After suddenly dropping Apple case, FBI now defeating security on iPhones in other cases


#1

[Read the post]


#2

DMCA to the rescue!


#3

Dick pics for everybody!!!


#4

So the FBI learned that Apple’s claims of airtight security are grossly exaggerated. I’m wondering if Apple leadership is quietly relieved. They couldn’t very well say our products are imperfect, but they knew it and really the only people who seemed not to were the FBI. Did someone at the Hoover building finally swallow their pride and take a trip up to Fort Meade to ask for help?


#5

“What’s clear is that the FBI does not have the in-house capability to develop exploits,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an encrypted phone call.

Yeah, you heard that right. VICE is hip! nyah nyah nyah nyah nyah!


#6

yeah isn’t this illegal under the DMCA? Can’t Apple sue the Feds for this?

Where’s my popcorn?


#7

If the FBI had an intern who’d taken the first semester of the Intro to Computer Science course at his college, they knew that neither Apple nor anyone else had built “airtight security” into a physical device.

Obviously they’d have preferred to establish a precedent where Apple could be compelled to create exploits as needed and on demand, but I don’t think anyone thought that this phone would stay at the lock screen forever if the FBI really and truly wanted in.


#8

Well, Apple came out the loser here. Although the FBI didn’t get the court ruling they wanted, it appears they don’t need it. But for Apple, they’re now branded as the maker of a phone with poor security.


#9

and yet

But for many of the remaining American smartphone users, strong data encryption was never really an option. Most Android phones don’t encrypt the data that’s stored on the device, and many come with messaging services that don’t encrypt data that’s sent back and forth between devices.
Unlike iPhones, which are exclusively made by Apple, Android phones are produced by many different manufacturers. That’s made it much more difficult for Google—the company that designs Android software—to turn on device encryption by default. Many of the devices that run Android software have cheap or out-of-date hardware that can’t handle continuous encryption and decryption. Google recently required that all new Android devices encrypt device data by default—but exempted slower (and therefore cheaper) phones, making encryption a de-facto luxury feature

so yes. Apple needs to go back to the drawing board. But that doesn’t mean that Android can be legitimately described as the secure alternative.


#10

I guess, if you don’t know anything about encryption or security…

But there’s no such thing as perfect security, especially if the attacker has physical access to the device.


#11

I think that you may be overestimating the curriculum of Intro CS 1.


#12

We still don’t know what mysterious ‘outside assistance’ the FBI received, and rumors that an Israeli firm sold them an exploit remain unverified. The government says it won’t share the method it used to access the San Bernardino iPhone, but it feels safe to assume that however they did it, they bought the rights to do it again and again.
Or, they bought the rights to do it once. What are the chances of the Israeli firm successfully suing them if they do it again and again?


#13

Maybe. But it can’t be that obscure a computing/security concept if I know it.


#14

Correct. Because that title belongs to Windows. Yeah.


#15

NAND mirroring, sucka. It’s not rocket science.


#16

the FBI is just like all of us who can’t stop eating salty snacks.


#17

https://technet.microsoft.com/en-us/library/hh278941.aspx

The ten immutable laws of security, law #3 in effect here. Once they have physical access to your device, it’s not your device.


#18

In the end, it may be as simple as making a mock fingerprint and using that. Remember that you may not be forced to reveal your password, but law enforcement can take your fingerprints and use them. It just requires a special printer to make a usable copy, and is a known hack.

In other words, the whole cracking the PIN thing might be a smokescreen.


#19

At least not when you pit a consumer-priced widget against a nation-state budget. Commercial software may actually be of higher quality than all but the formally-verified-at-great-expense specialty stuff; because development costs get spread over a zillion units; but pretty much the only resistance to physical attacks in consumer toys is either a side effect of miniaturization and integration and devices built to be user-serviceable only by nanites; or because some DRM scheme demands it.

I’m not sure whether offense or defense is currently the winner in the world of nation-state budget secure hardware; but that’s a lot scarcer and harder to get physical access to.


#20

The 5c didn’t include a fingerprint sensor, so that was vanishingly unlikely to be the attack in this case; but in general fingerprint readers are a pure convenience feature against all but the most casual of attackers. Lifting a print just isn’t all that hard, and sensors just aren’t all that picky. Better than nothing against a nosy roommate or something; but that’s a low bar to clear.