SoylentNews is people
SoylentNews
Security researcher Sergei Skorobogatov has bypassed the iPhone 5c's firmware using NAND mirroring. The achievement comes too late for the FBI to save some money:
The FBI told Congress it couldn't hack the San Bernardino shooter's phone without Apple's aid, but a researcher has proved that claim was inaccurate. "The process does not require any expensive and sophisticated equipment," wrote University of Cambridge researcher Sergei Skorobogatov. "All needed parts are low cost and were obtained from local electronics distributors."
Security firm Trail of Bits argued earlier this year that it would be possible to replace the iPhone firmware with a chip that doesn't block multiple password attempts. You could then try every single one until you're in, a process that would take less than a day with a four-digit code, and a few weeks with a six-digit one.
[...] "Despite government comments about feasibility of the NAND mirroring for iPhone 5c it was now proved to be fully working," the paper says. That again lends credence to FBI critics who said that the FBI was only pushing for Apple's assistance to create a precedent in court. A magistrate judge ruled against Apple, so law enforcement could use that decision to make other companies cooperate in encryption cases.
Update: The Associated Press, Vice Media and Gannett, the parent company of USA Today, have sued the FBI for information about how the agency accessed the locked iPhone 5c.
(Score: 2, Interesting) by Anonymous Coward on Saturday September 17 2016, @01:25AM
it seems that it's more a matter of doing the bare minimum necessary to get the government off your ass rather than keeping the guts of your technology out of the wrong hands.
I've been a part of anti-tamper designs for restricted military hardware. Ultimately it comes down to time. If the adversary has physical possession the only thing you can design for is the minimum amount of time until the hardware is compromised. But if the adversary has a technique that you did not take into account during design, then all bets are off.
(Score: 3, Interesting) by Anonymous Coward on Saturday September 17 2016, @02:30AM
I have been watching the MAME and emu scene people pick apart hardware for years. It really is just a mater of time. If you have a microcontroller with a bit of ram to run a cpu in one package they are not happy until they have extracted the program and have fully simulated the whole cpu even the instructions you didnt use.
I remember in the 90s arguing with people on USENET about what would be needed to emulate a computer. They were talking 30ghz quantum computers. Turns out most things do not need to be 100% emulated for most stuff to work good enough. At this point the biggest arguments are about who did the dump and who gets credit. The actual technical issues is more about latency at this point.
I saw a few vids a couple of years ago of a guy completely compromising a bluray player. The thing had 3 CPUs and he 100% controlled the whole stack and could execute any code he wanted on each of them. He could also extract the code and reverse engineer the whole bluray stack.
These are guys who do it as a hobby because they like it. If you have a real dedicated group to doing it? Nothing would be safe.
(Score: 3, Interesting) by Hyperturtle on Saturday September 17 2016, @01:34PM
I agree completely.
Let's take for example the Atari Jaguar. Some very dedicated individuals cracked the encryption scheme on it by writing their own decryption routine and networking 8 or so of them together via network links supported by the Jaguar but never really utilized by Atari (look up the Catbox for the fancy one, JagLink for the one people generally have seen if they have seen a networked Jaguar at all).
They were able to crack the encryption so that they could then crank out their own cartridges.
Likewise, there is a retro-hobbiest named Kevin Horton (I have a signed cartridge of Kevtris [#10! woo] from when I met him years ago) who clearly is motivated, interested, capable, and probably should be hired by the highest bidder to do cool things. I believe he recently released a retro-console that plays original NES games that look better now than they did then, due to his cleaning up a lot of the signal noise by using modern parts and efficient redesign.
I can't hold a candle (or figure out how to turn it on) compared to people like Kevin, although, I do modify equipment once I am either really sure I won't brick or break something, or I happen to have a few spares to learn from... you never know what you can find inside a sealed network device no one has poked around with... sometimes one can find that which can be exploited or used as a cost-savings feature when appropriately chipped or enabled. Firmware is meant to be flashed!
I harbor great respect for the MAME enthusiasts that open things up and look inside. There are no script kiddies among them.
(Score: 2) by JNCF on Saturday September 17 2016, @05:22AM
I've been a part of anti-tamper designs for restricted military hardware.
Do you have any opinions about the ORWL, [pcworld.com] especially but not exclusively with regards to how long it might take an APT to get inside one without triggering the key erasing mechanism?
(Score: 1, Interesting) by Anonymous Coward on Saturday September 17 2016, @05:52PM
The OWLR contains a modern Intel processor, which means it requires running unauditable binary software blobs supplied by Intel to even boot, and it contains a dedicated coprocessor with full control over the system, running unauditable code that can only be supplied by Intel.
(Score: 2) by JNCF on Saturday September 17 2016, @08:05PM
Yeah, that's a totally valid concern. I think their "three dimensional active shield" [youtube.com] is interesting, and might be very difficult to work around if the signals were timed correctly, which is why I was interested in the other (?) AC's take on how long it would take to gain physical access without triggering the key erasing mechanism. Even if this implementation has flaws, it's a promising design for a computer. I knew systems like this existed, but I didn't know they could be manufactured that cheap. I don't remember the linked video mentioning it, but that shell is made from a plastic that is highly prone to shattering when cut or drilled. I'm sure that a state actor could gain physical access if they really cared, but I don't know how long it would take them.