FBI backs off of Apple

[ShadowCaptain]

4 minutes ago, StarSearch said:

If the FBI wanted to crush the negative media concerning themselves, they would indict Hillary Clinton for her felonies as Secretary of State already.  

Maybe, sadly I dont really know, I find US politics hard to follow (or really any politics)

plus exposing people can also have a negative effect in some ways too

 

was reading this but I dont really know either way

http://abcnews.go.com/Politics/analysis-hillary-clinton-commit-crime-based-today/story?id=36626499

[Sauron]

On 22/3/2016 at 1:27 AM, Ace0100 said:

if the FBI figure out how to unlock it apple would need to update that exploit huge as security risk on peoples phones and people would be mad asf

The general rule of thumb with hardware is that if someone has physical access to your device, it is no longer your device.

[VerticalDiscussions]

All pray that Anonymous destroys the FBI database! . Sneaky fuks!

[LukeTim]

On 3/22/2016 at 10:00 PM, Roawoao said:

And as I've said from the start copying the NAND was the easiest solution and kicks the can down the road. With and FPGA/CPLD bodged with a blob of DRAM you can even emulate a writable NAND or if the boot process doesn't mind a just a simple read only NAND then you will physically disable the automatic wipe or emulate it to trick it into thinking it is erasing while you actually just write the writes to RAM and on reset the flash is just reloaded.

The phone doesn't actually delete any data. It deletes the security keys... making the data effectively irretrievable.

I don't understand what this copying the NAND is all about. Getting at the encrypted data is not the problem. The problem is finding the key to decrypt it. The iPhone uses AES 256 to encrypt the data and uses quite a complicated system of keys (stored in secure ROM on the SoC) to encrypt and decrypt it.

Retrieving the key (or finding the correct pin, which is combined with a key to create the encryption key) is realistically the only way to decrypt the data. AES 256 cannot be brute forced.

[cummerou1]

I dont get why people need to have extremely long discussions about this. Its very simple since FBI does not have the worlds best tech team it would mean criminals that are smart enough will be able to acess the backdoor too. And its not like it will be a one time thing where the backdoor gets patched out. There are thousands of phones like this where the people owning them are murderers, rapists etc. If it happens it wont be a one time thing. Which also means russia and china will be able to acess your phones.

[Roawoao]

8 hours ago, LukeTim said:

The phone doesn't actually delete any data. It deletes the security keys... making the data effectively irretrievable.

I don't understand what this copying the NAND is all about. Getting at the encrypted data is not the problem. The problem is finding the key to decrypt it. The iPhone uses AES 256 to encrypt the data and uses quite a complicated system of keys (stored in secure ROM on the SoC) to encrypt and decrypt it.

Retrieving the key (or finding the correct pin, which is combined with a key to create the encryption key) is realistically the only way to decrypt the data. AES 256 cannot be brute forced.

The phone does not have a secure enclave (it is an older phone) so the volume key encrypted using the user pin code and some device unique salt (UID) and this is stored on the NAND chip as there is no secure element in the phone. By mirroring then emulating the NAND when the phone tries to delete the key on too many failed entries an FPGA/CPLD slapped in can simulate the writes and then ignore them and let them keep on trying.

 

Retrieving the key then is only a matter of guessing what is most likely a 4-6 digit pin code which is trivially weak. The probability they used a >20 character (with all Unicode characters) is very close to zero.

 

4 hours ago, cummerou1 said:

I dont get why people need to have extremely long discussions about this. Its very simple since FBI does not have the worlds best tech team it would mean criminals that are smart enough will be able to acess the backdoor too. And its not like it will be a one time thing where the backdoor gets patched out. There are thousands of phones like this where the people owning them are murderers, rapists etc. If it happens it wont be a one time thing. Which also means russia and china will be able to acess your phones.

There is one way to stop this and it is via a deep hardware backdoor which frankly speaking probably already exists. To exploit it you would have to send the device to a chip foundry test lab to break into the chip very carefully or put it into a specialized bed of nails debugging system which costs tens of millions of dollars not to mention all the trade secret data required to make it work properly. No criminal even if smart enough would bother spending that amount of money to break into one singular phone. If they were to have such resource breaking into a credit card terminal or other high value targets would be a more likely application. Governments would have such resources and could compel the foundries since Apple contracts things out. Now the government must really really want to get into that one phone which also prevents blanket abuse by the government themselves as it would still cost a lot of money/time/resources. 

