from the so-simple-that-a-gov't-employee-could-do-it dept.
Russia Today reports
The US public doesn't need a Digital Security Commission; they need the FBI to stop deceiving everyone and tell the truth that it wants to spy on Americans, John McAfee, developer of the first commercial anti-virus program, told RT's Ed Schultz.
[...] "The FBI wants Apple to change their software so that it removes the check for security, so that we don't check for security anymore. Once it has that software, they can use that software on any phone. But they say they only need it for one phone."
[...] "You need a hardware engineer and a [software] engineer. The hardware engineer takes the phone apart and copies the instruction set, which are the iOS and applications, and your memory. And then you run a program called a disassembler, which takes all the ones and zeros and gives you readable instructions. Then the coder sits down and he reads through. What he is looking for is the first access to the keypad, because that is the first thing you do when you input your pad. It'll take half an hour. When you see that, then he reads the instructions for where in memory this secret code is stored. It is that trivial--a half an hour.
...The FBI knows this, Apple knows this."[...] "In either case, if they (the FBI) don't know, that is tragic; if they do know it, then they are deceiving the American public and Apple and everyone else by asking for a universal key."
Do you see any flaws in McAfee's explanation?
Previous: Apple Wants Court To Rule If It Can Be Forced To Unlock iPhones
Seems Like Everyone has an Opinion About Apple vs. the FBI
Update: TPP-Exposing Journalist Ed Schultz Lands on His Feet at RT
John McAfee Announces He Will Run For President of the United States
Related Stories
John McAfee running for president
Anti-virus software tycoon John McAfee plans to run for President, the developer confirmed on Tuesday. He will run under his own newly created "Cyber Party."
http://time.com/4025991/john-mcafee-running-for-president/?xid=tcoshare
The self-described "eccentric millionaire," known for a strange run-in with authorities in Belize three years ago, said his primary motivation to enter the race was the government's problems with security and surveillance.
"We are losing privacy at an alarming rate — we have none left. We've given up so much for the illusion of security and our government is simply dysfunctional," he said, adding that he plans to release an explainer for his new Cyber Party.
John McAfee is running [for] president
McAfee, developer of the first commercial anti-virus program, has said he is going to announce a bid for the White House, and will create the Cyber Party to do so. "I have a huge underground following on the web," he told CNN. The website McAfee2016.com has also popped up.
from the truth-tellers-have-a-hard-time-in-some-places dept.
Russia Today reports:
Progressive political journalist Ed Schultz is joining RT America, beginning January 25, 2016, to host his new primetime news program, "NEWS WITH ED SCHULTZ" at 8pm EST weeknights. On his new show, Schultz will focus on exploring issues that most affect working Americans, particularly within the context of the upcoming US presidential election.
[...] Said Ed Schultz, "The network is firmly established outside of US corporate media and is not afraid to give a platform to diverse voices, stories and perspectives to its viewers, even if it ruffles some mainstream feathers. I can't think of a better fit than a news broadcaster that bullishly pursues issues that matter to hardworking Americans." Schultz's broadcasting career spans more than two decades. Until recently, he hosted "The Ed Show" on MSNBC; the program was consistently the second-highest rated show on the channel.
Schultz [...] will work out of the RT America studios in Washington, DC.
ABOUT RT — RT is a global TV news network that broadcasts 24/7 in English, Arabic, and Spanish from its studios in Moscow, Washington DC, and London. It is available to 700 million viewers worldwide. RT is the most-watched TV news network on YouTube with more than 3 billion views.
Previous: MSNBC Cans the Only Cable TV Host Who Extensively Covered TPP
Apple has requested a court in New York to rule finally whether it can be compelled to assist investigators to break the passcode of an iPhone 5s belonging to a defendant in a criminal case.
The Department of Justice, citing a statute called the All Writs Act, tried to get help from Apple to bypass the security of the phone in government possession.
Apple's lawyer said in a letter to U.S. Magistrate Judge James Orenstein of the U.S. District Court for the Eastern District of New York that the company would like an order as it has received additional requests similar to the one underlying the case before the court.
The company "has also been advised that the government intends to continue to invoke the All Writs Act in this and other districts in an attempt to require Apple to assist in bypassing the security of other Apple devices in the government's possession," wrote Apple's counsel Marc J. Zwillinger in a letter Friday.
[...]
Apple now also argues that the matter is not moot because "it is capable of repetition, yet evading review." The question of whether a third party like Apple can be compelled to assist law enforcement in its investigative efforts by bypassing the security mechanisms on its device has been fully briefed and argued, according to the letter. "The Court is thus already in a position to render a decision on that question," Apple said.
[Continues...]
John McAfee offers to unlock killer's iPhone
McAfee says that he and his team can break into the phone within three weeks. McAfee says he made the offer because "he didn't want Apple to be forced to implement a 'back door'".
Bill Gates Takes Middle Road in FBI iPhone Unlock Dispute
Bill Gates has apparently sided with the FBI in the dispute over the unlocking of a "specific" iPhone, breaking with other technology industry leaders:
Apple should comply with the FBI's request to unlock an iPhone as part of a terrorism case, Microsoft founder Bill Gates says, staking out a position that's markedly different from many of his peers in the tech industry, including Facebook founder Mark Zuckerberg. The two titans aired their views on what's become a public debate over whether Apple should be compelled to unlock an iPhone used by San Bernardino shooter Syed Rizwan Farook. "This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case," Gates told the Financial Times.
However, in a follow-up interview with Bloomberg, Gates said he was disappointed by reports (such as my original submission #2 below) that he had sided with the FBI in its legal dispute with Apple:
In an interview with Bloomberg, Bill Gates says he was "disappointed" by reports that he supported the FBI in its legal battle with Apple, saying "that doesn't state my view on this." Still, Gates took a more moderate stance than some of his counterparts in the tech industry, not fully backing either the FBI or Apple but calling for a broader "discussion" on the issues. "I do believe that with the right safeguards, there are cases where the government, on our behalf — like stopping terrorism, which could get worse in the future — that that is valuable." But he called for "striking [a] balance" between safeguards against government power and security.
[Continues.]
I just heard some sad news on talk radio - Horror Software creator John McAfee was found dead in his Spanish jail cell Wednesday evening. There weren't any more details. I'm sure everyone in the SoylentNews community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.
Netcraft confirms it, as does NYPost - an "apparent suicide".
John McAfee was found dead in his cell in a prison near Barcelona on Wednesday. McAfee was awaiting extradition in a Spanish prison after being charged with tax evasion in the United States last year. McAfee was arrested in Spain in October after being indicted in the United States for tax evasion months earlier. He allegedly failed to file taxes for four years despite earning millions in income between 2014 and 2018 from promoting cryptocurrencies.
Also at the Associated Press, The Register, CNN, and CNBC.
See also: How To Uninstall McAfee Antivirus
Previously: John McAfee Announces He Will Run For President of the United States
On TV, John McAfee Says Cracking an iPhone is Trivial
Johnny Depp to Star in Movie About John McAfee
John McAfee's "Unhackable" Cryptocurrency Wallet Has Been Hacked (Again)
John McAfee Indicted for Tax Evasion
(Score: 2, Disagree) by Covalent on Sunday March 06 2016, @02:59AM
But it does seem remarkably unlikely that the FBI can't crack this phone. I don't normally go in for conspiracy theories of this kind, but I would not be surprised if this were true.
Honestly, I'd be surprised if the FBI didn't have a system for dismantling a phone and reading the contents of the drives directly. Is such a thing really protected against by Apple? Experts, please feel free to highlight my ignorance. But memory is memory...once the phone has been physically dismantled, then survey the 10-tries-and-you're-out system can be circumvented, no?
You can't rationally argue somebody out of a position they didn't rationally get into.
(Score: 3, Funny) by Covalent on Sunday March 06 2016, @03:00AM
Bah! Survey = surely. It's my damned iPhone! Autocorrect probably hacked by the FBI...
You can't rationally argue somebody out of a position they didn't rationally get into.
(Score: 2) by Non Sequor on Sunday March 06 2016, @03:56AM
It's questionable to me whether the FBI has staff that can desolder and construct an interface for an arbitrary memory chip. I also think that when the FBI starts to think it needs that, it's going to have more hoops to jump through to develop procedures for handling this kind of evidence, compared to the relative ease of handling hard drives.
I think this handwringing is both because they have a short-term problem that they really aren't equipped to deal with this type of evidence, and the long-term problem that they see themselves as losing an arms race with security features. (I'll note that I think they should lose that arms race).
Write your congressman. Tell him he sucks.
(Score: 5, Interesting) by anubi on Sunday March 06 2016, @05:02AM
I do not know if my experience is typical, but when I was working for a government aerospace contractor, it seemed like the most creative and intelligent techie types were the first to go, as the higher paid people who made the decisions of who stays and who goes seemed to feel threatened by them.
Ideally, it seemed they were trying to engineer a business model of a few very highly paid people at the top, with below them lots of completely interchangeable minions.
To do this, they used "compartmentalization", "need-to-know", "charge numbers", and a high rate of turnover to keep any one minion from becoming knowledgeable enough to pose any sort of threat to the job security of the ones hiring him at minimal salary to do a minimal function.
Showing any sort of curiosity or inner drive to do something seemed a surefire way to get to the top of the next week's layoff list. The "motivational" and "inspirational" training they sent the managers to had the opposite effect on me, as they just seemed to be management's way of telling how unimportant and meaningless my life under them was.
It seemed all about how to find people who would work for cucumber while they got the grape. And they did not mind flaunting it. Fancy offices, preferred parking, catered gatherings that only they were invited to, getting to spend half every day on "management training", and other perks. We sure were not important enough to train, especially "on the clock".
Who would want a curious engineer around when they could shake the hand of the man earning a million dollars a year who hires the men that determine whether that engineer has a job next week?
As for desoldering the chip, the way I do those is do a quick rough solderwick w/ lots of flux to remove what solder will remove that way. Then I dab on plenty of Sn42/Bi58 solder cream then heat the whole shebang up under an infrared source like a high power halogen. This bismuth based solder paste has a much lower melting point than standard solder - it will quickly alloy with the remaining solder and the whole pad area will liquefy, leaving the chip easily removable by suction cup or tweezer.
An entrepreneur markets something like this solder paste under the name "ChipQuik", but I found the Sn42/Bi58 that works just as well much cheaper in China... Google up some solder alloy charts regarding bismuth/tin/lead to get a good idea of what your mix melts at. Once you've removed your chip, wick off the bismuth solder. Although it has a wondrously low melting point, it is quite brittle. In the lab, OK, but I would not want to ship it to a customer that way. Rosin flux cleans up nicely with industrial ethanol.
I have on several occasions used this technique to remove 24Cxxx EEPROMS from boards I am reversing so I can solder the EEPROM back onto a memory board read by an Arduino, which then sends either a binary or Intel HEX file through the serial/USB port back to the PC that's running the disassembler...
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2, Interesting) by Anonymous Coward on Sunday March 06 2016, @06:53AM
Most chips in phones are BGA. Much less fun to desolder, and even less fun to re-ball and then resolder onto a testbed.
I do both hw and sw and I think the sw approach would be easier.
That said, it would be good to do the hw approach and copy the FLASH contents before hacking the IOS.
(Score: 1) by anubi on Sunday March 06 2016, @07:17AM
Quite true... I have yet to successfully do a BGA.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1, Interesting) by Anonymous Coward on Sunday March 06 2016, @06:52PM
BGAs require either a focused hot air system (shaped nozzles, shields, etc.), or a heat plate. Either way, much care is needed regarding other parts which can't take the heat, such as: connectors, buttons, pots, switches, etc, which are made with plastics - you try to shield them, heatsink clip them, or just remove them first.
An art professor friend of mine, who is very technologically savvy, had an Apple laptop fail (I don't know the model.) He learned it was a common problem with his model, that some of the BGAs weren't properly soldered (probably rushed through the IR oven) and the fix he found was to bake the motherboard in his home oven. I'm not sure the temp, maybe 450? Anyway, he removed vulnerable parts, baked it, reassembled it all, and it still works. He's an amazing teacher too.
(Score: 1, Informative) by Anonymous Coward on Sunday March 06 2016, @01:05PM
I have on several occasions used this technique to remove 24Cxxx EEPROMS from boards I am reversing so I can solder the EEPROM back onto a memory board read by an Arduino
I just use clamps: http://www.ebay.com/sch/i.html?_nkw=sop%208%20clamp [ebay.com]
For the eMMCs, stuff like this is used: http://www.teeltech.com/mobile-device-forensic-software/coded-read-emmc-chips-without-soldering/ [teeltech.com]
(Score: 2) by RamiK on Sunday March 06 2016, @01:06PM
Though I personally only tried the SOP8 clamps ;)
compiling...
(Score: 3, Interesting) by Bobs on Sunday March 06 2016, @01:23PM
I do not know if my experience is typical, but when I was working for a government aerospace contractor, it seemed like the most creative and intelligent techie types were the first to go, as the higher paid people who made the decisions of who stays and who goes seemed to feel threatened by them.
This has been my experience as well with less competent managers. Good leaders will figure out how to encourage and use the creative and intelligent, the poor ones will purge them as threats.
(Score: 1) by bitstream on Sunday March 06 2016, @01:45PM
And the market place will hopefully purge the corporations run by less than competent managers ;)
It's however quite sad how much talent that is wasted for idiotic reasons or people.
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @09:36PM
Nah, big org's always degenerate this way. Either work for a smaller org, or learn to play the game.
(Score: 4, Interesting) by frojack on Sunday March 06 2016, @06:14AM
It's questionable to me whether the FBI has staff that can desolder and construct an interface for an arbitrary memory chip.
Agreed, they probably can't do it. And neither can Joe Random programmer and Bob Random EE working together.
John McAfee seems unlikely to be of much help either. The chip was invented long after John was well and truly out of computing in any real way.
I've done a small amount of disassembly, trying to recover source code for a program where the source code was lost, and all there was left was an executable. It can be months of work, and you cannot easily discern the path through the code that will be taken at execution time. This was true back in 486 days, and it's more true today with multi-core processors. And it wasn't with the amount of code in a whole operating system.
I think this is more of Big John's buffoonery and talking out his ass.
No, you are mistaken. I've always had this sig.
(Score: 1) by anubi on Sunday March 06 2016, @06:29AM
It was hard enough in the days of the 8086, I began really taking a long time to do this under '286, especially under protected mode such as Phar-Lap. I do not even try on the later stuff anymore. Out of my league.
I will still reverse and modify microcontroller stuff though. You know - stuff based on 8051 or similar. Often the source code is long gone by the time it gets to me. And someone just wants it to work again.
If not that, I just replace the whole shebang with an Arduino-compatible and any interfaces I may need to conjure up. It's amazing what can be done with "propeller" chips slaved to an Arduino via I2C.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by frojack on Monday March 07 2016, @05:45PM
Oh look, he lied
http://www.dailydot.com/politics/john-mcafee-lied-iphone-apple-fbi/ [dailydot.com]
No, you are mistaken. I've always had this sig.
(Score: 2) by Non Sequor on Monday March 07 2016, @06:57PM
I ended up reading his backstory after posting that, and exaggerating to get attention and then playing it off as a carefully calculated move after the fact is completely in character for McAfee.
Write your congressman. Tell him he sucks.
(Score: 5, Insightful) by mth on Sunday March 06 2016, @04:15AM
While the approach McAfee outlined most likely won't work (I'd be very surprised if Apple stored the PIN rather than use it as input for a one-way function), I agree that the FBI could probably crack the phone.
If they can dump the flash (via JTAG or perhaps even via the update protocol), they could copy all the data to multiple new iPhones and brute force the PIN. They could even avoid having to do a full re-image of those phones by figuring out where the failed PIN entry counter is stored and resetting the counter when it is one attempt below the wipe limit.
The most benign explanation I can think of is that bureaucracy led to the wrong people being assigned to the project. A more cynical explanation would be that the FBI wants to (ab)use a terrorism case to set a precedent that manufacturers have to break encryption when asked to do so because the FBI is worried that they might not be able to crack future phones. Or perhaps they want a quicker way of cracking phones so they can afford to do it on more cases.
(Score: 1) by baldrick on Sunday March 06 2016, @05:15AM
Yes - I would have expected them to have copied the full data and run it in an emulator by now.
the FBI/CIA/NSA/CNTS must have the ability to do a raw dump of most of the popular smartphones
... I obey the Laws of Physics
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @09:32AM
If you ask me, all of this is about trying to save face. Make things look like you could use the products of a US company without immediately becoming the bitch of the US gov.
(Score: 4, Insightful) by q.kontinuum on Sunday March 06 2016, @10:14AM
If they can dump the flash (via JTAG or perhaps even via the update protocol), they could copy all the data to multiple new iPhones and brute force the PIN.
Unlikely. The encryption/decryption key is most likely stored on a separate TPM chip and can't be reasonably copied. It would be decrypted by entering the right pin and then used to decrypt the flash.
In an insecure system the firmware of the device deletes the flash after N attempts. In a better system, the firmware deletes the encrypted key from the TPM chip. In an even better system, the TPM chip has a checksum of the decrypted key and deletes the key after N attempts within the TPM chip, with this part of the software of that chip being immutable.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 3, Insightful) by Anonymous Coward on Sunday March 06 2016, @11:00AM
You are correct.
The correct pin code and half of the larger (and more entropic) key to decrypt the drive are stored inside a security chip on the iPhone.
When the correct pin is entered the software is given the other half of the key and then it decrypts the device. McAfee is wrong, it's not called "instruction set". It's called "software", specifically "firmware". Once the phone's firmware image is obtained, you can change it all you want. You can even load in into a virtual machine / emulator on a super computer and try to brute force the drive encryption -- but you only have 1/2 of a large random key. That's what the FBI wants to avoid.
The FBI wants to brute-force the pin code, since that will be significantly faster. It doesn't help them to brute-force the pin code when not running on the device, because the part of the key they're trying to unlock is not stored in firmware or software. The changes the FBI wants made to the firmware / software would be to not erase the keys after 10 wrong attempts. McAfee is suggesting the changes to the firmware are trivial. This is correct. However, the changes made cannot be re-uploaded to the phone, as McAfee assumes. The firmware / OS software is signed and any changes will then fail a fingerprint test.
The way the firmware is signed is that a hash of the payload is encrypted with an asymmetric public key, and the output stored right next to the hash. Only Apple (and probably the NSA, or CIA) has the private key that can sign a firmware payload.
The FBI is lying. Once they get their hands on a modified firmware that's signed, they can flash it onto any compatible device and crack the pincode in short order. However, the FBI is not lying in that they will permit the entire unlocking and cracking procedure to happen inside Apple, and the FBI only be given the device data. The FBI is correct that this would only affect one phone. However, it will set a legal precedent via which subsequent requests to judges will have them rubber stamping requests for Apple to perform the phone hack and turn the data over to the FBI.
Apple is protesting because this will force them to do a bunch of work for the FBI, and that's unconstitutional. Apple could avoid all of that work if they just hand over the modified and signed firmware for that phone. Apple's signing system is not as secure as it could be in that they do not generate a new signing key for each device. This would require each update to be signed uniquely for every phone they are installed on. So Apple just has one signing key for many devices and that means a hacked firmware is available to all.
In the future Apple will likely place the unlock counter into the security chip which has the key -- it would be trivial to make a 4 bit adder, and that chip already has a delete key feature...
What's fishy to me is that all the FBI had to do was take the phone into the environment it typically operated under, and it would have initiated a backup to "cloud" storage -- Except the FBI had the iCloud key changed to prevent this. So, they locked themselves out of the device, and they don't want to have to rely on the NSA to unlock the phone for them. Were I the judge I'd tell them, "Tough Titties, Ya Blew it! Get outta 'ere! Go make nice with your agency friends and stop harassing Apple."
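An added toy model (not Apple's code and not from anyone in this thread) that ties together mth's point that the PIN should only feed a one-way function, q.kontinuum's tiers for where the attempt counter lives, and the AC's description of half the key sitting in the security chip: a flash dump plus the correct PIN cannot recover the data key without the chip, the same dump on another "phone" fails because the device secret differs, and ten wrong guesses wipe the chip-side secret regardless of what firmware on the main CPU does. The class and function names, the key-wrapping scheme and the sample data are all constructed for this illustration.

```python
"""Toy model, constructed for this thread, of disk encryption whose key is tangled
with a per-device secret held in a security chip that also enforces the failed-
attempt counter. Not Apple's implementation."""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 10        # the "10 wrong attempts" limit discussed in the thread
KDF_ITERATIONS = 20_000  # kept small so the model runs quickly


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _crypt(key: bytes, data: bytes) -> bytes:
    # Hash-counter keystream stands in for a real cipher in this model.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return _xor(data, stream[:len(data)])

class SecureElement:
    """Security chip: owns a device-unique secret (UID) the application processor
    can use but never read, plus the attempt counter. Modified firmware on the
    main CPU can neither extract the UID nor reset the counter."""

    def __init__(self) -> None:
        self._uid = secrets.token_bytes(32)
        self.failed_attempts = 0
        self.wiped = False

    def wrapping_key(self, pin: str, salt: bytes) -> bytes:
        # The PIN is never stored; it is only an input to a one-way function
        # tangled with the UID, so flash contents alone cannot reveal it.
        return hashlib.pbkdf2_hmac("sha256", pin.encode() + self._uid, salt,
                                   KDF_ITERATIONS)

    def try_unwrap(self, pin: str, flash: Dict[str, bytes]) -> Optional[bytes]:
        """Return the data key for a correct PIN. Failures are counted here,
        inside the chip; at the limit the UID is zeroized."""
        if self.wiped:
            return None
        candidate = _xor(flash["wrapped_key"], self.wrapping_key(pin, flash["salt"]))
        # The chip keeps a checksum of the real key to judge each attempt.
        if hashlib.sha256(candidate).digest() == flash["key_check"]:
            self.failed_attempts = 0
            return candidate
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self._uid = bytes(32)
            self.wiped = True
        return None

def provision(pin: str, user_data: bytes) -> Tuple[SecureElement, Dict[str, bytes]]:
    """Set up a 'phone'. The returned dict is everything a flash dump exposes."""
    se = SecureElement()
    data_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    flash = {
        "salt": salt,
        "wrapped_key": _xor(data_key, se.wrapping_key(pin, salt)),
        "key_check": hashlib.sha256(data_key).digest(),
        "ciphertext": _crypt(data_key, user_data),
    }
    return se, flash

def unlock(se: SecureElement, flash: Dict[str, bytes], pin: str) -> Optional[bytes]:
    """What firmware on the application processor does: ask the chip, then decrypt."""
    key = se.try_unwrap(pin, flash)
    return None if key is None else _crypt(key, flash["ciphertext"])

def unwrap_without_chip(flash: Dict[str, bytes], pin: str) -> bool:
    """Use the correct PIN against a dump but without the chip (the 'copy it to
    another machine' idea). Reports whether the key came out."""
    guess = hashlib.pbkdf2_hmac("sha256", pin.encode(), flash["salt"], KDF_ITERATIONS)
    candidate = _xor(flash["wrapped_key"], guess)
    return hashlib.sha256(candidate).digest() == flash["key_check"]

def attempts_until_wipe(se: SecureElement, flash: Dict[str, bytes], pins: List[str]) -> int:
    """Feed wrong PINs to the chip; report how many it accepted before wiping."""
    tried = 0
    for pin in pins:
        if se.wiped:
            break
        se.try_unwrap(pin, flash)
        tried += 1
    return tried

if __name__ == "__main__":
    se, flash = provision("7391", b"constructed sample: contact list")
    print(unlock(se, flash, "7391"))             # b'constructed sample: contact list'
    print(unwrap_without_chip(flash, "7391"))    # False: half the secret lives in the chip
    other_se, _ = provision("7391", b"other phone")
    print(unlock(other_se, flash, "7391"))       # None: different UID, same PIN
    print(attempts_until_wipe(se, flash, [f"{i:04d}" for i in range(20)]))  # 10
    print(se.wiped, unlock(se, flash, "7391"))   # True None
```

The model only captures the placement of the secret and the counter; in the first tier q.kontinuum describes (counter kept by firmware on the main CPU) the `failed_attempts` bookkeeping would sit in `unlock` instead, which is exactly the code a replaced firmware image could omit.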
(Score: 0, Disagree) by Anonymous Coward on Sunday March 06 2016, @05:24PM
First this....
Then...
I should stop there since you apparently think the digital key is stored in the magical fairy dust apple dusts under the touchscreen.
However this seems naive and highly speculative about the intentions and capabilities of the FBI
This entire discussion is stupid security theater (I have no proof, that is my opinion). The fact is that securing your device with a 4 digit pin is token security. There is always a way to engineer a work-around, as evidenced by the device deleting the keys after 10 attempts. With the correct equipment and reverse engineering you can hack the hardware and then trivially hack the 4 digit pin, as many, many comments on this site and elsewhere have pointed out.
(Score: 0) by Anonymous Coward on Monday March 07 2016, @01:17AM
I should stop there since you apparently think the digital key is stored in the magical fairy dust apple dusts under the touchscreen.
The pin code isn't stored there. It's stored in a secure chip off the main CPU. This is covered in their security specification. The only way to get at the pincode without brute forcing it would be to peel off layers of silicon and hope that you don't destroy the keys in that chip in the process. You are legitimately a moron.
(Score: 0) by Anonymous Coward on Monday March 07 2016, @01:21AM
First this....
it's not called "instruction set".
Confirmed retarded. An instruction set is the set of instruction opcodes that a processor accepts. It is not the actual set of software for the device. By your logic "digits" and operations are algorithms. No, algorithms are made of many digits and operations but digits and operations themselves are not Algorithms. Algorithms are to software what digits and symbols are to an instruction set.
(Score: 3, Funny) by physicsmajor on Sunday March 06 2016, @03:19AM
The people who built the device don't know what they're talking about, but this guy definitely does! He's got an antivirus suite named after him and everything!
Believe everything you see on TV, folks!
(Score: 4, Touché) by khchung on Sunday March 06 2016, @03:42AM
If it was that easy, why doesn't he stage a demonstration with an iPhone 5c? After all, it would take just 1 hour or so, entirely possible for a single uncut video shot, right?
If cost is a problem, then just set up a crowdfunding campaign, and do it only if the funding goal is met.
(Score: 5, Insightful) by jasassin on Sunday March 06 2016, @03:46AM
The hardware has its own DSA (iirc) key that combines with the pin/passphrase to decrypt. It's like saying you can use a disassembler to crack an encrypted GPG message. No. The pin/passphrase is the missing part, a fucking disassembler isn't going to magically produce a string of data that is necessary to decrypt the encrypted data. This guy is a fucking idiot! Just YouTube him!
jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @11:26AM
Absolutely - it's called Kerckhoffs Law, all of the security is in the key, not in the code.
(Score: 2, Informative) by Anonymous Coward on Sunday March 06 2016, @03:47AM
As someone who is currently stepping blindly through assembly code at work, all I can say is... hahahahaha!!! Even assuming you had the private symbols, figuring out optimized assembly code from a large code base is not even close to trivial. It requires a lot of trial and error and stepping through the same code over and over. What does he mean by "the first access to the keypad" anyways, it's not like functions are arranged in calling order in memory. And this completely ignores the issue of one way hash functions for storing the password. Basically, McAfee is a crackpot.
(Score: 2, Insightful) by redneckmother on Sunday March 06 2016, @03:54AM
Err... s/pot/head/ , perhaps?
Mas cerveza por favor.
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @04:54AM
Are we still going through disassembled code one line at a time while jotting stuff down on a scratchpad with a pen? Surely there must be tools.
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @12:58PM
For unoptimized assembly, yes. For optimized assembly, even with full source code and symbols, it's often tricky to figure out what's what. Code is inlined, re-ordered, intertwined, it's a mess. Now imagine not having any symbols. All you see is a never ending series of jumps and nested calls. You have no clue what they're for and you can't search for anything, and there are millions upon millions of assembly instructions. The kind of reverse engineering McAfee is talking about worked back when you could install your entire operating system from one floppy.
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @01:46PM
If you, a layman, believe this, you are just a regular lamer. No surprise.
If you're an app programmer and believe this, it is rather sad but still understandable.
But if FBI "experts" do believe this, they are incompetents wasting the taxpayers' money.
Google "IDA Pro" and stop spreading stupidity around.
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @04:50PM
Yes, IDA is nice. You didn't think I disassembled opcodes in my head, I hope. But you certainly can't just "read through the instructions" to find "the first access to the keypad", as McAfee suggests. You need to execute and trace the code, and yes you will need several passes through it. It takes several weeks, certainly not 30 minutes. That kind of arrogance is common, but I find it's inversely proportional to experience.
(Score: 0) by Anonymous Coward on Monday March 07 2016, @02:25AM
Plus there is a huge difference between disassembling a single thread in an app and multiple multi-threaded processes and the kernel at the same time.
(Score: 3, Informative) by anubi on Sunday March 06 2016, @05:30AM
100% agree! It never was easy for me to reverse either. Very time consuming.
The main things were that there were usually certain patterns off-the-shelf compilers would produce (like system calls) that would give you waypoints.
The earlier things were much easier.
There were two really good people on the net a few years ago.... Old Red Cracker (+ORC) and +Fravia. I do not know what happened to the Old Red Cracker, but +Fravia (the "+" in honor of the "High Cracking University" +Fravia and +ORC set up) is pushing up daisies. I have given you their names... google them and read the stuff they left behind. It's one helluva education.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by Snotnose on Sunday March 06 2016, @03:56AM
who fucked his accountant while his tranny hooker did his taxes? Or run like hell from some country cuz his neighbor got murdered and he didn't pay enough into the campaign re-election fund?
Not saying he's full of shit, but I would sure as hell look for peanuts before I trusted anything he said.
Relationship status: Available for curbside pickup.
(Score: 1, Informative) by Anonymous Coward on Sunday March 06 2016, @04:15AM
FTFY
(Score: 4, Interesting) by jmorris on Sunday March 06 2016, @04:39AM
So that wraps it up for any remaining question of whether this guy is a fraud.
The crypto engine and the keys are in the SoC itself so reading the flash is pointless. If you are awesome and have real resources you could go for the RAM but that doesn't help since the PIN isn't going to be readable from the RAM. If you were awesome though you could boot the thing, inject malware directly into the RAM of the running computer via RAM access and have it wake up the USB port and dump the flash in decrypted form. Not sure whether that gets you the text message history and the other info they need without getting the PIN and using it to obtain the keyring. But you blow the chain of evidence right to heck doing it in that sort of brutal fashion so you could spy on the contact but good luck bringing them to a court based on it.
You might try sawing off the top of the SoC and trying to get at the info in the SoC that way but they put countermeasures in and when that sort of reverse engineering is done in industry they expect to lose a couple of test units and they have to get this one right the first try.
(Score: 2, Insightful) by itn on Sunday March 06 2016, @07:42AM
If only they had the resources to buy multiple(!) iPhones to perfect their technique first...? :-)
(Score: 2) by jmorris on Sunday March 06 2016, @05:38PM
When your plan is to saw up chips until you get lucky, just because you finally get lucky doesn't mean you can then grab the subject phone and know you will succeed with it. It will raise the odds because you have a better idea what is inside, not assure success. That they have exactly one attempt to get it right is still the limitation, unlike industrial snooping where you just have to get one chip's package sawed off without destroying it.
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @10:45AM
have it wake up the USB port
iPhones have a USB port? Someone should tell Apple about that.
(Score: 5, Informative) by Gravis on Sunday March 06 2016, @05:00AM
i've done some embedded development and reverse engineering, so i'm qualified to at least say that his plan might work but only if Apple fucked up their software security implementation (which has been broken multiple times already). Apple did do one thing that was smart which is put in a dedicated core that is specifically for security. However, if Apple fucked up the hardware security, it could be accessible via JTAG (for hardware based debugging) which would be a near instant security fail and even easier than what John suggested.
HOWEVER, even if Apple managed not to fuck up the software for a third time or the hardware at all, it's still trivial for them to get the info they need. Andrew Zonenberg, a grad student versed in silicon reverse engineering, wrote this up back in 2014.
Why Apple's iPhone encryption won't stop NSA (or any other intelligence agency) [blogspot.com]
excerpt from the post:
If Apple did their job properly, however, the UID (device encryption key) is completely inaccessible to software and is locked up in some kind of on-die hardware security module (HSM). This means that even if Eve is able to execute arbitrary code on the device while it is locked, she must bruteforce the passcode on the device itself - a very slow and time-consuming process.
In this case, an attacker may still be able to execute an invasive physical attack. By depackaging the SoC, etching or polishing down to the polysilicon layer, and looking at the surface of the die with an electron microscope the fuse bits can be located and read directly off the surface of the silicon.
Since the key is physically burned into the IC, once power is removed from the phone there's no practical way for any kind of self-destruct to erase it. Although this would require a reasonably well-equipped attacker, I'm pretty confident based on my previous experience that I could do it myself, with equipment available to me at school, if I had a couple of phones to destructively analyze and a few tens of thousands of dollars to spend on lab time. This is pocket change for an intelligence agency.
Once the UID is extracted, and the encrypted disk contents dumped from the flash chips, an offline bruteforce using GPUs, FPGAs, or ASICs could be used to recover the key in a fairly short time.
(Score: 5, Funny) by Anonymous Coward on Sunday March 06 2016, @05:31AM
Given all of that, one thing is clear to me now: you and I have drastically different definitions of the word "trivial."
(Score: 2) by jasassin on Sunday March 06 2016, @06:36AM
Assuming an alphanumeric passphrase with symbols on the number row, that is 16 characters long... (assuming you have the 256bit AES key and uuid) how long would it take? I know it depends on the hardware you're using, so let's say you have the top supercomputer in the world (Tianhe-2, which means Milky Way-2, with a performance of 33.86 petaflop/s [quadrillions of calculations per second or Pflop/s] on the Linpack benchmark). How long would it take? Can someone do the math on that? I can't but I'm very curious.
jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
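Putting numbers on jasassin's question above, and on the offline brute force that the Zonenberg excerpt ends with. This is an added example, not code from anyone in the thread. It assumes the roughly 80 ms per passcode attempt that Apple's iOS security documentation gives for the UID-tangled key derivation, and it treats every offline guess rate as a caller-supplied assumption, because the Linpack flops of Tianhe-2 say nothing about how fast anyone can run AES keyed with an extracted UID.

```python
"""Passcode brute-force arithmetic: on-device guessing vs. offline with the UID.

Added example (not from the thread).  The 80 ms figure is the per-guess cost
Apple documents for the UID-tangled passcode derivation; every offline guess
rate below is an assumption passed in by the caller.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Per Apple's iOS security documentation: the passcode is tangled with the
# per-device UID through an iteration count calibrated so one attempt costs
# about 80 ms on the device.  Without the UID the derivation cannot be run
# anywhere else, which is why the UID is the prize in the decap attack.
ON_DEVICE_SECONDS_PER_GUESS = 0.080

DIGITS = 10            # numeric PIN
LOWER_ALNUM = 36       # a-z plus 0-9
PRINTABLE_ASCII = 95   # every printable ASCII character, space included


def keyspace(charset_size, length):
    """Number of candidate passcodes of a fixed length over a charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case seconds to try the whole keyspace (expected time is half)."""
    return keyspace(charset_size, length) / guesses_per_second


def on_device_years(charset_size, length):
    """Worst-case years when every guess must pass through the phone's own
    AES engine at 80 ms each, i.e. the situation without the UID."""
    return keyspace(charset_size, length) * ON_DEVICE_SECONDS_PER_GUESS / SECONDS_PER_YEAR


def offline_years(charset_size, length, guesses_per_second):
    """Worst-case years once the UID has been read off the die and the
    derivation can be replayed on the attacker's own hardware.  The rate is
    an assumption: it depends only on how many UID-keyed AES units you own."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def min_length_to_survive(charset_size, guesses_per_second, horizon_years):
    """Smallest passcode length whose full keyspace outlasts `horizon_years`
    at `guesses_per_second`: the question to ask before trusting a passcode
    against an attacker who already holds the UID."""
    length = 1
    horizon = horizon_years * SECONDS_PER_YEAR
    while seconds_to_exhaust(charset_size, length, guesses_per_second) < horizon:
        length += 1
    return length


if __name__ == "__main__":
    print("4-digit PIN, on device: %.0f s" % (keyspace(DIGITS, 4) * ON_DEVICE_SECONDS_PER_GUESS))
    print("6-digit PIN, on device: %.1f h" % (keyspace(DIGITS, 6) * ON_DEVICE_SECONDS_PER_GUESS / 3600))
    print("6 lowercase alnum, on device: %.1f years" % on_device_years(LOWER_ALNUM, 6))
    # Assumed offline rate: 1e12 guesses/s, i.e. a very large AES farm.
    print("16 printable chars, offline @1e12/s: %.2e years" % offline_years(PRINTABLE_ASCII, 16, 1e12))
    print("chars needed to survive 100 years @1e12/s: %d" % min_length_to_survive(PRINTABLE_ASCII, 1e12, 100))
```

The 6-character lowercase alphanumeric row reproduces the "more than 5 1/2 years" figure Apple has published for on-device guessing. The last two rows are the answer to the question as asked: with the UID in hand and a trillion guesses per second (an assumption), a 16-character passphrase over 95 symbols still needs on the order of 10^12 years, and 11 such characters already put the full keyspace beyond a century. Short numeric PINs, on the other hand, fall in minutes or hours either way, which is why the UID plus rate limiting does the real work for most users.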
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @10:52AM
How long would it take? Can someone do the math on that? I can't but I'm very curious.
Let's see ... carry the 1 ... exactly 1/2 hour. Hey, McAfee was right!
(Score: 2) by inertnet on Sunday March 06 2016, @11:43AM
That's an interesting approach. But could it be possible without physically going into the chip, by scanning it with some kind of high definition x-ray device, something that can penetrate and make an image of the IC?
(Score: 1) by bitstream on Sunday March 06 2016, @06:41AM
One can't get the key using software because the hardware keeps it to itself. So no amount of disassembly would solve it. Thus to extract the key one needs to do the de-cap and probe route which is very risky. And the code-signed system software that handles the user passcode attempts will order the destruction of one of the required keys if too many attempts are made.
(presumed Apple didn't fuckup)
One could perhaps get the key to sign custom system software as this is the same for all phones with the same group key. Probably using the decap route on other phones of the same model. A new custom system software could then allow the passcode tries without attempting to erase anything. Writing it would require a lot of reverse engineering of course.
(Score: 1) by anubi on Sunday March 06 2016, @07:13AM
Speaking of unique "keys" that each user creates for himself... have the phone "marry" its purchaser by having its purchaser speak a key to it. Digitize the voice - 16-bit codec? Add every sample, with 16-bit rollover, then every 64th sample sum to append to the key. The result of a couple of seconds of speech results in a couple of kilobytes of key. It would be damned hard for someone else to come up with that same key.
Even if you played the key, it would not sound like speech because of all the rollovers. It would sound like white noise.
It doesn't make any difference what you said - as neither you nor anyone else will ever be able to say it in exactly the same way again.
The phone now has a unique array of numbers in it now... an array unlike any other phone will ever have.
Reflash the phone? Fine. It's like new again. Gotta speak it another key. Forget all about anything in the phone already. It's a past life. Gone. Forever. The new stuff goes right over the old stuff as if it were never there.
Digitized FM hiss has been a favorite way of mine to get random keys.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1) by bitstream on Sunday March 06 2016, @07:59AM
Your key creation scheme seems good. But I doubt that even the same person can generate the same key again with that method. So it's only good for creating it one time to use as a system key etc. Still some assumptions can be made on amplitude and frequencies to narrow any brute force attempts.
So what matters is how that key is used. If it can be eavesdropped or used when not intended it would still be defeated even if the attacker wouldn't know it.
(Score: 1) by anubi on Sunday March 06 2016, @09:35AM
I'm counting on that! Even the guy who made the key can't duplicate it.
Yup, the only thing this is good for.... a generator of an absolutely unique block of numbers.
Even if you got an exact recording of the guy marrying his phone... even in a precision recording studio, it wouldn't help. Not the same digitizer. Not the same microphone.
Now, as far as the phone leaking out its system key, once it has been assigned by its purchaser by "marriage vow"... that's out of my league.
What I had in mind is "how do I easily generate some string of random stuff, easily, without possibility of anyone recreating the generation - given any "eavesdropping" while the key generation was taking place?"
With this technique, I could marry my phone right at the point of purchase, with anyone taping me, photographing me, whatever. After I marry my phone, it has a key unique to me, and no-one, no matter what technology they used to watch me do it, could re-create the same key. Even I couldn't. All I could do is re-create a new key, which could be used to protect new content, but could not be used to decrypt anything encoded with the old key.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1) by bitstream on Sunday March 06 2016, @10:33AM
My thoughts on eavesdropping was when moving bits inside the device itself in digital form. Like from the CPU to memory etc.
(Score: 1) by anubi on Sunday March 06 2016, @10:58AM
That's where it starts getting sneaky.... where system-on-chip comes into play. Gotta keep that golden nugget completely under wraps where no one - even armed with a logic analyzer on all circuit paths to the chip - can deduce the key.
I have come to the conclusion it's impossible to really secure my stuff... so I mostly do open-source Arduino-based stuff. I can generally harden it against outside attack (my stuff is way too dumb to execute anything coming in - if it's not the right format, it just gets confused and ignores it). But if the attacker ever gets physical possession of my stuff... game over. It's wide open.
When I was in Aerospace, it was an interest of mine to secure stuff, but it was almost impossible to have other people take me seriously. I could rant and rave till I was blue in the face about mixing code and data - and all it would get me is a high ranking on a layoff list.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1) by bitstream on Sunday March 06 2016, @11:49AM
My tip: When "idiots" want to be just that, let them! Your job is to get the cash ;)
The downside is that one accommodates bad habits, so it's a good idea to look for a new job. Being able to be proud of one's work is a life quality by itself.
And the reason is just as you pointed out. Negative feedback and nothing to compensate for it. Even if you would get a bonus for a secure product but would be sacked for trying to correct errors, the cost of being without a salary would negate the bonus very easily. The laws of perverted incentives are quite perverse.
Regarding security. One has to do a cost/benefit analysis.
(Score: 2) by q.kontinuum on Sunday March 06 2016, @10:48AM
Basically you'd try to find a new way to generate "random" numbers. Only the input is not 100% random really. It might work due to the longer key, but other than that you wouldn't need to reproduce the exact sound patterns, you'd just have to narrow down the key-space by finding the right assumptions for possible samples. If that is possible, start brute forcing.
You trade good random/short length against poor random/long key. Not sure this is safer or less safe, or how it impacts performance. But one ground rule of cryptography is afaik "never roll out your own crypto".
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 1) by anubi on Sunday March 06 2016, @11:21AM
So true! That's why I won't even try to generate the numbers mathematically.
And also why I posted.
Personally, I think - given the lack of any deterministic procedure for generating the numbers - it would be extremely difficult, if not impossible, to generate a duplicate key.
Except, of course, brute forcing. And a several kilobyte key is gonna be pretty hard to brute force.
I am looking at a one-time generation from about the noisiest thing I can think of that's part of a phone. Something that can generate a prodigious amount of data, quickly, and not likely ever generate it again (statistically speaking). So it's gonna be the microphone or the camera.
Another way of getting a bunch of numbers that you will not likely ever see again involves streaming data from the camera while twirling it around....
My feeling is this is something the customer has to do to marry his device, to make damn sure no hanky panky takes place before purchase.
If the customer ever needs to wipe his device, he is free at any time to re-do his marriage vow and start off anew. He does not lose his device, but all the files within are now permanently lost - to be treated as available memory for new files.
Like Bitstream noted above... this is for generating a system key. Even the person generating the key won't be able to generate the same key again. The only reason I would ask the customer to do it is to make sure its a fresh key.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
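The running-sum key scheme anubi describes above, next to the objection q.kontinuum raises to it, as an added example that is not code from either of them. It implements the scheme as posted (16-bit rollover, one word kept after every 64th sample) and then estimates how much new information each 16-bit word of the resulting "couple of kilobytes" actually carries. The audio is constructed with a seeded PRNG, so the "quiet room" and "loud noise" captures are labelled stand-ins for a real microphone; `conditioned_key`, the hash-based alternative a practitioner would reach for, is my addition and is not part of the thread.

```python
"""The "speak a key to the phone" generator from the thread, plus an entropy
estimate showing why a long key is not the same thing as a strong one.

Added example (not from the thread).  Audio is constructed with a seeded PRNG
rather than captured from a microphone.
"""
import hashlib
import math
import random
import struct
from collections import Counter

WORD_MASK = 0xFFFF   # 16-bit rollover, as the post specifies


def voice_key(samples, stride=64):
    """The scheme as described: keep a running 16-bit sum of every sample and
    append the running total to the key after every `stride`-th sample."""
    key, total = [], 0
    for i, s in enumerate(samples, 1):
        total = (total + s) & WORD_MASK
        if i % stride == 0:
            key.append(total)
    return key


def new_information_per_word(key):
    """Each key word is the previous word plus one block sum, so the only new
    information in word i is (key[i] - key[i-1]) mod 2^16.  Return the
    empirical Shannon entropy of that difference in bits.  It is capped at
    log2(len(key)) by the sample size and assumes blocks are independent,
    which real speech is not, so treat it as an upper bound."""
    diffs = [(b - a) & WORD_MASK for a, b in zip(key, key[1:])]
    n = len(diffs)
    counts = Counter(diffs)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def conditioned_key(samples):
    """What a practitioner does instead of using raw sums: hash the whole
    capture down to 256 bits.  Hashing adds no entropy; it only stops the
    structure of the input from showing through in the key.  The result is
    worth 256 bits only if the capture itself carried at least that much."""
    packed = struct.pack("<%dh" % len(samples), *samples)
    return hashlib.sha256(packed).digest()


def constructed_capture(n, amplitude, seed):
    """Constructed 16-bit PCM: uniform noise of +/- `amplitude` LSB."""
    rng = random.Random(seed)
    return [rng.randint(-amplitude, amplitude) for _ in range(n)]


def compare(n_words=4096, stride=64):
    """Run the scheme on a near-silent capture and on near-full-scale noise
    and report nominal vs. estimated bits for the same key length."""
    n = n_words * stride
    quiet = constructed_capture(n, 2, seed=1)        # a few LSB of mic noise
    loud = constructed_capture(n, 20000, seed=2)     # near full-scale noise
    q_bits = new_information_per_word(voice_key(quiet, stride))
    l_bits = new_information_per_word(voice_key(loud, stride))
    return {
        "nominal_bits": 16 * n_words,
        "quiet_bits_per_word": q_bits,
        "quiet_estimated_bits": q_bits * (n_words - 1),
        "loud_bits_per_word": l_bits,
        "loud_estimated_bits": l_bits * (n_words - 1),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print("%-22s %10.1f" % (name, value))
```

On the quiet capture every 16-bit word adds well under 8 bits, because a 64-sample block sum of a few-LSB signal can only land on a few dozen values, exactly the narrowing of the key-space q.kontinuum describes; the loud capture saturates the estimator. Either way the key's strength is the entropy of the speech, not its byte count, and a 16-bit word that carries six bits is no harder to guess for being written as two bytes.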
(Score: 0) by Anonymous Coward on Sunday March 06 2016, @10:57AM
have the phone "marry" its purchaser by having its purchaser speak a key to it.
Speaking the code is not very secret. Can't do that during a meeting, etc. Plus, when you have a cold you're screwed. You'll still need a manual way of entering it ... which will be easy to break because everyone has heard you tell your phone "Siri, I'm in the mood" every time you accessed it.
(Score: 1) by anubi on Sunday March 06 2016, @11:31AM
This is a one-time thing to make a system key. To make sure that you have just generated several kilobytes of numbers in a unique order.
My intention is even if you married your phone to a high quality MP3 player, you could not get the same key again even if you played the exact same music... because your sampling is taking place at a slightly different time resulting in completely different digitizations. Add to that all the rollovers... there is so much random noise induced by quantizing errors and phase shifting that I claim it will be impossible to recreate a duplicate of a key made this way.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]