Let's Talk Mobile Encryption/Security

[GSN]

In light of recent events namely involving Apple and the FBI over the San Bernardino shooting, it has come to light the nature of mobile encryption and security. We're questioning how safe our data really is, which smartphone can you safely carry around and not worry about prying eyes, well let's take a look at the market, because do bear in mind, Apple isn't the only manufacturer, and the iPhone isn't the only device to choose from, in fact, there's many.

 

Originally stated by TechCrunch (http://techcrunch.com/2016/03/28/justice-department-drops-lawsuit-against-apple-over-iphone-unlocking-case/ Accessed: 29/03/2016 @00:46GMT)

Quote

The FBI has unlocked Farook’s iPhone 5c involved in the San Bernardino shooting using an alternative method that didn’t involve Apple. Given this new development, the Department of Justice is dropping the case. The government has been evasive about this alternative method and didn’t provide additional details.

This is a really big deal, and especially seeming as the FBI is being evasive regarding the details on how they have managed to unlock the device, although I'm betting it's something really mundane however, and there is no real security vulnerability, but this is yet to be determined.

 

So what phones can we use confidently? Well the answer is purely subjective, like every smartphone debate, it's all down to user-preference. In terms of the current events surrounding Apple and the FBI, Apple are sure to release security patches that will have their users brimming with confidence once again in no time, but there are other choices, take BlackBerry for example, with the latest offering of the PRIV, being an Android smartphone, it's a budding contender in the arena, and BlackBerry have a very strong track-record for security, they have their fingers in all sorts of pies now, including Samsung Knox, an EMM (Enterprise Mobile Management) solution designed to secure smartphones for business, has been made available to the consumer in the form of MyKnox on supported Samsung Devices, I'll talk about Knox more in a later post if people would like to know more about how it works.

 

I'll set the baseline and tell everyone the secure mobile setup I'm using at the moment:

• Samsung Galaxy S7 (Exynos Variant)
• Fingerprint Lock with secure backup password containing upper-case, lower-case, symbols and digits.
• Samsung Knox enabled with FRP (Factory Reset Protection)
• Full device encryption including on the MicroSD card.

You may have a different view of what smartphone you find to be the most secure, please feel free to leave a comment, if you liked this article and wanna hear more from me then please give me a thumbs up. ?

[TechFnatic]

Most main stream phones use very good encryption, take the iphone for example, they use AES-256 bit encryption which has  2^256 different possible keys. In other words, the average Joe isn't going to get into your smart phone, at least not easily. The govt. has supercomputers, but even with those it's very hard to break the encryption, basically you'd have to be important enough for the government to waste resources on cracking your device.

[Cryosec]

My phone (Meizu M2 Note, running Flyme 5 beta) isn't so 'secure' - no fingerprint lock or other biometrics.

Actually I don't really need to secure my phone data, as there is none. At least no sensitive data. IF I need to store sensitive data on my phone, PGP will do the job (26 char password, mixalphanumeric set)

 

All my sensitive data is stored on encrypted disks or my LUKS locked USB (with nuke password), both with different 26 chars passwords.

 

About your thread, I think that mobile pivacy/security is necessary, and should be correctly implemented in every phone.

 

Anyway, whatever your phone might be, security and privacy is always up to the end user. If you use whatsapp to talk about private/businness/illegal stuff, then you might as well write the same thing publicly on facebook, as it will never be aa private conversation (telegram is a valid substitute, with P2P and encrypted chat).

 

2 minutes ago, TechFnatic said:

Most main stream phones use very good encryption, take the iphone for example, they use AES-256 bit encryption which has  2^256 different possible keys. In other words, the average Joe isn't going to get into your smart phone, at least not easily. The govt. has supercomputers, but even with those it's very hard to break the encryption, basically you'd have to be important enough for the government to waste resources on cracking your device.

Even if they use AES-256, the user might be dumb enough to use a dictionary word (maybe with a couple of numbers) as password. bruteforce or dictionary attacks made by anyone could decrypt it.But if you use complex enough password, then yeah, it will take a lot more time and resources to attempt a bruteforce.

[GSN]

Just now, TechFnatic said:

Most main stream phones use very good encryption, take the iphone for example, they use AES-256 bit encryption which has  2^256 different possible keys. In other words, the average Joe isn't going to get into your smart phone, at least not easily. The govt. has supercomputers, but even with those it's very hard to break the encryption, basically you'd have to be important enough for the government to waste resources on cracking your device.

Very good point, I suppose the main thing with the way smartphone encryption works, is that it's kind of "on-the-fly" so if someone can get past the lock-screen then they have access to the data on the device.

 

Some have speculated that the FBI's "third-party" suggested unlocking the device by directly copying the NAND straight off the chip and giving themselves an infinite number of attempts at the passcode, but other suspicions are more mundane, like essentially employing one of many exploits for iOS which hit the ether from time to time.

 

Personally, I like the way Samsung Knox works with ARM Trustzone, but I'm leaving that for another post at some point.

