Wednesday, March 30, 2016

FBI vs Apple: A Postmortem

By now you’ve doubtless heard that the FBI has broken the encryption on the iPhone of Syed Farook — the suicide terrorist who killed fourteen and then himself in San Bernardino. Consequently, they won’t be requiring Apple’s (compelled) services any more.

A number of people have written in and asked what we knew about the hack, and the frank answer is “not a heck of a lot”. And it’s not just us, because the FBI has classified the technique. What we do know is that they paid Cellebrite, an Israeli security firm, at least $218,004.85 to get the job done for them. Why would we want to know more? Because, broadly, it matters a lot if it was a hardware attack or a software attack.

Software or Hardware?

If the attack was hardware, it may not be such a big deal. The iPhones supposedly prevent a brute-force (guessing) attack against the password by wiping memory or delaying after a fixed number of wrong guesses. The basic idea behind a possible hardware attack is to dump the memory from a NAND flash chip on board, try a few passwords, and then re-flash the memory to the initial state before tripping the security. Another possibility, if there’s a timeout on password guesses, is to associate the phone with a fake cell tower, and push new times to the phone every time they get locked out. Delays are meaningless if you can arbitrarily set the time on the phone.

If the attack was one of these hardware approaches, it isn’t a big deal, because they require physical control of the phone, potentially for a long time. This isn’t something that a criminal gang is going to use to steal your bank account data, but something that governments can do in limited situations, legally, and with warrants. In contrast, an unknown flaw in the OS’s security model could be remotely exploitable, and would likely work on any phone in a lot shorter time. If the flaw became known to criminal gangs before Apple, millions of Americans with iPhones would be at risk.

Responsible Disclosure?

If the FBI is sitting on an OS flaw, and it is one that’s in principle exploitable by criminals, they owe it to their constituency — US citizens — to disclose that information to Apple so that it can get fixed. But because the FBI has classified the hack, they’re not going to be compelled to tell anyone how they did it.

It’s certainly the case that if we had hacked this phone, we’d be subject to charges under the DMCA or worse. And we’d certainly be under a moral, if not legal, obligation to inform Apple so that they could fix things. We hope that this means that the crack was hardware based. It’s worth mentioning that what the FBI was demanding from Apple was a software attack — this may be further evidence that they don’t have one.

So the Farook case is over, which means we can all rest assured that our phones are safe, right? (Or at least they’re safe from anyone who hasn’t hired Cellebrite.) After all, the FBI director publicly stated that this was just about unlocking only a single (terrorist’s) phone, and not about setting a precedent, so they’ll stop trying to force firms to break their own encryption, right?

We don’t believe that for a second. The Farook case was intended to capitalize on the public’s fear of terrorism to force Apple to play along and take actions that harm all of their customers. The FBI will be trying to establish precedent to compel decryption again, and will try until they find a judge to agree with them.

Sounds like a conspiracy theory? Don’t listen to some crackpot writer for a niche tech website. Richard Clarke, former national security advisor and head of counter terrorism weighed in on the subject:

“[The FBI] is not as interested in solving the problem as they are in getting a legal precedent,” Clarke said. “Every expert I know believes the NSA could crack this phone. They want the precedent that government could compel a device manufacturer to let the government in.”

“The FBI director is exaggerating the need for this, trying to build it up as an emotional case … It’s Jim Comey. And the Attorney General is letting him get away with it.”

What Clarke said is consistent with our crackpot conspiracy theories. The FBI has been systematically trying to compel firms to backdoor their own encryption. If they were interested in just one phone, they’d pay an Israeli security firm $200,000 to get the job done. (We have no inside information about if or why the NSA wouldn’t play along.)

The FBI has been after Apple since they announced that they were expanding encryption coverage. Read this headline from December 2014. Does that sound familiar? It’s exactly the same legal argument they used in the Farook case. Only the FBI got shut down instead of hiring an outside hacking firm. That didn’t stop the FBI from telling Apple employees that they would be killing children by enabling encryption on their phones.

You don’t need to look very far into the future to find the FBI’s next test case, either. Indeed, there are currently at least a dozen open cases at the moment, all justified under the All Writs Act. It’s hard to believe Director Comey’s argument that Farook was about a single phone.

(As we were writing this article, the Justice Department essentially declared victory in Farook, and now seems to say that it will use the Farook result as precedent. That was fast!)

Which Side Are They On?

There is a real problem at both the NSA and the FBI at the moment. They’re tasked with getting information on potential terrorists and prosecuting crimes, while at the same time protecting American citizens’ data and property. In particular, the NSA helps develop civilian cryptography, and the FBI is responsible for interstate Internet fraud. In cases like this, the same agencies have both an interest in the public’s benefit from strong encryption and the desire to decrypt individuals’ phones as evidence. They’re required to be schizophrenic. One can only hope that they’re balancing the conflicting demands appropriately.

If the Farook case has shown us anything, it’s that the FBI is behaving as if they value their offensive mandate more heavily than their defensive one — even though it weakens the security of US citizens with legitimate interests in keeping their confidential information safe.

The FBI testified that only Apple could unlock the phone while seeking an outside firm to unlock the phone. Indeed, it was cracked just over a month after this testimony. They picked an emotionally charged case and touted it heavily in the public press, something that they don’t do with their other cases — most notably those where the judges decide against their interpretation of the All Writs Act. They’re asking for a software-based attack, which is something with far-reaching consequences (and dangers if it falls into the wrong hands). And finally, they’ve relied on misleading and hyperbolic testimony to push the issue. In short, they’re playing dirty pool and stretching the truth, which is what one expects of the prosecution.

This would be uncontroversial if they weren’t also tasked with protecting the interests of American citizens.


Filed under: iphone hacks, news, security hacks

from iphone hacks – Hackaday

Monday, March 7, 2016

Bullet-time Video Effect by Throwing Your Phone Around

Ski areas are setting formal policies for drones left and right, but what happens when your drone isn’t a drone but is instead a tethered iPhone with wings swinging around you like a ball-and-chain flail as you careen down a mountain? [nicvuignier] decided to explore the possibility of capturing bullet-time video of his ski runs by essentially swinging his phone around him on a tether. The phone is attached to a winged carrier of his own design, 3D printed in PLA.

One would think this would likely result in all kinds of disaster, but we haven’t seen the outtakes yet, and the making-of video has an interesting perspective on each of the challenges he encountered in perfecting the carrier, ranging from keeping it stable and upright, to reducing the motion sickness with the spinning perspective, and keeping it durable enough to withstand the harsh environment and protect the phone.

He has open sourced the design, which works for either iPhone or GoPro models, or it is available for preorder if you are worried about catastrophic delamination of your 3D printed model resulting in much more bullet-like projectile motion.

Thank you [Remeton] for pointing us to this nausea-inducing (ish) hack.


Filed under: iphone hacks, video hacks

from iphone hacks – Hackaday

Thursday, February 18, 2016

The Contrarian Response To Apple’s Need For Encryption

On December 2, 2015, [Syed Rizwan Farook] and [Tashfeen Malik] opened fire at a San Bernardino County Department of Public Health training event, killing 14 and injuring 22. This was the third deadliest mass shooting in the United States in recent memory, and began a large investigation by local, state, and federal agencies. One piece of evidence recovered by the FBI was an iPhone 5C belonging to one of the shooters. In the days and months after the shooting, the FBI turned to Apple to extract data from this phone.

A few days ago in an open letter to customers, [Tim Cook], CEO of Apple, stated they will not comply with FBI’s request to build a backdoor for the iPhone. While the issue at hand is extracting data from an iPhone recovered from the San Bernardino shooting, [Cook] says building a new version of iOS to extract this data would allow the FBI to unlock any iPhone. Needless to say, there are obvious security implications of this request.

Apple does not publish open letters to its customers often. Having one of the largest companies on the planet come out in support of privacy and encryption is nearly unprecedented. There is well-founded speculation this open letter to the public will be exhibit A in a Supreme Court case. Needless to say, the Internet has gone a little crazy after this letter was published, and rightly so: just imagine how much better off we would be if AT&T had said no to the NSA in 2002 – [Snowden] might just be another IT geek working for a government contractor.

There is a peculiar aspect of public discourse that doesn’t make any sense. In the absence of being able to say anything interesting, some people have just decided to add a contrary viewpoint. Being right, having a valid argument, or even having evidence to support assertions doesn’t matter; being contrary is far more interesting. Look at any comment thread on the Internet, and you’ll find the longest comment chain is the one refuting the parent article. Look up the ratings for a cable news channel. You’ll find the highest rated show is the one with the most bickering. When is the last time you saw something from the New York Times, Washington Post, or LA Times on Facebook or your favorite news aggregator? Chances are, it wasn’t news. It was an op-ed, most likely one that was espousing a view contrary to either public opinion or public policy.

As with any headline event on the Internet, the contrarians have come out of the woodwork. These contrarians are technically correct and exceedingly myopic.

The Contrarian Opinion to Apple’s letter

The netsec industry is odd. Every day, my inbox is accosted by unsolicited emails from PR agencies, asking if I’d like to do an interview with a CEO or chief scientist on the security issue du jour. From the unending reminders to upgrade to Windows 10 to the security implications of a virus designed to destroy Iranian centrifuges, I have been offered an interview with someone who is uniquely qualified to speak on the subject. As expected, the first offers for an interview turned up in my inbox ten hours after news of Apple’s refusal to cooperate with the FBI crashed around the world.

The gist of the first pitch for this interview is as follows: Apple could have easily complied with this court order. This is not a crypto war. To quote this interview pitch directly and without attribution:

Apple didn’t need to react this way – it was premature and apples and oranges. Forensically speaking and legally speaking the Judge asked for reasonable assistance on unlocking THIS SPECIFIC phone. Even if that requires them to modify the firmware with a key they have they don’t have to give that software to the FBI. They can simply do a few steps:

  • Give phone to Apple
  • Apple runs their secret sauce and makes a backup image of the data/phone info
  • They give that image backup to FBI which only contains the data not the key. This is how forensics on mobile devices are done, by a backup image.

There is no threat to mass surveillance here. It was a reasonable search warrant request no different than a warrant to the free webmail services or Facebook asking for data. You’re not giving them your keys to ALL your data, you’re only giving them the very specific data of the account that was requested.

While this is an interesting counter to [Tim Cook]’s argument, it lacks the technical details demanded by a matter that requires a passing knowledge of topics ranging from electrical engineering to 18th century case law. Fortunately, the default mode of discourse these days is contrarianism, and there’s always someone else ready to glom onto the most important thing to happen on the Internet this week.

On the Trail of Bits Blog, [Dan Guido] plainly states Apple can comply with the FBI court order without compromising security for millions of iPhones, and gives a reasonable technical breakdown of how Apple can do it.

In plain English, the court order asks Apple to create a special version of iOS that works on only one iPhone – the phone recovered from the San Bernardino shooting. This custom version of iOS would never leave the Apple campus. After all, according to the court order, the FBI only wants the data on the phone and not a method to extract data from every iPhone they come across.

This is technically possible. New firmware can be uploaded to the recovered iPhone via DFU. This new firmware would require a valid signature from Apple, and the FBI does not have the keys Apple uses to sign firmware. [Dan Guido] ends his teardown with the conclusion it is technically feasible for Apple to comply with all of the FBI’s requests. This request would not necessarily make every iPhone insecure, and to limit the risk of abuse, the tools created to assist in this request can be customized to only work with the iPhone recovered from the San Bernardino shooting.

This is a Unique Moment in History

Apple’s refusal to comply with court orders is the largest news item to hit the Internet in a very long time. The CEO of Google has weighed in on the issue, concurring with [Tim Cook]. It is now inevitable that every god of silicon valley will weigh in on the issue, most likely in agreement with Apple’s stance.

Yet the contrarians remain. The entire argument of one of these contrarians – a chief scientist at a highly regarded security firm – revolves around “secret sauce”. It’s entirely possible for Apple to get around the encryption of the iPhone 5c recovered in San Bernardino, and doing so wouldn’t really be creating a backdoor for every iPhone. Are these assertions correct? Maybe. Possibly, even.

The metaphor of not seeing the forest for the trees is too often used, and anyone can be correct while still being incredibly dumb. Apple’s response to the FBI’s request is unprecedented. Apple is standing up to a court order – defying a court order – in the pursuit of privacy and security.

Historically, large companies haven’t cared about your privacy. The best example would be NSA equipment installed in an AT&T office in 2003, hoovering up Internet backbone traffic and sending that information off to points unknown. This wasn’t the first time AT&T provided data to the NSA; that occurred in 1985, with phone and email data being collected at points around the United States and sent off to NSA repositories.

Ma’ Bell isn’t alone, and for every conspiracy theory on government surveillance spoken in hushed tones over the years, there is always news telling us, ‘yes, the government is spying on you, and here are the companies that helped.’ Instead of the usual way of doing things, Apple is saying what anyone who knows anything about security has been saying forever. If a backdoor exists, you are not secure. Apple will not provide that backdoor, and Google concurs with Apple’s view.

What we have here is one of the largest companies on the planet, a company that is sitting on over two hundred billion dollars – cash – and wants to take this issue public. If anyone has the resources to stand up to a surveillance state, it is Apple.

And yet the contrarians continue to prove there is a difference between intelligence and wisdom. Just because Apple could comply with a court order, doesn’t mean they should. Just because you have a unique viewpoint doesn’t mean you should post it on your Medium blog. This is an opportunity for a company with a deep pocketbook to go up against a surveillance state that has acted against your interests time and time again. This opportunity will not come again.


Filed under: Featured, iphone hacks, news, security hacks

from iphone hacks – Hackaday

Thursday, February 11, 2016

Dry Ice is Nice for Separating Broken Phone Screens

Smartphones are the opium of the people. If you need proof, just watch the average person’s reaction when they break “their precious”. Repairing smartphones has become a huge business. The most often broken item on phones is of course the front glass. In most cases, the screen itself doesn’t break. On newer smartphones, even the touchscreen is safe. The front glass is only a protective lens.

The easiest way to repair a broken front glass is to swap the entire LCD assembly. For an iPhone 6 plus, this will run upwards of $120 USD. However, the glass lens alone is just $10. The problem is that the LCD, digitizer and front glass are a laminated package. Removing them without breaking the wafer thin LCD glass requires great care. The hardest part is breaking down the optical glue securing the glass to the LCD. In the past that has been done with heat. More recently, companies from China have been selling liquid-nitrogen-based machines that cool the assembly. Now immersing a phone screen in -196 °C liquid nitrogen would probably destroy the LCD. However, these machines use a temperature controller to keep a surface at -140 °C: just enough to cause the glue to become brittle, but not kill the LCD.

[JerryRigEverything] doesn’t have several thousand dollars for a liquid nitrogen machine, but he does have a $5 block of dry ice. Dry ice runs at -78.5 °C. Balmy compared to liquid nitrogen, but still plenty cold. After laying the phone screens down on the ice for a few minutes, [Jerry] was able to chip away the glass. It definitely takes more work than the nitrogen method. Still, if you’re not opening your own phone repair shop, we think this is the way to go.

Broken phones are a cheap and easy way to get high-resolution LCD screens for your projects. The problem is driving them. [Twl] has an awesome project on Hackaday.io for driving phone screens using an FPGA. We haven’t seen it done with iPhone 6 yet though. Anyone up for the challenge?


Filed under: iphone hacks, news

from iphone hacks – Hackaday

Friday, February 5, 2016

Replacing The iPhone 6 Button Bricks The Phone

News comes from The Guardian that the iPhone 6 will break because of software updates due to non-authorized hardware replacements. Several thousand iPhone 6 users are claiming their phones have been bricked thanks to software updates if the home button – and the integrated TouchID fingerprint sensor – were replaced by non-Apple technicians.

For the last few iPhone generations, the TouchID fingerprint sensor has been integrated into the home button of every iPhone. This fingerprint sensor provides an additional layer of security for the iPhone, and like everything on smartphones, there is a thriving market of companies who will fix broken phones. If you walk into an Apple store, replacing the TouchID sensor will cost about $300. This part is available on Amazon for about $10, and anyone with a pentalobe screwdriver, spudger, and fine motor control can easily replace it. Doing so, however, will eventually brick the phone, as software updates render the device inoperable if the TouchID sensor is not authorized by Apple.

According to an Apple spokeswoman, the reason for the error 53 is that the fingerprint data is uniquely paired to the TouchID sensor found in the home button. If the TouchID sensor were substituted with a malicious TouchID sensor, complete and total access to the phone would be easy, providing a forehead-slapping security hole. Error 53 is just Apple’s way of detecting devices that were tampered with.

In fairness to Apple, not checking the authenticity of the TouchID sensor would mean a huge security hole; if fingerprint data is the only thing keeping evil balaclava-wearing hackers out of your phone, simply replacing this sensor would grant them access. While this line of reasoning is valid, it’s also incredibly stupid: anyone can get around the TouchID fingerprint sensor with a laser printer and a bit of glue. If you ever get ahold of the German Defense Minister’s iPhone, the fingerprint sensor isn’t going to stop you.

This is a rare case where Apple are damned if they do, damned if they don’t. By not disabling the phone when the TouchID sensor is replaced, all iPhones are open to a gaping security hole that would send the Internet into a tizzy. By bricking each and every iPhone with a replacement TouchID sensor, Apple gets a customer support nightmare. That said, the $300 replacement cost for the TouchID sensor will get you a very nice Android phone that doesn’t have this problem.


Filed under: iphone hacks, news, security hacks

from iphone hacks – Hackaday

Monday, January 11, 2016

Using Over 3000A to Rapidly Charge an iPhone

Earlier this week I had the pleasure of doing something very stupid with another YouTuber. We wanted to see what would happen if you push over 3000A through an iPhone. The result? Fire. You get fire.

To perform this experiment we prepared a few different setups for maximum electrocution. The first was with the tried and true technique of re-wrapping a transformer to put out low volts at high current — essentially, a DIY spot welder. Now while most of those use a little transformer taken out of a microwave, I happened to have an industrial transformer about four times the size. Once re-wrapped to become a step-down transformer, it can produce approximately 1000A @ 1V … Or if you plug it into a 240V outlet, upwards of 2000A @ 2V — all depending on the resistance of whatever you’re putting in-between the contacts.

During the actual test we read about 1400A going through the iPhone with an ammeter. Which puts an iPhone 6 at a resistance of about 0.0014 ohms.

Now while running 1400A through an iPhone was quite spectacular, we were not yet satisfied. So we hooked up half a dozen marine-grade deep cycle lead acid batteries in parallel. Each battery is capable of outputting around 1000 cranking amps at a time, which puts our theoretical output (before things go south) at 12V and 6000A, or 72kW: the equivalent of three US households’ entire mains supply.

This time, we read over 3000A going into the phone. Take a look.

In addition, we also hooked up the phones to a 20,000V transformer to turn them into a mini Apple branded Jacob’s Ladder. No real point to doing this (the phones actually worked afterwards as well!) but it did make for a pretty cool picture.

So, stupidity aside, it is rather wasteful to destroy an iPhone for people’s entertainment — but… it was pretty entertaining, wasn’t it? [EverythingApplePro] likes to spice things up once in a while, departing from his normal jailbreaking, reviews, leaks and rumors to destroying an iPhone in a spectacular fashion. I was happy to lend a hand.

Hackaday does not endorse the destruction of high-value electronics for the enjoyment of the masses… but we do love to see a good explosion.


Filed under: iphone hacks

from iphone hacks – Hackaday

Friday, December 18, 2015

Immersive Theatre via iBeacons with Dustin Freeman

Combining backgrounds in math and theater, [Dustin Freeman] works on immersive, interactive theatrical experiences. During the day [Dustin] is a Spatial Interaction Engineer at Occipital, who makes the Structure Sensor. In his spare time [Dustin] works on digital theatre projects that bring the theatre goer far past the traditional row of seats.

The concept of immersive theatre is similar to ‘escape the room’ challenges and choose your own adventure experiences, in that the participants control the outcome of the experience by making decisions from the information supplied to them. [Dustin] explains in his talk that the feeling of trying to beat the clock that exists in escape the room challenges is not helpful in Floodlight’s The Painting. Floodlight is a theatre production company and The Painting is the immersive theatre experience put together by [Joshua Marx], professor of acting at San Jose State and [Dustin Freeman] who presented this 2015 Hackaday SuperConference talk.

The Painting

An immersive, interactive theatre experience requires a physical space for the participants to interact with the environment. To meet this requirement [Dustin] was able to gain access to a bar that is closed during the day. Having only periodic access required that the immersive theatre setup be done quickly; [Dustin] and [Josh] were able to get this done in under 30 minutes. You can’t do better than to have a real set, and The Speakeasy is a functioning bar ready for character interaction with minimal prep.

The premise of The Painting is that you arrive at The Speakeasy and [Josh] greets you at the door to let you in. As you enter he explains that he is very busy and he needs you to go upstairs and get a painting for him. You are equipped with a smartphone and a set of headphones so that [Josh] can communicate with you.

Technologically Navigated

Props throughout the set include iBeacons. When an iBeacon is detected by the smartphone, two pieces of information are received: the iBeacon’s ID and the estimated distance from the smartphone to the iBeacon. These parameters require some creative code, not only to move the story along but to decode the information received. The data from a sensed iBeacon is a scalar quantity (a distance) rather than a vector (a direction and a distance), so receiving multiple scalar quantities presents a set of problems that must be carefully solved. As shown in the image below, two iBeacons at the same distance from the smartphone cannot be told apart by distance alone, even though their physical locations differ. The image above shows how [Dustin] was able to solve the distance problem by varying the active radius of each iBeacon.


To determine how the story might play out [Dustin] used the Wizard of Oz Technique as a way to outline the needed code. By physically playing through the scenarios with [Josh] acting as the Wizard [Dustin] would move a game piece along a printout of The Speakeasy floor plan. This routine was whittled down to 4 variants which the two could turn into scripted navigation based on iBeacon location information.
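The scalar-distance problem and the per-beacon active radius fix described above, as an added Python example that is not [Dustin]’s production code: the props, cues and ranging values are constructed, and the rule that cues fire only in script order is an assumption about how the scripted navigation could be arranged.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Prop:
    beacon_id: str   # identifier the iBeacon advertises
    radius_m: float  # active radius: inside it the prop counts as reached
    cue: str         # line the participant hears when the prop is reached (constructed)


def props_in_range(props, rangings):
    """Return beacon ids of props whose ranging lies inside that prop's own radius.

    rangings is a list of (beacon_id, estimated_distance_m): the only two
    values the phone gets per sighted beacon.  Distance alone cannot say
    which of two equidistant props the participant is standing beside, so
    with identical radii both count as reached.
    """
    by_id = {p.beacon_id: p for p in props}
    reached = []
    for beacon_id, distance_m in rangings:
        prop = by_id.get(beacon_id)
        if prop is not None and distance_m <= prop.radius_m:
            reached.append(beacon_id)
    return reached


class StoryScript:
    """Fires each cue once, in script order (assumed arrangement).

    A participant who wanders past a later prop does not jump ahead, which
    resolves whatever ambiguity the per-prop radii leave.
    """

    def __init__(self, ordered_props):
        self.ordered_props = list(ordered_props)
        self.position = 0  # index of the next prop to be reached

    def observe(self, rangings):
        """Feed one batch of rangings; return the cue that fired, or None."""
        if self.position >= len(self.ordered_props):
            return None
        expected = self.ordered_props[self.position]
        if props_in_range([expected], rangings):
            self.position += 1
            return expected.cue
        return None


def run_story(ordered_props, batches):
    """Replay ranging batches through a script; return cues in the order fired."""
    script = StoryScript(ordered_props)
    fired = []
    for batch in batches:
        cue = script.observe(batch)
        if cue is not None:
            fired.append(cue)
    return fired


# Constructed props: the painting and the bar are neighbouring set pieces.
DOOR_CUE = "Go upstairs and fetch me the painting."
PAINTING_CUE = "Take the painting off the wall."
BAR_CUE = "Pour yourself a drink before you leave."
UNIFORM_RADII = [Prop("painting", 2.0, PAINTING_CUE), Prop("bar", 2.0, BAR_CUE)]
TUNED_RADII = [Prop("painting", 2.0, PAINTING_CUE), Prop("bar", 0.8, BAR_CUE)]

# Constructed ranging batch: the phone sees both beacons at 1.5 m.
SAME_DISTANCE = [("painting", 1.5), ("bar", 1.5)]

# Constructed walk through The Speakeasy, one ranging batch per step.
SCRIPT = [Prop("door", 1.0, DOOR_CUE), Prop("painting", 2.0, PAINTING_CUE), Prop("bar", 0.8, BAR_CUE)]
WALK = [
    [("door", 0.5)],
    [("painting", 1.5), ("bar", 1.5)],  # bar seen, but it is not next in the script
    [("bar", 0.5)],
    [("painting", 0.7)],                # script already finished: nothing fires
]

if __name__ == "__main__":
    print(props_in_range(UNIFORM_RADII, SAME_DISTANCE))  # ['painting', 'bar']
    print(props_in_range(TUNED_RADII, SAME_DISTANCE))    # ['painting']
    print(run_story(SCRIPT, WALK))
```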

Real World Issues

When designing the technological side of the production a few hiccups came to light. Most men (at least the two involved in designing The Painting) carry their phone in a front pants pocket. This is not true for everyone: women’s clothing often lacks pockets, and quite a few people opt for the back pocket when holstering their phone, given the front/back pocket option. This obviously changes the geometry between sensor and iBeacon, which has an effect on when a script event is triggered. In a back pocket or backpack the phone might not get within the correct range of an item to trigger an event. This problem is not yet solved, but may be fixed with something like a special garment that each participant can wear to normalize the cellphone pocket location.

This is an interesting use of Bluetooth technology and [Dustin] gave an informative talk that included not only what worked but what failed and how/why it failed. In the video and slides [Dustin] asks some good thought-provoking questions that would be a good place to continue this work, if you are interested in using the iBeacon technology in a similar way.


Filed under: cons, Featured, iphone hacks

from Hackaday » iphone hacks