be can unlock any ones phone but are trying to set president so they can force apple and other phone company to create programs so they can hack phones at will remotely.

[simpdog]

I have a iPhone 6s and have been able to unlock my iPhone finger print id with latex gloves on, i can only do this when they are newly fitted but will work most times, they are not super thin either I wonder if the phone can read through them or the latex is working with my finger print that is likely already on the button?

i would think the powers that be can unlock any ones phone but are trying to set president so they can force apple and other phone company to create programs so they can hack phones at will remotely.

Did you use a new pair of gloves or the same ones you used to massage your prostate?

In order to test your theory why not have someone else attempt to press the button?

[Dan Druff]

Apple must have the ability, because they are refusing to comply. If they lacked the ability, that would be an easy way out (plus it would make them look good to the privacy fanatics).

For the most part, whether software or hardware, if you built it, you also know how to break into it.

I believe that's the case here.

I don't believe the FBI will be able to reproduce the technique unless they are standing over the Apple techs watching every move, which I doubt they would be allowed to do.

[Gordman]

[Sanlmar]

The paper shredding companies are required to reproduce the original document so there is already precedence

If Apple provides a back door, if you think only the good guys will eyeball your stuff you are naive.

[Sanlmar]

How does Apple comply with this request without revealing how it was done? Would the FBI simply hand over the phone and not observe Apple's people doing the work? After Apple returns the phone, would the FBI be able to see what was done and repeat it? If the workaround involves fiddling with the hardware, could an iOS update actually prevent it from being done again? Does encryption really serve any purpose if we actively work on circumventing it?

These are not rhetorical questions (except maybe the last one). I really don't know much about infosec.

I believe the court order was for the unencrypted data and/or PIN, not to produce a viable backdoor, so I doubt there would be any FBI involvement beyond signing for the output once handed off. And Apple could, in theory, cover their tracks with regards to specific breach techniques, but probably the FBI could figure out how things went down by visually inspecting the circuitry and seeing which chips had their pins exposed by having the protective enamel burnt off with acid (SOP, generally).

That said, I think the only reason this dust up is taking place is because the NSA already has the tools to get the data and those tools are classified, so it makes sense to at least try to get Apple to do it.

As for IOS updates 'fixing' the backdoor, I seriously doubt it. A lot of those chips are deliberately installed 'read-only' with hardware mitigations to enforce it, but those hardware mitigations go out the window completely when you expose the actual inner guts of the chip and know what youre doing. Plus a lot of them checksum their image and verify integrity against another read-only source so youre now compromising two chips, or dedicating a lot of work to modifying the image in a way that doesnt impact the checksum, which we've already seen in the wild with MD5 in the form of discreet bit modifications (and hash collisions (hence file integrity checks, SSL certs, binary keys etc no longer using MD5 or worse)). And maybe they use that checksum as a salt for the encryption of the data, at which point you now need to intercept that signal in real time and MITM it both ways during the decrypt'ish() calls.

And honestly I dont think Apple even has the tools to do that.



The NSA should, however.

Again, just spitballing, this isnt my strength.

Break out the soldering iron and solder sucker and perform a little chip/pal surgery and write some complementary code.

It's done. But fuck em.

[El Gallo]

It's a fucked up situation because Apple and other companies have their customers best interest in mind, or at least they should because that's how you get them to buy more stuff. I get the need to be able to break into phones that belong to terrorists. For example, if a bomb is set to go off somewhere or if what's on a phone could stop a mass murderer.

The issue is that you just can't trust that kind of power to the government. They have shown time and time again that if you give them a tiny opening... an inch... they will take 1000 miles. They have shown blatant disregard for the rights of everyday civilians in terms of privacy. They go so far as to flat out lie. If not for Snowden I think I might be ok with the Apple giving the government the ability to gain access to encrypted information. Things are different now and Apple was put in the very difficult situation of having to set precedent for the smaller guys.

The alternative is leaving the decision as to whether or not to break into someones phone to the corporations like Apple, and that seems counter intuitive. Can you imagine the FBI or CIA having to lay out why they need access to the phone each time? Having to prove someone is a terrorist or if an attack is eminent. So you have to choose and stand firm. Once you grant access the government will abuse it, we know this.... but it could save lives... maybe... someday.

I side with simply never giving them a way to access the information. It's technically illegal, but someone like Apple might help make a stand.

Google caves on all this BTW... like right away. If Steve Jobs was still around I'm sure he would have sent a strongly worded letter telling them to go fuck themselves.