Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
captain_to_fire

Apple just confirmed new security feature to stop hardware based attacks, Grayshift says they found a way around it

Recommended Posts

Posted · Original PosterOP

Source: 9to5 Mac [here] [here], Vice

 

image.thumb.png.6e84f05f91580f3b30467a9bbb26f492.png

Quote

An Apple spokesperson explains in a statement that the company is constantly looking for ways to improve the security protections of its devices.

 

As we highlighted last week, the new USB Restricted Mode requires that an iPhone be unlocked with a passcode when connected to a computer via USB if the device has not already been unlocked in the last hour.

 

It’s easy to jump to the conclusion that this change is purely an effort to block law enforcement from using brute force tactics to gain access to iOS devices. Apple, however, says it doesn’t design its devices to frustrate those who are trying to do their jobs:

"We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple said in a prepared statement. “We have the greatest respect for law enforcement, and we don’t design our security improvements to frustrate their efforts to do their jobs.”

 

Apple added that when it learned of the techniques being used to gain access to passcode-protected devices, it decided to simply alter existing security measures and that it was working on the feature before it knew how law enforcement was taking advantage of such techniques:

Apple began working on the USB issue before learning it was a favorite of law enforcement. Apple said that after it learned of the techniques, it reviewed the iPhone operating system code and improved security. It decided to simply alter the setting, a cruder way of preventing most of the potential access by unfriendly parties.

So I made a thread just a month ago about how some people spotted a new security feature which stops all data transfer in the lightning port in order to stop attacks like Grayshift box.

It's basically like how IT staff restrict employees plugging in random flash drives picked up from the parking lot. Now Grayshit is claiming that they managed to circumvent Apple's new security feature. In an Vice article, they received an email from a Grayshift employee saying that they found a way to get around it .

Quote

But forensics experts suggest that Grayshift, the company behind the tech, is not giving up yet.

 

“Grayshift has gone to great lengths to future proof their technology and stated that they have already defeated this security feature in the beta build. Additionally, the GrayKey has built in future capabilities that will begin to be leveraged as time goes on,” a June email from a forensic expert who planned to meet with Grayshift, and seen by Motherboard, reads, although it is unclear from the email itself how much of this may be marketing bluff.

“They seem very confident in their staying power for the future right now,” the email adds.

 

A second person, responding to the first email, said that Grayshift addressed USB Restricted Mode in a webinar several weeks ago. Apple’s new feature is still alarming law enforcement, though.

 

“Of course they are concerned,” one source with access to restricted forums used by law enforcement told Motherboard. Motherboard granted several sources in this story anonymity to talk about sensitive industry developments.

 

Motherboard found Grayshift has relationships with federal, state, and local law enforcement agencies, including the FBI, DEA, and Secret Service. New emails show the New York State Police is in contact with Grayshift.

Even if what Grayshift's saying is true, remember that iOS 12 is still in beta 1 so a plethora of bugs are expected. If it's true that they managed to get around it, it's possible that Apple is not totally restricting data. Maybe what they need is a disable feature that completely turns off the lightning port even to power. With USB restricted mode, all it does is turn off data transfer but allow power and it's not like when you disable USB from the device manager which also turns off power transfer.

5b23cc3c7eb5c_Screenshot(138).png.fd98017b6cfbdf89e459d4e70c93b7f9.png

 

Well, it looks like it will be a long lasting cat and mouse game between Apple and the feds and hackers. When Apple said "Apple said that after it learned of the techniques, it reviewed the iPhone operating system code and improved security.", is it possible that they managed to get snippets of Grayshift's source code and learned how to bypass it? Remember that Grayshift's source code was allegedly stolen and snippets got leaked.

Even if Apple has the resources to put Grayshift to obscurity either by fake news or a cyberattack, Apple's security battles is steep hill to climb considering that the execs of Grayshift is in bed with the feds.