[GSN]

1 minute ago, Cryosec said:

My phone (Meizu M2 Note, running Flyme 5 beta) isn't so 'secure' - no fingerprint lock or other biometrics.

Actually I don't really need to secure my phone data, as there is none. At least no sensitive data. IF I need to store sensitive data on my phone, PGP will do the job (26 char password, mixalphanumeric set)

 

All my sensitive data is stored on encrypted disks or my LUKS locked USB (with nuke password), both with different 26 chars passwords.

 

About your thread, I think that mobile pivacy/security is necessary, and should be correctly implemented in every phone.

 

Anyway, whatever your phone might be, security and privacy is always up to the end user. If you use whatsapp to talk about private/businness/illegal stuff, then you might as well write the same thing publicly on facebook, as it will never be aa private conversation (telegram is a valid substitute, with P2P and encrypted chat).

 

Even if they use AES-256, the user might be dumb enough to use a dictionary word (maybe with a couple of numbers) as password. bruteforce or dictionary attacks made by anyone could decrypt it.But if you use complex enough password, then yeah, it will take a lot more time and resources to attempt a bruteforce.

Well said, I think for people at the moment, the focus is on the companies and how well they actually make the effort to protect your data. Apple have always been very forthcoming with their ecosystem in the fact that it's secure and customers should have confidence. If a company is promising excellent security then they should be able to deliver, the fact that the FBI has managed to gain access to the device will raise some questions, sure, but at the end of the day, people will still buy the iPhone.

 

As for online messaging, for my Enterprise solution, I use BBM and BES12 for synchronising email and internal messages, as it's all end-to-end encrypted anyhow, If you could message me about the LUKS locked USB though, that sounds cool, I'd like to know more about that and how to set it up.  Thanks in advance.

[Orangeator]

That Israeli source came through for the FBI and unlocked the San Bernardino shooters iPhone without the help of Apple. 

 

Quote

WASHINGTON (AP) -- The FBI said Monday it successfully used a mysterious technique without Apple Inc.'s help to hack into the iPhone used by a gunman in a mass shooting in California.

I am happy that Apple got off the hook and the FBI got into the phone. However...

 

Quote

The official said federal law enforcement would continue to aid its local and state partners with gaining evidence in cases — implying that the method would be shared with them.

First in line is likely, Manhattan District Attorney Cyrus Vance, who told a U.S. House panel earlier this month that he has 205 iPhones his investigators can't access data from in criminal investigations

This I am pissed off about. FBI swore that they only wanted to get into only one phone, but Tim Cook knew and was right. The FBI didn't want it for just one phone, they lied. They will be sharing this method with local law enforcement to break into the iPhone's they are currently trying to access. Now you know, never trust your governments word. 

 

Edit Source: https://www.yahoo.com/news/justice-department-cracks-iphone-withdraws-220719890.html

[Tyrannosaurs Techs]

ew.

[ALwin]

3 minutes ago, Orangeator said:

That Israeli source came through for the FBI and unlocked the San Bernardino shooters iPhone without the help of Apple. 

 

I am happy that Apple got off the hook and the FBI got into the phone. However...

 

This I am pissed off about. FBI swore that they only wanted to get into only one phone, but Tim Cook knew and was right. The FBI didn't want it for just one phone, they lied. They will be sharing this method with local law enforcement to break into the iPhone's they are currently trying to access. Now you know, never trust your governments word. 

The FBI said they only wanted to get into one phone IF it was Apple that helped them do it.  But now that they've found a method that doesn't rely on Apple, who gives a fuck.

 

I for one am glad they found a way to see what intelligence they can gather from the phones belonging to these terrorists.  Perhaps they'll find something that helps them find other terrorists before more attacks can occur.

[SansVarnic]

4 minutes ago, Orangeator said:

<snip>

Now you know, never trust your governments word. 

Not to sound snotty but Duh.

 

Beside you need to need to fix your post to meet the posting requirements...

[Zodiark1593]

Last I checked, my G2 doesn't have hardware encryption support, thus I opted not to encrypt in favor of keeping the device on person at all times.

[Thomp]

What is the difference between Apple breaking into the phone, or someone else doing it? They need a search warrant to break into a phone, if they have one, they are going to break into it.  Who/what breaks into it is of no importance to the government, they just wanted to be sure that the data wouldn't be erased.  Of fucking course they want to break into lots of phones, there are plenty of confiscated devices of convicted or suspected criminals that could help in investigations.  When you say "FBI swore that they only wanted to get into only one phone" you are misinterpreting the meaning.  They only wanted Apple to disable the security features on that one phone, and that they could keep the method with which they did so to themselves.  As soon as they knew Apple could/would do it, they would obviously start submitting other phones/warrants for them to open up.  Tim Cook's reluctancy to comply has nothing to do with an ill will of the government. He felt that if they created software to break into the iphone, that criminals/hackers would get ahold of it and use it for evil.  And now, with no help of Tim Cook, there's a way to break in, and we'll see how well Cellbrite can protect their methods from the bad guys. 

