Posted on 03/19/2018 12:20:15 AM PDT by Swordmaker
Just a week after Forbes reported on the claim of Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unknown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer.
In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses.
Another ad showed Grayshift claiming to be able to unlock iPhones running iOS 10 and 11, with iOS 9 support coming soon. It also claims to work on the latest Apple hardware, up to the iPhone 8 and X models released just last year. In a post from one private Google group, handed to Forbes by a source who asked to remain anonymous, the writer indicated they'd been demoed the technology and that it had opened an iPhone X.
(Excerpt) Read more at forbes.com ...
If you want on or off the Mac Ping List, Freepmail me.
Claims to work on all iPhones from iPhone 5s through X using iOS 10 and 11 with iOS 9 coming soon. . . which implies the vulnerability is in iOS, which does not make sense.
End of day, snobby Apple has insecure products just like everyone else.
FBI: your freedom loving americans are belong to us
Thank you Obama Hope and Change FISA occupation
I wouldn't do such a comparison. Tools to crack into Android devices start at $25. This tool to crack into iOS devices starts at $15,000 and is less expensive than the two other competitor companies' tools that claim to do the same. That does not equate to "insecure," Reno, far from it.
The best idea now is to not use the default four or six number passcode on an iOS device but to activate the complex passcode which allows one to use a passcode of up to 256 characters using all 223 possible characters available on the virtual keyboard. That size passcode, if you could remember it yourself, cannot be broken by brute force no matter what they bring to bear on it.
There would be 223^256 possible passcodes to try. Actually, more, because they would not have an inkling of the length of the passcodes to try. . . so they'd have to try every potential length and combination of passcodes between none to 256 characters in length. It would take an eternity to try them all to find the one right passcode that would work.
You could even make it easy for you to remember by using a poem or a passage of prose. . . But replace every space with one of the 127 obscure symbols, graphics, and non-standard punctuation marks from Apple's character set. All you have to know is your phrase and the pattern of extra characters you use. . . and perhaps some whimsical misspelling, to further confuse any look-up tables.
What if you needed to dial 911 quickly?
Just yell Help real loud.
Your place is bugged anyway.
I’ll try that. :)
Why wouldn’t it make sense? With tens of millions of lines of code to write, there is bound to be a weak point here or there. Code has just gotten too complex to account for everything.
If this post is true, it would seem the only difference is that one is more expensive to break.
But it is also more expensive to buy. And the price will likely come down, maybe quickly...
Not saying the post is right. Not saying it is wrong.
We will have to see.
You're assuming that the passcode is what is being attacked. That is a huge assumption.
They may both be. . . I still cannot see how this one can claim to recover data from a wiped iPhone, which is what occurs when a user locks a stolen device with find my iPhone or someone tries the wrong passcode after eleven attempts.
The user's one-way hash is erased completely, and the data on the Flash memory drive is erased to blank. . . and both being solid state devices there are no recoverable shadows of magnetic domains remaining to sense. The ONLY way to restore the iPhone to usability is with the owner's AppleID and Password through Apple, which restores its ability to be booted and have iOS installed and activated, then to restore the user's data from a backup.
It IS however remotely possible they've each found a means of reading the one-way hash on the buried EPROM in the Secure Enclave and someone has leaked the algorithms that Apple uses to create them. . . and they have a database of all possible input/output hash results with which any given hash can be compared. . . easy to calculate for four and six digit numerical passcodes. This WOULD be one way of doing it. . . But the Secure Enclave Processor and its EPROM is not accessible by the iOS data processor at all.
Another possibility, based on the time frame of the cracking as described in the article of different amounts of time to “brute force crack the passcode” between four digit, six digit, and complex passcodes, I think they might be either SPOOFING an Apple Firmware Update Certificate or stolen one, and are changing the boot firmware to defeat the time out limitations and the erasure routines and are forcing the device to try sequential passcodes itself until it is successful.
However, the claim of being able to read an already erased device is puffing because the hash of the passcode no longer exists (the passcodes are never stored on iOS devices) and in fact the entire Secure Enclave EPROM, with several necessary 256 bit AES ENCRYPTION KEY COMPONENTS, has been erased, never to be recovered, and the SSD drive itself has been erased; too many erased iOS devices have been tested and found to be completely blank.
So it's just not a capability I can really see them having. Given how the 256-bit AES encryption key is built, it would not at all be possible to recover any user data on an erased iOS device. . . But I do think the firmware spoofing is possible, just NOT via iOS as Cellebrite was trying to imply, because all of this is, as I said, in the hardware.
Apple WILL close that firmware spoof or a vulnerability rapidly.
Because the unlocking and encryption of the iOS devices are in the hardware. . . and iOS's data processor cannot access the Secure Enclave's dedicated processor which has limited capabilities. . . It's on a separate bus.
There is a way they may be doing it, but not the red herring they are raising about it being in iOS itself. It has to be in the hardware boot firmware. . . and they've either stolen, or found a way to spoof an Apple firmware certificate so they can change the booting firmware of the four interlocking boot ICs. Highly illegal under Federal Law, but who's going to arrest them for it when law enforcement benefits?
One of Apple's ex-software engineers released the entire source code to an earlier version of the boot firmware not too long ago. . . Apple said it had been entirely rewritten for the iPhone 7 and up. . . But I wonder if "entirely" is entirely accurate? It seldom is. Shortcuts are always taken, especially if something is already working.
It's not an assumption. They say their approach is time dependent on whether the user has a four digit, six digit, or a complex alphanumeric-symbolic passcode. That it can brute force the four digit passcode in as little as a couple of hours, but the six digit may take up to a day and a half, and several days to a week for a complex passcode. The more complex, the longer the algorithm will take. . . and as I said you can make it so complex that it will never complete due to the law of large numbers no matter how powerful a computer you bring to bear.
From the article:
"It claims GrayKey works on disabled iPhones and can extract the full file system from the Apple device, and indicates the tool would make repeated guesses at passcodes, a technique known as brute forcing, to first get into the device."
The article also indicates the GrayKey device only needs to be connected to an iOS device for about two minutes to activate the unlocking process. That tells me it's a form of malware they're installing through the lightning port without having access to iOS, i.e. they're jailbreaking it, installing new FIRMWARE using a spoofed or stolen Apple firmware certificate (highly illegal under the Millennium Copyright Act, a Federal Felony), and modifying the hardware's firmware to prevent the countdown timer and erasure, both in violation of the Federal CALEA law of 1993.
Rereading several articles on this, I think the authors are misconstruing a disabled iPhone from one that has been completely erased. Those are two different things. . . a disabled iPhone is one that is inaccessible during a waiting period before one can attempt another passcode. An erased iPhone has a black screen and demands to be plugged into a computer with iTunes, and has zero data, and no iOS installed.
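To put numbers on the two arguments made in this thread (the 223^256 search space for a long complex passcode, and the vendor's claimed timings of "a couple of hours" for a four-digit code), here is an added worked example. It is not code from the thread, from Apple or from Grayshift. The alphabet size (223), the maximum length (256) and the four-digit exhaust time (taken as exactly 2 hours) come from the posts above; the assumption that a guess rate inferred from the four-digit claim carries over to longer codes, and that the right code is found on average halfway through the space, are mine.

```python
"""Search-space and brute-force-time estimates for iOS passcodes.

Added example: illustrates the combinatorics discussed in the thread.
Inputs taken from the posts: 223-symbol keyboard alphabet, max length 256,
and a 4-digit passcode said to fall in "a couple of hours".
Assumption (not from the thread): a single effective guess rate, derived
from that 4-digit claim, and the correct code found halfway through.
"""
from math import log10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def fixed_length_space(alphabet: int, length: int) -> int:
    """Distinct passcodes of exactly `length` symbols over `alphabet` symbols."""
    return alphabet ** length


def variable_length_space(alphabet: int, max_length: int) -> int:
    """Every passcode from 1 up to `max_length` symbols.

    An attacker who does not know the length must cover all lengths, so the
    space is the geometric series sum_{L=1}^{n} a^L, computed exactly with
    Python integers via its closed form (a^(n+1) - a) / (a - 1).
    """
    if alphabet < 2:
        return max_length  # degenerate one-symbol alphabet: one code per length
    return (alphabet ** (max_length + 1) - alphabet) // (alphabet - 1)


def guesses_per_second(space: int, seconds_to_exhaust: float) -> float:
    """Effective guess rate implied by a claim that `space` codes fall in
    `seconds_to_exhaust` seconds (the counter/delay logic is folded in)."""
    return space / seconds_to_exhaust


def expected_years_log10(space: int, rate: float) -> float:
    """log10 of the expected years to find the code at `rate` guesses/s.

    Returned in the log domain because 223^256 (about 10^601) overflows a
    float; math.log10 accepts arbitrarily large Python ints directly.
    The expected position of the right code is halfway, hence the log10(2).
    """
    return log10(space) - log10(2) - log10(rate) - log10(SECONDS_PER_YEAR)


def describe(space: int, rate: float) -> str:
    """Human-readable expected time for `space` codes at `rate` guesses/s."""
    years_log = expected_years_log10(space, rate)
    if years_log < 0:
        days = 10 ** years_log * 365.25
        return f"about {days:.1f} days"
    if years_log < 6:
        return f"about {10 ** years_log:,.0f} years"
    return f"about 10^{years_log:.0f} years"


if __name__ == "__main__":
    # Rate inferred from the thread's "four digit in a couple of hours" claim.
    rate = guesses_per_second(fixed_length_space(10, 4), 2 * 3600)
    print(f"inferred rate: {rate:.2f} guesses/s")
    for label, space in [
        ("4-digit PIN", fixed_length_space(10, 4)),
        ("6-digit PIN", fixed_length_space(10, 6)),
        ("8 chars, 223 symbols", fixed_length_space(223, 8)),
        ("all lengths 1..256, 223 symbols", variable_length_space(223, 256)),
    ]:
        print(f"{label:>34}: {len(str(space))} digits, {describe(space, rate)}")
```

The inferred rate is well under two guesses per second, which is the real lesson of the thread's numbers: whatever GrayKey does to the retry counter, the work per guess is still paced by the device, so passcode length and alphabet size dominate, and the variable-length space for 223 symbols runs to over 600 decimal digits.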
Emergency 911 calling is available from firmware even on an erased iPhone from a locked screen. It's a built in function.
The secret password for all these phones is “password”.
Most Android phones don't even come with encryption. It's a third-party app option and the password is stored on the device in a text file. . . even Samsung's Knox passcodes were stored in an unencrypted, easily found open library in a text file.
As for price? I expect it will come down rapidly as the devices become useless for future iOS iPhones and iPads. They might have some value for currently held, not already adjudicated cases that won't get firmware updates, but the vulnerabilities such exploits use have a very short shelf life once they become known. Apple cannot allow them to remain in the wild because, although Apple is not too worried that the White Hat police have them, just the knowledge the vulnerabilities exist means the Black Hat bad guys will find the same vulnerabilities and use them, either by stealing a machine or stealing the tech. So it will be closed, most likely within a month.