 

Also all this talk about master keys being a bad idea is stupid since there already is one burned into every iPhone in the form of Apple's public signing certificate which is only protected by a master private key they use to sign the software/firmware updates. If that was ever compromised by a criminals then its a pretty big security nightmare as this certificate cannot be changed in existing devices. It is a good enough solution as companies will protect their private keys very well as they are very important.

 

Also I'm sure if Russia/China/Criminals really wanted to be able to access your phone they would just kidnap you and get you to unlock the phone either that or you would disappear forever (executed) or show up confessing to some made up crime (also something that happens). https://xkcd.com/538/

 

 

[EmeraldKiwi]

On 3/22/2016 at 7:08 PM, Roawoao said:

Probably just a random security researcher it doesn't take much to do the NAND dump and emulation most university ECE students with a little bit of FPGA/CPLD knowledge would know how to do it in theory and in practice it just takes a hot air rework gun or even easier just some bodge wires to test pads or traces. I'm sure the iPhone is the subject of a lot of academic security research so it is probably a trivial task for many (Secure enclave phones on the other hand, which this one is not, would require more resources than most researchers would have). The outside part probably doesn't want the PR shitstorm that would result if his name was given out which will likely happen anyway.

I don't mean to start any heat, but if it is so trivial for students to do it, the FBI would definitely not have any problems, and this whole ordeal wouldn't even have happened. I'm just saying that I don't think that your statement is correct, and I completely disagree.

[Roawoao]

57 minutes ago, EmeraldKiwi said:

I don't mean to start any heat, but if it is so trivial for students to do it, the FBI would definitely not have any problems, and this whole ordeal wouldn't even have happened. I'm just saying that I don't think that your statement is correct, and I completely disagree.

FBI are not going to be electrical engineering students taking FPGA/CPLD courses specializing in embedded systems design. Law enforcement != Electrical engineer. It might be hard for them to do it in house as I doubt many ECE students aspire to be part of the FBI.

 

NAND emulation is trivial to the point where even modders can do it to things like a 3DS to spoof the operating system bypass software checks and the such. Hardmodded 3ds only require soldering skills and a customized SD card adapter to carry out NAND emulation. And since the older iPhone does not use PCI-e based flash storage the same/similar hard mod method can be done.

 

I'll write a high level guide for you here if you want it requires good soldering skills and a strong technical background. Also if the boot loader doesn't mind a read only NAND it is much simpler since you can just block the writes in hardware.

 

To start remove the NAND chip using hot air rework,

 

See the exposed pads you are now going to use a dead bug style connection between your FPGA/CPLD dev board and the nand pads and system nand pads. You will want to downclock the flash memory as the signal integrity will be poor with all the wires keep things as close as possible and mount things to a block of wood/plastic.

 

(Might even work the SD card transplant method) but note that the read only switch on an SD card does not enable a hardware read only protection.

 

A full blown FPGA dev board is probably very excessive but it is going to be the most flexible solution something like (Digikey 220-1935-ND) LCMXO3L-6900C-S-EVN is probably sufficient. These are cheap so you can solder things directly to it and have the flash chip hot glued to the devboard.

 

Then you want to go digging for datasheets and obviously you can figure out the Vcc/GND pins easily with a multimeter with micro test probes. If you can't find any public datasheets then take a sacrificial iPhone and do inline signal reverse engineering. Mike's electric stuff has done this on MIPI displays which are going to be much more complex than the flash protocol. Note that just watching the video isn't going to make it work for you as you need the hands on experience.

 

I'm too lazy to dig up the datasheet but once you have the protocol down then you just program (Not as simple as it sounds) the FPGA to interface with say two NAND chips of the same make or use a DRAM buffer to have a ramdisk or even just do things on the fly and buffer things with a tiny SRAM chip as you really are not expecting much write activity other than the erase instructions which you could use to reset the iPhone. You could also get fancy and tie it into the touch screen controller and you can automate the PIN entries directly. (A second reverse engineering and the touch screen controller IC is going to be fairly simple to trick)

 

Unless Apple pots the iPhone and adds tons of hardware anti-tampering stuff right down to the die level it will always be possible to attack the hardware especially if you don't really change anything but just want to peer in or emulate user inputs. Even the touchID sensor can be tricked using novel printing techniques. (This includes self destruct mechanisms, case tamper, ... which would affect reliability and useablity not to mention prevent any chance of repairing)

 

I would not expect the FBI to have the technical and in house skills to carry out such a method. Apple if they were not being so difficult could just copy the NAND for them even easier since they have all the test/repair hardware and techs already. But obviously will not because it is bad PR to help the government break into a terrorists phone. Also Apple also probably has a whole pile of development phones/boards that have none of the production hardware security checks so they could also use those to run the erase disabled or many other possibilities. Tons of different things that Apple could do none of which would compromise overall security. Compared to a third party or university student, Apple has far more resources and pre-existing technical knowledge + hardware to assist and should be the first one a government agency approaches if they wanted help since they already have everything needed.