[EpicGeekonFire]

Hopefully, Apple is able to patch whatever method was used. Have they publically responded yet?

[Thomp]

1 minute ago, EpicGeekonFire said:

Hopefully, Apple is able to patch whatever method was used. Have they publically responded yet?

 

Cellbrite and the FBI sure as hell aren't going to give Apple the method they used.

[awesomeness10120]

It's a slippery slope, man. A slippery slope.

[SansVarnic]

I use a Lumia 950XL with the device encryption turned ON.

Device encryption for Windows Phones are built in and optional [Default is OFF].

 

Thing is if you have anything of a personal nature stored on your phone device encryption should be turned on.

I use my phone for a multitude of things including access to a cloud with work documents and other stuff so this is a must for me.

[Orangeator]

4 minutes ago, Thomp said:

 

Cellbrite and the FBI sure as hell aren't going to give Apple the method they used.

I honestly don't know if Apple should have the legal right to the knowledge of a major security breach of their product. I am sure that Apple will try their absolute hardest to figure it out. I wouldn't even be surprised if they paid that Israeli team for the method. I am sure Apple has a few million bucks to spare, and I am sure the Israeli company could use it. 

[Tech_Dreamer]

[SansVarnic]

1 minute ago, Orangeator said:

I honestly don't know if Apple should have the legal right to the knowledge of a major security breach of their product. I am sure that Apple will try their absolute hardest to figure it out. I wouldn't even be surprised if they paid that Israeli team for the method. I am sure Apple has a few million bucks to spare, and I am sure the Israeli company could use it. 

Apple should have the legal right to the information. At least if Apple did not attempt to get their hands on the information they would be liable to their investor base for knowingly having a breached product.

[AlTech]

32 minutes ago, Orangeator said:

That Israeli source came through for the FBI and unlocked the San Bernardino shooters iPhone without the help of Apple. 

 

I am happy that Apple got off the hook and the FBI got into the phone. However...

 

This I am pissed off about. FBI swore that they only wanted to get into only one phone, but Tim Cook knew and was right. The FBI didn't want it for just one phone, they lied. They will be sharing this method with local law enforcement to break into the iPhone's they are currently trying to access. Now you know, never trust your governments word. 

 

Edit Source: https://www.yahoo.com/news/justice-department-cracks-iphone-withdraws-220719890.html

Nope. Just don't trust the FBI.

[vetali]

Maybe they finally took John Mcafee's advice. 

[Stuff_]

41 minutes ago, Thomp said:

 

Cellbrite and the FBI sure as hell aren't going to give Apple the method they used.

Unless the Justice Dept has to tell Apple based on the White House's Vulnerability Equities Process.

 

 

I find this a bit fishy. So the FBI makes the claim that there is absolutely no way to get inside that phone without Apples support. They spend a month saying this to the media, and lawyers. 

Then, suddenly, they withdraw. And within a day, it's cracked. That is all too fishy to me, and on top of that, they lied saying that the only way in was through Apple. 

 

It's pretty easy to guess that they used a replay attack on the NAND flash, and I'm sure Apple already assumes that could be the case (and has been fixed on the A7 processors).

If it is simply this, then we know that the iPhone 5C's processor is vulnerable. So, don't buy that.

 

If it's something else, then Apple should be told that way they at least know whats happening and someone doesn't mimic the exploit later on. 

[Trik'Stari]

Well what do you know, when you give a task to someone who knows what they're doing, instead of giving it to a mindless, self serving bureaucrat, shit gets done.

 

Who'da thunk it?

[KingUnicorn]

24 minutes ago, Trik'Stari said:

Well what do you know, when you give a task to someone who knows what they're doing, instead of giving it to a mindless, self serving bureaucrat, shit gets done.

 

Who'da thunk it?

The government is still probably gonna do it because they can. That's what the government does!

 

As for the FBI randomly backing out, I agree it's a bit fishy. It's like saying "only you could save the world"(like in every single video game) and 1 day later saying "hey check this out! We did it ourselves! Cool right?"

 

Just the government doing government things.

[Trik'Stari]

39 minutes ago, Potato_King said:

The government is still probably gonna do it because they can. That's what the government does!

 

As for the FBI randomly backing out, I agree it's a bit fishy. It's like saying "only you could save the world"(like in every single video game) and 1 day later saying "hey check this out! We did it ourselves! Cool right?"

 

Just the government doing government things.

They're backing out, until the public loses interest. Just like congress did with the so-called "internet freedom act". Now they've been under-funding the FCC in an attempt to secretly stop them from doing their job.

 

God our government is full-retard. Why we don't recall all of them, is beyond me.

[Bensemus]

7 minutes ago, huilun02 said:

Now they be breaking into everyone's iphone... 

As far as we know this exploit only works on iPhones that don't have the secure enclave so 5/5c and older. The 5s and newer may be safe due to more hardware based security.