 

Also, here's an interesting video from Black Hat 2016 conference where for the first time, Apple participated in a security conference I think where they showcased the new and improved security features of iOS 10 like hardened WebKit JIT mapping, encryption, etc. And here's the part where you can get angry at me, I think when it comes to security iOS is better than Android but at the expense of customizability and making it personal. It's also possible that Grayshift is just bluffing but who knows.

 


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
Posted · Original PosterOP
Just now, VegetableStu said:

could it be because Apple whitelists their own MFi stuff, and the Greybox people spoofs those devices? o_o

From what I read, Apple's USB restricted mode will stop all data transfer in the lightning port and that includes their own peripherals including the bundled lightning EarPods and the only thing that will work is charging. Grayshift claims they found a way around it so who knows? I know Apple is serious when it comes to iOS security and they quickly patch vulnerabilities when reported so there might be a chance that Grayshift is just bluffing. ¯\_(ツ)_/¯


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
4 minutes ago, captain_to_fire said:

From what I read, Apple's USB restricted mode will stop all data transfer in the lightning port and that includes their own peripherals including the bundled lightning EarPods and the only thing that will work is charging.

actually thought #2: what would USB restrictions do for invoking DFU mode? o_o

Link to post
Share on other sites
Posted · Original PosterOP
18 minutes ago, VegetableStu said:

actually thought #2: what would USB restrictions do for invoking DFU mode? o_o

'm not sure since I'm not risking a beta OS on my own iPhone.


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
2 hours ago, RorzNZ said:

Saying is a lot different to demonstrating. I wouldn't hold your breath. 

They did deliver before and what they delivered to an extent forced Apple to implement USB Restricted Mode. It would be interesting to see how they did it though.

7 hours ago, captain_to_fire said:

Maybe what they need is a disable feature that completely turns off the lightning port even to power. With USB restricted mode, all it does is turn off data transfer but allow power and it's not like when you disable USB from the device manager which also turns off power transfer.

Cutting power would be an unreasonable overreaction as I am fairly certain you cannot "hack" a voltage converter. I would expect that Apple ensured that USB Restricted Mode (URM) will only be activated if the device has not been unlocked in the past hour and no data is currently being transferred - copying 250GB of images could well take that long over a USB 2.0 connection.

Link to post
Share on other sites
40 minutes ago, ScratchCat said:

copying 250GB of images could well take that long over a USB 2.0 connection

No available iPhone can hold 250GB of images though.

 

And you should be able to set a timer for when URM should kick in. Personally I would want it the same moment as my phone is locked. 

Link to post
Share on other sites

Apple should hire some top of the line security experts and put these Grayshift people in their place once and for all. 


Laptop: 2016 13" nTB MacBook Pro Core i5 | Phone: iPhone 8 Plus 64GB | Wearables: Apple Watch Sport Series 2 | CPU: R5 2600 | Mobo: ASRock B450M Pro4 | RAM: 16GB 2666 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 10 | Storage: 480GB PNY SSD & 2TB WD Green HDD | PSU: Corsair CX600M | Display: Dell 27 Gaming Monitor S2719DGF 1440p @155Hz, Dell UZ2215H 21.5" 1080p, ViewSonic VX2450wm-LED 23.6" 1080p | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G303 | Audio: Audio Technica ATH-M50X & Blue Snowball
Link to post
Share on other sites

Stop hardware based attacks you say?

 

riga-latvia-february-iphone-back-pocket-

images?q=tbn:ANd9GcSKn0CJChS5GD4cLG0HAp-

 

Doesn't seem like Grayshift needs to do anything to prove their point


Awareness is key. Never enough, even in the face of futility. Speak the truth as if you may never get to say it again. This world is full of ugly. Change it they say. The only way is to reveal the ugly. To change the truth you must first acknowledge it. Never pretend it isn't there. Never bend the knee.

 

Please quote my post in your reply, so that I will be notified and can respond to it. Thanks.

