Posted on 08/06/2015 10:23:17 PM PDT by Swordmaker
What follows is a guest post from Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley:
Properly configured, an iOS device is perhaps the most secure, general purpose communication device available. The iPod Touch in particular is my preferred communication device for those who need to operate in an extremely hostile network such as China or France, and for most users, iOS is vastly more secure than Android.
Despite this, "best" does not mean "impregnable". The FBI claims that iPhones are "bricks" containing no useful information and Apple claims that iMessage is "end-to-end" secure. Neither is the case. A suspect's iPhone is hardly a brick, but rather a vast trove of information and iMessage, rather than being an impenetrable fortress, is actually metadata-friendly and seems designed to support a backdoor.
The first reason an iPhone isn't a brick is that it is just that, a phone. The IMEI on the back is enough information for the FBI to find the phone's carrier and, with a simple warrant, gain a trove of information. Smart phones continuously communicate on the cellphone network, and Apple's Siri in particular will still use cellular connectivity even when on a WiFi network.
This allows the FBI to discover the phone's entire movement history as long as the phone was on. At a minimum, the cellular providers will provide tower-level information, localizing the phone within a few square kilometers on an effectively continuous basis. Yet we know some providers do even better: AT&T records the location of TRACPhone calls with 200m resolution. So unless the suspects already understood that the phone itself is an FBI tracking device and left it at home, the simple presence of an iPhone is a gift to investigators.
But what about information stored on the phone itself, such as Joe Jihobbiest's selfie with an ISIS flag? Unless the target knew how to set up his phone correctly, it's actually straightforward to arrest someone with an iPhone.
Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese. But many (perhaps most) users don't configure their phones right. Beyond just waiting for the suspect to unlock his phone, most people either use a weak 4-digit passcode (that can be brute-forced) or use the fingerprint reader (which the officer has a day to force the subject to use).
Furthermore, most iPhones have a lurking security landmine enabled by default: iCloud backup. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages! About the only information of value not included in this backup are the known WiFi networks and the suspect's email, but a suspect's email is a different warrant away anyway.
Finally, there is iMessage, whose "end-to-end" nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage's encryption does not obscure any metadata, and as the saying goes, "the Metadata is the Message". So with a warrant to Apple, the FBI can obtain all the information about every message sent and received except the message contents, including time, IP addresses, recipients, and the presence and size of attachments. Apple can't hide this metadata, because Apple needs to use this metadata to deliver messages.
Now iMessage's cryptography should prevent all retrospective analysis of message contents, but the FBI's complaining about this is strange. Nobody wants the postal service to steam open and photograph the inside of every letter just in case the FBI might want a copy (although the post office does record the outside of every letter). And if the suspect didn't turn off iCloud backup, the old messages are available anyway.
But beyond this, there is a sin-of-omission in iMessage that enables Apple to support wiretapping iMessage. When Alice wants to send a message to Bob, Alice's iPhone contacts Apple's keyserver, a central authority which knows everyone's public keys, and asks "I am Alice, please tell me all my public keys" and "I am Alice, please tell me all of Bob's public keys". Then Alice's phone encrypts the message with all the public keys and sends the result to Apple, which forwards the encrypted messages onto everyone's devices. Since only the devices know the corresponding private keys and not appleID, Apple claims this is "end-to-end" secure.
The reason why Alice's phone asks for Alice's keys as well as Bob is to enable Alice to have multiple devices. In iMessage, each device has its own key, but its important that the sent messages also show up on all of Alice's devices. The process of Alice requesting her own keys also acts as a way for Alice's phone to discover that there are new devices associated with Alice, effectively enabling Alice to check that her keys are correct and nobody has compromised her iCloud account to surreptitiously add another device.
But there remains a critical flaw: there is no user interface for Alice to discover (and therefore independently confirm) Bob's keys. Without this feature, there is no way for Alice to detect that an Apple keyserver gave her a different set of keys for Bob. Without such an interface, iMessage is "backdoor enabled" by design: the keyserver itself provides the backdoor.
So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future. A similar modification, adding an FBI key to every request Alice makes for any keys other than her own, enables tapping all messages sent by Alice. There are similar architectural vulnerabilities which enable tapping of "end-to-end secure" FaceTime calls.
This may be why Apple has become the focus of the FBI's ire (which is already used to obtaining SMS and Google chat messages with a simple warrant): Apple's architecture for iMessage supports wiretapping, yet Apple refuses to support the FBI. If I was in Director Comey's position I would be angry with Apple's refusal to cooperate. Apple doesn't need to engineer a backdoor into iMessage, they simply need to either enable or publicly close the backdoor in key distribution that already exists! If we believe Apple's public statements, they've chosen to do neither.
Or perhaps (putting on an oh-so-fashionable tin-foil fedora) this is all a fraudulent dance between Apple and the FBI, as Apple simply doesn't want to admit that they are already tapping iMessage for the FBI or NSA and so simply want the Washington DC noise machine to obscure this architectural defect that makes iMessage anything but "end-to-end secure" lest any other intelligence or police agency demand similar access.
I still like iPhones, I still use and recommend iPhones, and iMessage remains perhaps the best usable covert communication channel available today if your adversary can't compromise Apple. Yet setting up an iPhone properly is no easy task and if one desires confidentiality, I think the only role for iMessage is instructing someone how to use Signal.
Nicholas Weaver is a computer security researcher at the International Computer Science Institute in Berkeley. All opinions are his own.
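The key-distribution gap the guest post describes (Alice can notice new keys on her own account, but has no way to confirm which keys the directory hands her for Bob) is easiest to see in code. The following is an added illustration, not code from the post, from Apple, or from iMessage: a toy key directory, a client that pins the key set it first saw for each peer (trust-on-first-use) and reports any change, and an out-of-band check that compares the directory's answer against fingerprints the peer communicated directly. All user names, byte-string "keys" and the directory itself are constructed for the demo.

```python
import hashlib


def fingerprint(pubkey: bytes) -> str:
    """Short, human-comparable digest of a public key (the kind of value
    a 'safety number' screen would display). SHA-256 truncated to 16 hex chars."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class KeyDirectory:
    """Toy stand-in for a central keyserver: user ID -> list of per-device public keys.
    Whoever controls this object controls what every client believes a peer's keys are."""

    def __init__(self) -> None:
        self._keys: dict[str, list[bytes]] = {}

    def register(self, user: str, pubkey: bytes) -> None:
        self._keys.setdefault(user, []).append(pubkey)

    def lookup(self, user: str) -> list[bytes]:
        return list(self._keys.get(user, []))


class PinningClient:
    """Client-side check the post says is missing for peers: remember the fingerprint
    set seen for each peer and surface any difference on later lookups."""

    def __init__(self) -> None:
        self.pins: dict[str, set[str]] = {}

    def check(self, peer: str, keys_from_directory: list[bytes]) -> dict:
        seen = {fingerprint(k) for k in keys_from_directory}
        if peer not in self.pins:
            # Trust on first use: nothing to compare against yet, so pin and report it.
            self.pins[peer] = seen
            return {"status": "first_use", "new": sorted(seen), "missing": []}
        pinned = self.pins[peer]
        new = sorted(seen - pinned)          # keys the directory now serves that we never saw
        missing = sorted(pinned - seen)      # keys we pinned that have disappeared
        status = "changed" if (new or missing) else "unchanged"
        return {"status": status, "new": new, "missing": missing}

    def accept(self, peer: str, keys: list[bytes]) -> None:
        """Called only after the user has confirmed a change (e.g. Bob really added a device)."""
        self.pins[peer] = {fingerprint(k) for k in keys}


def verify_out_of_band(keys_from_directory: list[bytes], fingerprints_from_peer: list[str]) -> list[str]:
    """Compare the directory's answer with fingerprints the peer gave you directly.
    Returns fingerprints the directory served that the peer did not vouch for;
    an empty list means the directory's answer matches what the peer claims."""
    return sorted({fingerprint(k) for k in keys_from_directory} - set(fingerprints_from_peer))


def demo() -> dict:
    """Walk through the scenario from the post with constructed data and return each verdict."""
    directory = KeyDirectory()
    bob_phone = b"constructed-bob-phone-pubkey"
    bob_tablet = b"constructed-bob-tablet-pubkey"
    directory.register("bob", bob_phone)
    directory.register("bob", bob_tablet)
    # Fingerprints Bob read to Alice in person; the directory is not trusted for these.
    bob_says = [fingerprint(bob_phone), fingerprint(bob_tablet)]

    alice = PinningClient()
    first = alice.check("bob", directory.lookup("bob"))    # pins Bob's two devices
    second = alice.check("bob", directory.lookup("bob"))   # nothing changed

    # Constructed: the directory's answer for Bob now carries a third key that
    # Bob never announced. A client without pinning would silently encrypt to it.
    directory.register("bob", b"constructed-unexpected-third-pubkey")
    served = directory.lookup("bob")
    third = alice.check("bob", served)
    unvouched = verify_out_of_band(served, bob_says)

    return {"first": first, "second": second, "third": third, "unvouched": unvouched}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The pinning check alone only tells Alice that Bob's key set differs from what she saw last time, which is also what a legitimately added device looks like; the out-of-band comparison is what distinguishes the two, and it needs a user interface that shows Bob's fingerprints, which is exactly the feature the post says is absent.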
As for brute forcing the four digit passcode many iPhone users employ, that is a non-starter because the iPhone can be set to erase the data after a certain number of incorrect attempts. Another FAIL.
His claim about the iCloud backups is simply wrong. The backup is encrypted. . . and would still require the user to change the password. He postulates the ability to change his OWN password using his own ability to do so, which then allowed HIM to recover his data to a new Apple device as evidence of insecurity of his backup of his data. SAY WHAT???? The fact that he can recover his own data to another device after he changes his own password is evidence it's available to authorities? FAIL! If the user has enough moxie to set up his device for security he certainly has enough to set up his iCloud similarly.
The claim that "A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages!" is incorrect because the data Apple has is still encrypted by the iPhone before it leaves the phone for the iCloud and Apple does not have the key. He is making unwarranted (pun intended) assumptions without proof.
The author then goes into flights of fancy about Apple and the FBI already cooperating and trying to obfuscate that fact. . . or that the FBI can already do a man-in-the-middle key server and add themselves to the sender or receiver's public keys. . . . but still he says the Apple devices are the best he'd use if they are properly set up.
He wants his cake and to eat it too. SHEESH! . . . Swordmaker
Ahhh....don’t get upset now......
But the fact is, if you want a secure phone, you have to buy one that is..

If you want on or off the Mac Ping List, Freepmail me.
From first line of the expert in the article:
"Properly configured, an iOS device is perhaps the most secure, general purpose communication device available. The iPod Touch in particular is my preferred communication device for those who need to operate in an extremely hostile network such as China or France, and for most users, iOS is vastly more secure than Android."
Now, do you want to repeat your comment?
Mine are properly configured.
I think general purpose was the word that you needed to read.
This was the basis of an argument we had many months ago. I said that no “general consumer” phone was secure unless you purchase one that has been hardened, that is to say that location finding is difficult because it looks like you are walking in the mountains of Peru (until they unwind the fake) and getting into the phone or its data stream is next to totally impossible.
Save for that, and there are only a small number of these phones in use today, everyone has a phone that is not secure in all or some ways..
I would assume that if these hardened phones became the norm, they would be deemed to be a security threat and banned..by the US and most every other government.
It’s just the way things are today.. nothing personal...
I only objected to your claim that Apple phones were secure...and they are not.
Just recently (about three weeks ago), The Hacker Team, the company that sells the forensic reader software to the FBI, NSA, DGSE and other government agencies and police departments at both State and national levels, offered to sell their entire suite of software to another company, wanting to get out of the software business and concentrate on Security Research. What they said was they had software that could breach every mobile device including Android, Microsoft, Nokia Symbian, RIM Blackberry, and jailbroken iOS devices. . . but NOT unbroken iOS devices. They had been unable to crack the protections on iOS 7 and iOS 8 devices. That says one hell of a lot. They are the recognized EXPERTS in this field.
I think I have bought a secure phone.
You are not secure, nor am I....Nobody is today...and nobody will be tomorrow.
I recall that conversation and the fact that you really did not know what you were talking about. . . in that you wanted a phone that was 100% uncrackable. A James Bond type phone.
More or less.....yes...I would call that secure.
But I am fully aware of the history of communications going all the way back to WWI, and no electronic communications remain secure for very long..
Consumer phones are the least secure of today's so called security feature laden phones, because all the workarounds, decryption algos and black box gizmos have been designed to defeat them. More everyday...you should look into what they have in the catalogs for LEO’s and Security firms.
Scary stuff....but much of this stuff is making its way to your local sheriff's department..
Back when cell phones..(bag phones) first came out they were considered pretty secure, but it only took a few months before local PD’s had a radio that intercepted cellular traffic.
All I am saying is that you cannot consider any consumer device that is widely used to be secure...maybe a little secure, or moderately...but not secure.
Frankly, the best way to remain secure is to not use the devices...
Having said that, I shall retire for the night..
Sleep well...
Almost forgot to alert you to this that I saw today..
http://www.macrumors.com/2015/07/06/hacking-team-jailbroken-iphone/
The mac heads are making light of this but they may not know that the most recent Chinese data breach of our government's personnel data occurred by way of an iPhone. (as it was explained to me)
An unnamed government official was in China, on either business or pleasure, in any case they generally leave their gov issued phones at the office and use a personal phone for security reasons. (they don’t want the gov phone to fall into the chi-coms hands)
He apparently needed to log into the system and used his personal phone which was either tethered to a fake cell tower (most likely) or they set up something in the Hotel broadband system...not sure .
The only way they could have got his login info would have been to decrypt the data sent from the phone or to have tricked the phone into giving them the information they needed.
In any case it was not a hack in the usual sense of the word, but an intercept and then the login info was used to access the database which is why they never saw it..until much later..
My son's data was ripped off in that little theft, along with millions of others..
So I have an interest in the case.
So these friggin phones are not secure....they just aren’t.
So, you are saying, that’s how OPM got hacked?
The problem with that, Cold, is that The Hacking Team admitted that in order to be able to jailbreak the iPhone you must first have access to the already unlocked iPhone . . . In other words, to break into the iPhone to jailbreak it, you have to already have unfettered access to the iPhone in order to jailbreak it. If you have unlocked, unfettered access, you ALREADY have access to everything on the iPhone and have no need of breaking into it. SHEESH! Circular reasoning if I’ve ever seen it.
Is anyone else dazed after reading the surrealistic kidnapping saga in the ATT-200m-resolution link in the post?
That’s not how it was ripped off. Sorry. Bogus story that’s been debunked.
Caught that, huh? LOL! Cell tower triangulation at its worst.
PS my eyes are glazed over. I’m wondering if the Vallejo Police and San Francisco Bay Area news papers have apologized to Victim F and Victim M yet?