[cummerou1]

4 hours ago, Roawoao said:

The phone does not have a secure enclave (it is an older phone) so the volume key encrypted using the user pin code and some device unique salt (UID) and this is stored on the NAND chip as there is no secure element in the phone. By mirroring then emulating the NAND when the phone tries to delete the key on too many failed entries an FPGA/CPLD slapped in can simulate the writes and then ignore them and let them keep on trying.

 

Retrieving the key then is only a matter of guessing what is most likely a 4-6 digit pin code which is trivially weak. The probability they used a >20 character (with all Unicode characters) is very close to zero.

 

There is one way to stop this and it is via a deep hardware backdoor which frankly speaking probably already exists. To exploit it you would have to send the device to a chip foundry test lab to break into the chip very carefully or put it into a specialized bed of nails debugging system which costs tens of millions of dollars not to mention all the trade secret data required to make it work properly. No criminal even if smart enough would bother spending that amount of money to break into one singular phone. If they were to have such resource breaking into a credit card terminal or other high value targets would be a more likely application. Governments would have such resources and could compel the foundries since Apple contracts things out. Now the government must really really want to get into that one phone which also prevents blanket abuse by the government themselves as it would still cost a lot of money/time/resources. 

 

Also all this talk about master keys being a bad idea is stupid since there already is one burned into every iPhone in the form of Apple's public signing certificate which is only protected by a master private key they use to sign the software/firmware updates. If that was ever compromised by a criminals then its a pretty big security nightmare as this certificate cannot be changed in existing devices. It is a good enough solution as companies will protect their private keys very well as they are very important.

 

Also I'm sure if Russia/China/Criminals really wanted to be able to access your phone they would just kidnap you and get you to unlock the phone either that or you would disappear forever (executed) or show up confessing to some made up crime (also something that happens). https://xkcd.com/538/

 

 

Im talking about mass survalience not about singular phones.

[Roawoao]

4 hours ago, cummerou1 said:

Im talking about mass survalience not about singular phones.

The FBI isn't asking for mass surveillance just access to individual phones as the court approves access even if it means bypassing hardware security. Mass surveillance is already in place Facebook, Twitter, Google, Gmail, Hotmail, .... all have internal teams that literally are out there to catch terrorists, criminals, internal leaks, predators, scams, ...

 

Public court approved access to individual phones != NSA download the internet via national security letters.

There is a large difference between having a difficult bypass method vs. opening the doors (banning encryption) to wholesale access.

 

Also many of these well known companies are the primary applications you have on your phone and are increasingly the main method of communication and social interaction. Don't forget with end to end encryption apps it doesn't take much to disable it server side or force a company to drop it. I don't even see why it matters since companies will resist excessive access due to the PR implications (fatal ones) but that doesn't mean they should never help law enforcement.

 

The only reason why terrorists are not using end to end encryption more widely is because they are not very smart but if all companies were unwilling to help and they eventually wisen up to the operational security end to end encryption provides then it will be also fatal PR for proponents of unassailable privacy. 

[Bajantechnician]

apples gonnna debug the exploit....

[Roawoao]

6 minutes ago, Bajantechnician said:

apples gonnna debug the exploit....

Can't debug debugging. It also isn't really a software exploit mirroring the NAND and bypassing the erase in hardware isn't something this version of the iPhone can prevent. Even with the secure enclave there are much more difficult ways to bypass the hardware still if you just wanted to guess but wanted to disable any counters/auto-erase. Obviously there is no way to magically decrypt anything but the protections around the encryption are not mathematically secure so to speak.

[Bajantechnician]

5 minutes ago, Roawoao said:

Can't debug debugging. It also isn't really a software exploit mirroring the NAND and bypassing the erase in hardware isn't something this version of the iPhone can prevent. Even with the secure enclave there are much more difficult ways to bypass the hardware still if you just wanted to guess but wanted to disable any counters/auto-erase. Obviously there is no way to magically decrypt anything but the protections around the encryption are not mathematically secure so to speak.

i see

[EmeraldKiwi]

On 3/22/2016 at 7:08 PM, Roawoao said:

-snip-

Where did you find this guide? That's pretty impressive. Also I would have to agree that law enforcement != electrical engineering. That kind of invalidates my entire argument. So I stand corrected. This is super interesting though.