Link to post
Share on other sites
1 hour ago, huilun02 said:

Stop hardware based attacks you say?

 

riga-latvia-february-iphone-back-pocket-

images?q=tbn:ANd9GcSKn0CJChS5GD4cLG0HAp-

 

Doesn't seem like Grayshift needs to do anything to prove their point

Kind of difficult to recover data if the thing won't even boot to decrypt said data.

 

2 hours ago, DrMacintosh said:

Apple should hire some top of the line security experts and put these Grayshift people in their place once and for all. 

I would be surprised if, given Apple's vast financial resources, they haven't been doing this.


The pursuit of knowledge for the sake of knowledge.

Forever in search of my reason to exist.

Link to post
Share on other sites

build a better mousetrap and they'll build a better mouse.  If they ever find a way to 100% protect the information on a phone the FBI will find a way to either make you unlock it or make it a federal offense to carry a locked phone. 


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.

Sometimes I miss contractions like n't on the end of words like wouldn't, couldn't and shouldn't.    Please don't be a dick,  make allowances when reading my posts.

Link to post
Share on other sites
17 hours ago, captain_to_fire said:

It's basically like how IT staff restrict employees plugging in random flash drives picked up from the parking lot. Now Grayshit is claiming that they managed to circumvent Apple's new security feature. In an Vice article, they received an email from a Grayshift employee saying that they found a way to get around it .

Even if what Grayshift's saying is true, remember that iOS 12 is still in beta 1 so a plethora of bugs are expected. If it's true that they managed to get around it, it's possible that Apple is not totally restricting data. Maybe what they need is a disable feature that completely turns off the lightning port even to power. With USB restricted mode, all it does is turn off data transfer but allow power and it's not like when you disable USB from the device manager which also turns off power transfer.

5b23cc3c7eb5c_Screenshot(138).png.fd98017b6cfbdf89e459d4e70c93b7f9.png

The difference here is that with a Windows computer you've got the device acting solely as a host so you can disable a port entirely, even going so far as shutting down the control chip if you want, and the controller doesn't need to allow being backfed power.

 

With an iPhone you *need* to have a controller that can be backfed. Why? Because if the phone battery drains completely, you need to be able to power the controller so that you can power the charging circuitry and then charge the battery. If there's a hardware cutoff? RIP phone.

 

As soon as the controller is capable of taking in power you can achieve hardware level exploits against the USB controller and go from there. With current iPhones and Ipads theres no hardware cutoff for the data lanes between the controller and the port, it just tells the controller not to attach new devices, so you can just launch any standard USB attack against the controller just not talk to the OS. But even if on future devices they cut off data connection between the controller and port, you could potentially attack the controller over vbus or with other workarounds.

 

Is this for sure what they're doing? No. Do they even for sure have an exploit at all? No. I'm just saying that if they're determined this is one example of an attack vector they could try to implement, and one that can't be patched without a hardware revision or at the very *very* least new firmware for the USB controller.

Link to post
Share on other sites
3 hours ago, DrMacintosh said:

Apple should hire some top of the line security experts and put these Grayshift people in their place once and for all. 

They really should already have top of the line security people as part of normal business.  I mean for a company that size, it would be not only embarrassing, but downright negligent not to.

 

Further, I've tried to read through this story and I still don't really know what's going on or why any of it matters.  Maybe it will help if I explain what I understand to be true and let someone point out where I'm wrong:

 

Last I checked, Android, Windows Phone, and iOS all provide the ability to connect to a computer over USB, and once you've done that, by default it will only charge, but if (and only if) you enter a pin, you can "unlock" additional mode(s), including the ability to transfer files or sync with itunes, etc.

 

So yeah... anyone got some clarification?


Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to post
Share on other sites
On 6/16/2018 at 10:26 AM, ScratchCat said:

They did deliver before and what they delivered to an extent forced Apple to implement USB Restricted Mode. It would be interesting to see how they did it though.

