
Apple just confirmed new security feature to stop hardware based attacks, Grayshift says they found a way around it

Source: 9to5 Mac [here] [here], Vice

 


Quote

An Apple spokesperson explains in a statement that the company is constantly looking for ways to improve the security protections of its devices.

 

As we highlighted last week, the new USB Restricted Mode requires that an iPhone be unlocked with a passcode when connected to a computer via USB if the device has not already been unlocked in the last hour.

 

It’s easy to jump to the conclusion that this change is purely an effort to block law enforcement from using brute force tactics to gain access to iOS devices. Apple, however, says it doesn’t design its devices to frustrate those who are trying to do their jobs:

"We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple said in a prepared statement. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”

 

Apple added that when it learned of the techniques being used to gain access to passcode-protected devices, it decided to simply alter existing security measures and that it was working on the feature before it knew how law enforcement was taking advantage of such techniques:

Apple began working on the USB issue before learning it was a favorite of law enforcement. Apple said that after it learned of the techniques, it reviewed the iPhone operating system code and improved security. It decided to simply alter the setting, a cruder way of preventing most of the potential access by unfriendly parties.

So I made a thread just a month ago about how some people spotted a new security feature which stops all data transfer in the lightning port in order to stop attacks like Grayshift box.

It's basically like how IT staff restrict employees from plugging in random flash drives picked up from the parking lot. Now Grayshift is claiming that they managed to circumvent Apple's new security feature. In a Vice article, they received an email from a Grayshift employee saying that they found a way to get around it.

Quote

But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.

 

“Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on,” a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff.

“They seem very confident in their staying power for the future right now,” the email adds.

 

A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago. Apple’s new feature is still alarming law enforcement, though.

 

“Of course they are concerned,” one source with access to restricted forums used by law enforcement told Motherboard. Motherboard granted several sources in this story anonymity to talk about sensitive industry developments.

 

Motherboard found Grayshift has relationships with federal, state, and local law enforcement agencies, including the FBI, DEA, and Secret Service. New emails show the New York State Police is in contact with Grayshift.

Even if what Grayshift's saying is true, remember that iOS 12 is still in beta 1 so a plethora of bugs are expected. If it's true that they managed to get around it, it's possible that Apple is not totally restricting data. Maybe what they need is a disable feature that completely turns off the lightning port even to power. With USB restricted mode, all it does is turn off data transfer but allow power and it's not like when you disable USB from the device manager which also turns off power transfer.


 

Well, it looks like it will be a long lasting cat and mouse game between Apple and the feds and hackers. When Apple said "Apple said that after it learned of the techniques, it reviewed the iPhone operating system code and improved security.", is it possible that they managed to get snippets of Grayshift's source code and learned how to bypass it? Remember that Grayshift's source code was allegedly stolen and snippets got leaked.

Even if Apple has the resources to put Grayshift into obscurity either by fake news or a cyberattack, Apple's security battle is a steep hill to climb considering that the execs of Grayshift are in bed with the feds.

 

Also, here's an interesting video from Black Hat 2016 conference where for the first time, Apple participated in a security conference I think where they showcased the new and improved security features of iOS 10 like hardened WebKit JIT mapping, encryption, etc. And here's the part where you can get angry at me, I think when it comes to security iOS is better than Android but at the expense of customizability and making it personal. It's also possible that Grayshift is just bluffing but who knows.

 


Just now, VegetableStu said:

could it be because Apple whitelists their own MFi stuff, and the Greybox people spoofs those devices? o_o

From what I read, Apple's USB restricted mode will stop all data transfer in the lightning port and that includes their own peripherals including the bundled lightning EarPods and the only thing that will work is charging. Grayshift claims they found a way around it so who knows? I know Apple is serious when it comes to iOS security and they quickly patch vulnerabilities when reported so there might be a chance that Grayshift is just bluffing. ¯\_(ツ)_/¯


18 minutes ago, VegetableStu said:

actually thought #2: what would USB restrictions do for invoking DFU mode? o_o

I'm not sure since I'm not risking a beta OS on my own iPhone.


Saying is a lot different to demonstrating. I wouldn't hold your breath. 


2 hours ago, RorzNZ said:

Saying is a lot different to demonstrating. I wouldn't hold your breath. 

They did deliver before and what they delivered to an extent forced Apple to implement USB Restricted Mode. It would be interesting to see how they did it though.

7 hours ago, captain_to_fire said:

Maybe what they need is a disable feature that completely turns off the lightning port even to power. With USB restricted mode, all it does is turn off data transfer but allow power and it's not like when you disable USB from the device manager which also turns off power transfer.

Cutting power would be an unreasonable overreaction as I am fairly certain you cannot "hack" a voltage converter. I would expect that Apple ensured that USB Restricted Mode (URM) will only be activated if the device has not been unlocked in the past hour and no data is currently being transferred - copying 250GB of images could well take that long over a USB 2.0 connection.


40 minutes ago, ScratchCat said:

copying 250GB of images could well take that long over a USB 2.0 connection

No available iPhone can hold 250GB of images though.

 

And you should be able to set a timer for when URM should kick in. Personally I would want it the same moment as my phone is locked. 
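The two posts above disagree about when the restriction should kick in: ScratchCat expects a one-hour window and no cut-off while a transfer is running, Cheezdoodlez wants it the moment the phone locks. The following is an added toy model of that policy, written for this thread and not Apple's implementation; the one-hour default, the "an in-progress transfer is not interrupted" flag, and the timestamps are all assumptions made to show how the two preferences differ in behaviour.

```python
"""Toy model of a USB Restricted Mode style gate on the data lines.
Constructed for illustration; not Apple's code, and the grace window,
transfer flag and timestamps are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class UsbRestrictedModePolicy:
    # Window after the last unlock during which the data lines stay usable.
    # Apple's stated value is one hour; timedelta(0) models "restrict the
    # moment the phone locks".
    grace: timedelta = timedelta(hours=1)
    unlocked: bool = False
    last_unlock: Optional[datetime] = None
    # Assumption: a transfer that began while data was allowed is not cut
    # off mid-way, so a long copy does not get killed by the timer.
    transfer_active: bool = False

    def unlock(self, now: datetime) -> None:
        self.unlocked = True
        self.last_unlock = now

    def lock(self) -> None:
        self.unlocked = False

    def data_allowed(self, now: datetime) -> bool:
        if self.unlocked or self.transfer_active:
            return True
        if self.last_unlock is None:
            return False
        return now - self.last_unlock < self.grace

    def begin_transfer(self, now: datetime) -> bool:
        """Start a transfer only if the gate is open; returns whether it started."""
        if not self.data_allowed(now):
            return False
        self.transfer_active = True
        return True

    def end_transfer(self) -> None:
        self.transfer_active = False

    def on_connect(self, now: datetime) -> str:
        # Power is always accepted; only the data role is gated.
        return "charge+data" if self.data_allowed(now) else "charge-only"


def run_scenario() -> list:
    """Walk a constructed timeline with the one-hour policy and return each decision."""
    t0 = datetime(2018, 6, 16, 9, 0)  # constructed timestamp
    p = UsbRestrictedModePolicy()
    steps = [("never unlocked", p.on_connect(t0))]
    p.unlock(t0)
    p.lock()
    steps.append(("30 min after unlock", p.on_connect(t0 + timedelta(minutes=30))))
    steps.append(("61 min after unlock", p.on_connect(t0 + timedelta(minutes=61))))
    t1 = t0 + timedelta(minutes=61)
    p.unlock(t1)
    started = p.begin_transfer(t1 + timedelta(minutes=1))
    p.lock()
    steps.append(("transfer started", started))
    steps.append(("2 h into long transfer", p.on_connect(t1 + timedelta(hours=2))))
    p.end_transfer()
    steps.append(("after transfer ends", p.on_connect(t1 + timedelta(hours=2))))
    return steps


def strict_policy_demo() -> tuple:
    """Zero grace: the data lines close the instant the screen locks."""
    t0 = datetime(2018, 6, 16, 9, 0)  # constructed timestamp
    p = UsbRestrictedModePolicy(grace=timedelta(0))
    p.unlock(t0)
    while_unlocked = p.on_connect(t0)
    p.lock()
    right_after_lock = p.on_connect(t0 + timedelta(seconds=1))
    return while_unlocked, right_after_lock


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{label:24} -> {decision}")
    print("strict policy:", strict_policy_demo())
```

The model makes the trade-off visible: the one-hour window lets a copy that started while unlocked finish, while the zero-grace variant refuses data one second after locking. Either way the connector still charges, which is the distinction captain_to_fire drew between this mode and disabling a USB port on a PC.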


Apple should hire some top of the line security experts and put these Grayshift people in their place once and for all. 


1 hour ago, huilun02 said:

Stop hardware based attacks you say?

 


 

Doesn't seem like Grayshift needs to do anything to prove their point

Kind of difficult to recover data if the thing won't even boot to decrypt said data.

 

2 hours ago, DrMacintosh said:

Apple should hire some top of the line security experts and put these Grayshift people in their place once and for all. 

I would be surprised if, given Apple's vast financial resources, they haven't been doing this.


build a better mousetrap and they'll build a better mouse.  If they ever find a way to 100% protect the information on a phone the FBI will find a way to either make you unlock it or make it a federal offense to carry a locked phone. 


17 hours ago, captain_to_fire said:

It's basically like how IT staff restrict employees from plugging in random flash drives picked up from the parking lot. Now Grayshift is claiming that they managed to circumvent Apple's new security feature. In a Vice article, they received an email from a Grayshift employee saying that they found a way to get around it.

Even if what Grayshift's saying is true, remember that iOS 12 is still in beta 1 so a plethora of bugs are expected. If it's true that they managed to get around it, it's possible that Apple is not totally restricting data. Maybe what they need is a disable feature that completely turns off the lightning port even to power. With USB restricted mode, all it does is turn off data transfer but allow power and it's not like when you disable USB from the device manager which also turns off power transfer.


The difference here is that with a Windows computer you've got the device acting solely as a host so you can disable a port entirely, even going so far as shutting down the control chip if you want, and the controller doesn't need to allow being backfed power.

 

With an iPhone you *need* to have a controller that can be backfed. Why? Because if the phone battery drains completely, you need to be able to power the controller so that you can power the charging circuitry and then charge the battery. If there's a hardware cutoff? RIP phone.

 

As soon as the controller is capable of taking in power you can achieve hardware level exploits against the USB controller and go from there. With current iPhones and iPads there's no hardware cutoff for the data lanes between the controller and the port, it just tells the controller not to attach new devices, so you can just launch any standard USB attack against the controller, just not talk to the OS. But even if on future devices they cut off the data connection between the controller and port, you could potentially attack the controller over VBUS or with other workarounds.

 

Is this for sure what they're doing? No. Do they even for sure have an exploit at all? No. I'm just saying that if they're determined this is one example of an attack vector they could try to implement, and one that can't be patched without a hardware revision or at the very *very* least new firmware for the USB controller.


3 hours ago, DrMacintosh said:

Apple should hire some top of the line security experts and put these Grayshift people in their place once and for all. 

They really should already have top of the line security people as part of normal business.  I mean for a company that size, it would be not only embarrassing, but downright negligent not to.

 

Further, I've tried to read through this story and I still don't really know what's going on or why any of it matters.  Maybe it will help if I explain what I understand to be true and let someone point out where I'm wrong:

 

Last I checked, Android, Windows Phone, and iOS all provide the ability to connect to a computer over USB, and once you've done that, by default it will only charge, but if (and only if) you enter a pin, you can "unlock" additional mode(s), including the ability to transfer files or sync with itunes, etc.

 

So yeah... anyone got some clarification?


On 6/16/2018 at 10:26 AM, ScratchCat said:

They did deliver before and what they delivered to an extent forced Apple to implement USB Restricted Mode. It would be interesting to see how they did it though.

They have a reputation to uphold now that these agencies depend on them. They wouldn't say they can't do it. 


5 minutes ago, Ryan_Vickers said:

Last I checked, Android, Windows Phone, and iOS all provide the ability to connect to a computer over USB, and once you've done that, by default it will only charge, but if (and only if) you enter a pin, you can "unlock" additional mode(s), including the ability to transfer files or sync with itunes, etc.

 

So yeah... anyone got some clarification?

From what I read about Grayshift, they do dictionary based attacks that can get around Apple’s anti brute force features including the one asking for a PIN once connected to a new computer. What URM is supposed to do is, after the iPhone/iPad has not been unlocked for an hour, URM kicks in and tells the USB controller to deny all reads and writes on the lightning port, so it wouldn’t matter if Grayshift is leveraging an unpatched vulnerability. Grayshift however claims otherwise and says they found a way around it.

 

Given that Grayshift is in bed with the feds, maybe they’re looking for other ways to hack iPhones maybe through spearphishing emails or whatever.  


5 minutes ago, captain_to_fire said:

From what I read about Grayshift, they do dictionary based attacks that can get around Apple’s anti brute force features including the one asking for a PIN once connected to a new computer. What URM is supposed to do is, after the iPhone/iPad has not been unlocked for an hour, URM kicks in and tells the USB controller to deny all reads and writes on the lightning port, so it wouldn’t matter if Grayshift is leveraging an unpatched vulnerability. Grayshift however claims otherwise and says they found a way around it.

 

Given that Grayshift is in bed with the feds, maybe they’re looking for other ways to hack iPhones maybe through spearphishing emails or whatever.  

So iOS accepts receiving the pin you must enter in order to unlock it and transfer data over USB?  I had always just assumed it and the other platforms would only accept typing it on the screen as a viable input.  Accepting it over USB seems like a huge design flaw, both because there's no reason that should ever be necessary, and because it opens the doors for attacks exactly like this.


9 hours ago, Cheezdoodlez said:

No available iPhone can hold 250GB of images though.

 

And you should be able to set a timer for when URM should kick in. Personally I would want it the same moment as my phone is locked. 


Maybe 220GB if you include the OS and formatting but my point still stands.


5 minutes ago, Ryan_Vickers said:

So iOS accepts receiving the pin you must enter in order to unlock it and transfer data over USB?  I had always just assumed it and the other platforms would only accept typing it on the screen as a viable input.  Accepting it over USB seems like a huge design flaw, both because there's no reason that should ever be necessary, and because it opens the doors for attacks exactly like this.

Well it should be unlocked by either biometrics (Face/Touch ID) or PIN in order to unlock the phone and enable data transfer in the USB controller. It’s possible that Grayshift managed to be sneaky and mask data transfer as power charging. 

 

But from your earlier comment, I agree that Apple should have the best security experts given that the iPhone has become the new Blackberry. Remember the days when Blackberry by RIM means business including end to end encryption with BBM and others? 


24 minutes ago, Ryan_Vickers said:

They really should already have top of the line security people as part of normal business.  I mean for a company that size, it would be not only embarrassing, but downright negligent not to.

 

Further, I've tried to read through this story and I still don't really know what's going on or why any of it matters.  Maybe it will help if I explain what I understand to be true and let someone point out where I'm wrong:

 

Last I checked, Android, Windows Phone, and iOS all provide the ability to connect to a computer over USB, and once you've done that, by default it will only charge, but if (and only if) you enter a pin, you can "unlock" additional mode(s), including the ability to transfer files or sync with itunes, etc.

 

So yeah... anyone got some clarification?

 

8 minutes ago, Ryan_Vickers said:

So iOS accepts receiving the pin you must enter in order to unlock it and transfer data over USB?  I had always just assumed it and the other platforms would only accept typing it on the screen as a viable input.  Accepting it over USB seems like a huge design flaw, both because there's no reason that should ever be necessary, and because it opens the doors for attacks exactly like this.

I'm not super clear how Grayshift works, but it functions in peripheral mode, not host mode afaik. It's more akin to plugging a keyboard or USB stick into your phone than it is to plugging your phone into a computer.

 

It then makes use of a number of hardware and software vulnerabilities to get the pins and unlock the device. Again entirely undocumented, I don't know details of how this all works.

 

But to be clear this isn't an iOS problem, it's a computer problem. As I mentioned above, as soon as you have a device with some kind of public bus and a controller on that bus you should assume your device can be compromised by physical access. Not easily. Not trivially. But it can be done.


6 minutes ago, ScratchCat said:

Maybe 220GB if you include the OS and formatting but my point still stands.

iOS 11 plus drivers only take up around five gigs of storage 


3 minutes ago, Sniperfox47 said:

 

I'm not super clear how Grayshift works, but it functions in peripheral mode, not host mode afaik. It's more akin to plugging a keyboard or USB stick into your phone than it is to plugging your phone into a computer.

 

It then makes use of a number of hardware and software vulnerabilities to get the pins and unlock the device. Again entirely undocumented, I don't know details of how this all works.

 

But to be clear this isn't an iOS problem, it's a computer problem. As I mentioned above, as soon as you have a device with some kind of public bus and a controller on that bus you should assume your device can be compromised by physical access. Not easily. Not trivially. But it can be done.

Ah ok thank you, that explains what is going on here and why it's a problem xD


2 minutes ago, Sniperfox47 said:

Not easily. Not trivially. But it can be done.

As I’ve said in the OP it’ll be a long lasting game of cat and mouse chase between Apple vs hackers/feds. 

 

As someone said earlier, Apple can get cunning and cutthroat and hack into Grayshift’s database and exfiltrate their source code and reverse it and that will send Grayshift into obscurity which will then lead to bankruptcy 


3 minutes ago, captain_to_fire said:

iOS 11 plus drivers only take up around five gigs of storage

256 * 0.93 - 6 = 232GB. Everyone happy now that an iPhone can store approximately 250GB of data?

 

35 minutes ago, RorzNZ said:

They have a reputation to uphold now that these agencies depend on them. They wouldn't say they can't do it. 

Would a self respecting company blatantly lie to their customers? The statement "We broke the new mode in Beta" would allow them to say Apple patched further exploits later however a more common and reasonable response would be "We are working and are making progress" just like most other companies (look at Meltdown).


On 6/16/2018 at 9:03 PM, ScratchCat said:

256 * 0.93 - 6 = 232GB. Everyone happy now that an iPhone can store approximately 250GB of data?

 

Would a self respecting company blatantly lie to their customers? The statement "We broke the new mode in Beta" would allow them to say Apple patched further exploits later however a more common and reasonable response would be "We are working and are making progress" just like most other companies (look at Meltdown).

Yes they would lie. Their whole business relies on being able to do this. They aren't going to say they are working on it, what use is that. 

 

On a side note, I have a 256GB iPhone 7, and (At least on iOS 12 checking right now) I can use all 256GB to store files. I've got 238.2GB free so I don't see how your math stacks up. 


2 hours ago, mr moose said:

FBI will find a way to either make you unlock it or make it a federal offense to carry a locked phone. 

If the iPhone is protected by a passcode only, I don’t think they can, because passwords are protected by the fifth amendment but biometrics are not.

 

Although Jon just said in today’s WAN show that a Louisiana judge considers Apple’s new security feature as obstruction of justice and that they’re protecting criminal activity. I always believe that laws should be updated to be in sync with new technology so who knows? Maybe with the current administration in the US they might amend laws and could eventually lead to an authoritarian decree where companies handling sensitive information must have backdoors upon a subpoena request. Only time will tell. 


10 minutes ago, VegetableStu said:

"do they suspect us yet?"

"haven't got to giving the shell company details, but I'm sure they'll never give any second thoughts this soon now"

I hope the British guy of Apple design, Jony Ive, can fake a Russian accent when buying the Grayshift black box.


7 minutes ago, captain_to_fire said:

If the iPhone is protected by a passcode only, I don’t think they can, because passwords are protected by the fifth amendment but biometrics are not.

 

Although Jon just said in today’s WAN show that a Louisiana judge considers Apple’s new security feature as obstruction of justice and that they’re protecting criminal activity. I always believe that laws should be updated to be in sync with new technology so who knows? Maybe with the current administration in the US they might amend laws and could eventually lead to an authoritarian decree where companies handling sensitive information must have backdoors upon a subpoena request. Only time will tell.

I've always been a proponent of laws that give a judge the power to force a person to unlock their phone where sufficient evidence/case situation exists to suggest there is evidence on the phone. We have laws like that in Australia (no 5th amendment) and to date it hasn't been abused and is quite a transparent process. Generally if there is enough evidence to arrest someone over a crime then that is sufficient to warrant forcing them to unlock their phone.

 

 