[Roawoao]

52 minutes ago, EmeraldKiwi said:

Where did you find this guide? That's pretty impressive. Also I would have to agree that law enforcement != electrical engineering. That kind of invalidates my entire argument. So I stand corrected. This is super interesting though.

The guide is written by me as a high level outline of what a technically inclined person would do to carry out the NAND emulation/mirroring. Experience in the subject material and Google are all you need to build high level game plans because if you know what your looking for it is pretty simple to find existing videos of people doing the step you propose and images of various steps. It isn't a very novel technique but it does require electrical engineering knowledge to actually get a viable plan formulated and steps like (program the FPGA) are entire subjects in themselves.

[cummerou1]

On 24/3/2016 at 7:11 AM, Roawoao said:

The FBI isn't asking for mass surveillance just access to individual phones as the court approves access even if it means bypassing hardware security. Mass surveillance is already in place Facebook, Twitter, Google, Gmail, Hotmail, .... all have internal teams that literally are out there to catch terrorists, criminals, internal leaks, predators, scams, ...

 

Public court approved access to individual phones != NSA download the internet via national security letters.

There is a large difference between having a difficult bypass method vs. opening the doors (banning encryption) to wholesale access.

 

Also many of these well known companies are the primary applications you have on your phone and are increasingly the main method of communication and social interaction. Don't forget with end to end encryption apps it doesn't take much to disable it server side or force a company to drop it. I don't even see why it matters since companies will resist excessive access due to the PR implications (fatal ones) but that doesn't mean they should never help law enforcement.

 

The only reason why terrorists are not using end to end encryption more widely is because they are not very smart but if all companies were unwilling to help and they eventually wisen up to the operational security end to end encryption provides then it will be also fatal PR for proponents of unassailable privacy. 

In that case if its that easy you are saying china and Russia already have acess to all our phones since they DO have smart people. The whole discussion is that FBI wants an universal backdoor, even if you need to be insanely smart to acess it other people can. Criminals and enemy countries have just as smart if not smarter people than the FBI/Apple. You cant make a backdoor only FBI can acess.

[Roawoao]

6 hours ago, cummerou1 said:

In that case if its that easy you are saying china and Russia already have acess to all our phones since they DO have smart people. The whole discussion is that FBI wants an universal backdoor, even if you need to be insanely smart to acess it other people can. Criminals and enemy countries have just as smart if not smarter people than the FBI/Apple. You cant make a backdoor only FBI can acess.

FBI does not want a universal open back door, if you have to be insanely smart, require apple, require a chip foundry/test lab, ... sure a select few governments and corporations can access it but not anyone. Criminals would just kidnap and beat your password out of you.

 

You certainly can make a backdoor only government+corperation backed groups could access by making a physically complex path that would make simpler means more preferable. https://xkcd.com/538/

 

Total privacy and its polar opposite total transparency are not a good idea. Good enough security is a practical solution and I don't really understand why it is a population vs government issue since the public as a whole can just push for the issue to be a major sticking point and elect based on it or if the government ignores a mandate they could just up and riot across the entire country. If this does not occur then one could conclude that it is the majority decision to care about having perfect secrecy for everyone even if they are terrorists or criminals.

 

[Mew]

For OP:

http://abc7.com/news/fbi-breaks-into-gunmans-iphone-without-apples-help-ending-court-case/1266473/

 

FBI has breached the gates

[BuckGup]

If you look into John Mcafee and his little group of hackers he has was paid a large amount of money to show them how to do it. After he was quoted saying his team could do it in under a day then the FBI backed off and said they got it with a 3rd party company 

[suicidalfranco]

1 hour ago, kurahk7 said:

For OP:

http://abc7.com/news/fbi-breaks-into-gunmans-iphone-without-apples-help-ending-court-case/1266473/

 

FBI has breached the gates

and they found nothing useful but due to national security won't tell the public a thing and keep it a secret

[aisle9]

33 minutes ago, SamStrecker said:

If you look into John Mcafee and his little group of hackers he has was paid a large amount of money to show them how to do it. After he was quoted saying his team could do it in under a day then the FBI backed off and said they got it with a 3rd party company 

Even when someone makes a stand, there's always a sheep ready to be sheared.