They have a reputation to uphold now that these agencies depend on them. They wouldn't say they can't do it. 

Link to post
Share on other sites
Posted · Original PosterOP
5 minutes ago, Ryan_Vickers said:

Last I checked, Android, Windows Phone, and iOS all provide the ability to connect to a computer over USB, and once you've done that, by default it will only charge, but if (and only if) you enter a pin, you can "unlock" additional mode(s), including the ability to transfer files or sync with itunes, etc.

 

So yeah... anyone got some clarification?

From what I read about Grayshift, they do dictionary based attacks that can get around Apple’s anti brute force features including the one asking for a PIN once connected to a new computer. What URM supposed to do is after not unlocking the iPhone/iPad for an hour, URM kicks in and tells the USB controller to deny all read and write in the lightning port so it wouldn’t matter if Grayshift is leveraging an unpatched vulnerability. Grayshift however claims otherwise and say they found a way around it. 

 

Given that Grayshift is in bed with the feds, maybe they’re looking for other ways to hack iPhones maybe through spearphishing emails or whatever.  


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
5 minutes ago, captain_to_fire said:

From what I read about Grayshift, they do dictionary based attacks that can get around Apple’s anti brute force features including the one asking for a PIN once connected to a new computer. What URM supposed to do is after not unlocking the iPhone/iPad for an hour, URM kicks in and tells the USB controller to deny all read and write in the lightning port so it wouldn’t matter if Grayshift is leveraging an unpatched vulnerability. Grayshift however claims otherwise and say they found a way around it. 

 

Given that Grayshift is in bed with the feds, maybe they’re looking for other ways to hack iPhones maybe through spearphishing emails or whatever.  

So iOS accepts receiving the pin you must enter in order to unlock it and transfer data over USB?  I had always just assumed it and the other platforms would only accept typing it on the screen as a viable input.  Accepting it over USB seems like a huge design flaw, both because there's no reason that should ever be necessary, and because it opens the doors for attacks exactly like this.


Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to post
Share on other sites
9 hours ago, Cheezdoodlez said:

No available iPhone can hold 250GB of images though.

 

And you should be able to set a timer for when URM should kick in. Personally I would want it the same moment as my phone is locked. 

image.png.53ad5e27ac651736ae78bf733ffc5216.png

Maybe 220GB if you include the OS and formatting but my point still stands.

Link to post
Share on other sites
Posted · Original PosterOP
5 minutes ago, Ryan_Vickers said:

So iOS accepts receiving the pin you must enter in order to unlock it and transfer data over USB?  I had always just assumed it and the other platforms would only accept typing it on the screen as a viable input.  Accepting it over USB seems like a huge design flaw, both because there's no reason that should ever be necessary, and because it opens the doors for attacks exactly like this.

Well it should be unlocked by either biometrics (Face/Touch ID) or PIN in order to unlock the phone and enable data transfer in the USB controller. It’s possible that Grayshift managed to be sneaky and mask data transfer as power charging. 

 

But from your earlier comment, I agree that Apple should have the best security experts given that the iPhone has become the new Blackberry. Remember the days when Blackberry by RIM means business including end to end encryption with BBM and others? 


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
24 minutes ago, Ryan_Vickers said:

They really should already have top of the line security people as part of normal business.  I mean for a company that size, it would be not only embarrassing, but downright negligent not to.

 

Further, I've tried to read through this story and I still don't really know what's going on or why any of it matters.  Maybe it will help if I explain what I understand to be true and let someone point out where I'm wrong:

 

Last I checked, Android, Windows Phone, and iOS all provide the ability to connect to a computer over USB, and once you've done that, by default it will only charge, but if (and only if) you enter a pin, you can "unlock" additional mode(s), including the ability to transfer files or sync with itunes, etc.

 

So yeah... anyone got some clarification?

 

8 minutes ago, Ryan_Vickers said:

So iOS accepts receiving the pin you must enter in order to unlock it and transfer data over USB?  I had always just assumed it and the other platforms would only accept typing it on the screen as a viable input.  Accepting it over USB seems like a huge design flaw, both because there's no reason that should ever be necessary, and because it opens the doors for attacks exactly like this.

I'm not super clear how Greyshift works, but it functions in peripheral mode, not host mode afaik. It's more akin to plugging a keyboard or USB stick into your phone than it is to plugging your phone into a computer.

 

It then makes use of a number of hardware and software vulnerabilities to get the pins and unlock the device. Again entirely undocumented, I don't know details of how this all works.

 

But to be clear this isn't an iOS problem, it's a computer problem. As I mentioned above, as soon as you have a device with some kind of public bus and a controller on that bus you should assume your device can be compromised by physical access. Not easily. Not trivially. But it can be done.

Link to post
Share on other sites
Posted · Original PosterOP
6 minutes ago, ScratchCat said:

Maybe 220GB if you include the OS and formatting but my point still stands.

iOS 11 plus drivers only take up around five gigs of storage 

630163AE-50FF-4AB4-A47D-0F50354FA5E3.jpeg


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
3 minutes ago, Sniperfox47 said:

 

I'm not super clear how Greyshift works, but it functions in peripheral mode, not host mode afaik. It's more akin to plugging a keyboard or USB stick into your phone than it is to plugging your phone into a computer.

 

It then makes use of a number of hardware and software vulnerabilities to get the pins and unlock the device. Again entirely undocumented, I don't know details of how this all works.

 

But to be clear this isn't an iOS problem, it's a computer problem. As I mentioned above, as soon as you have a device with some kind of public bus and a controller on that bus you should assume your device can be compromised by physical access. Not easily. Not trivially. But it can be done.

Ah ok thank you, that explains what is going on here and why it's a problem xD


Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

Link to post
Share on other sites
Posted · Original PosterOP
2 minutes ago, Sniperfox47 said:

Not easily. Not trivially. But it can be done.

As I’ve said in the OP it’ll be a long lasting game of cat and mouse chase between Apple vs hackers/feds. 

 

As someone said earlier, Apple can get cunning and cutthroat and hack into Grayshift’s database and exfiltrate their source code and reverse it and that will send Grayshift into obscurity which will then lead to bankruptcy 


There is more that meets the eye
I see the soul that is inside

 

Making Windows Defender as good or even better than paid options

Link to post
Share on other sites
3 minutes ago, captain_to_fire said:

iOS 11 plus drivers only take up around five gigs of storage

256 * 0.93 - 6 = 232GB. Everyone happy now that an iPhone can store approximately 250GB of data?

 

35 minutes ago, RorzNZ said:

They have a reputation to uphold now that these agencies depend on them. They wouldn't say they can't do it. 

Would a self respecting company blatantly lie to their customers? The statement "We broke the new mode in Beta" would allow them to say Apple patched further exploits later however a more common and reasonable response would be "We are working and are making progress" just like most other companies (look at Meltdown).

Link to post
Share on other sites
17 minutes ago, captain_to_fire said:

As someone said earlier, Apple can get cunning and cutthroat and hack into Grayshift’s database and exfiltrate their source code and reverse it and that will send Grayshift into obscurity which will then lead to bankruptcy 

"hi I'd like to get towards acquiring some of your equipment on behalf of my company"

"sure, how may I address you?"

"Steve Jobs"

 

...

 

"HAHAHAHAHAHHAA" "HAHAHAHAHAHAHAHA"

"Nice whatever we'll need more info about your company anyway, so hang on while we arrange our specialist to handle your request"

"ok sure"

-------

"do they suspect us yet?"

"haven't got to giving the shell company details, but I'm sure they'll never give any second thoughts this soon now"

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×