By Eric Beasley
As the resident tech expert here at A Miner Detail, I’ve been covering the ongoing Apple v. FBI saga, which has come to an abrupt and not surprising end. Let me tell you why, in easy to understand terms.
The FBI has dropped their suit against Apple for assistance in decrypting the Government iPhone possessed by one of the San Bernadino shooters. Why? According to CNET:
The US Department of Justice, with the help of a third party, has successfully accessed data on a phone used by a terrorist in December’s attack in San Bernardino, California, the agency revealed in a court filing Monday.
The rumor mill in tech circles has been spinning about who this third party is, how they did it, and what this means for your personal security. So let me break this down for you.
First, who is the mystery third party? Right now the buzz indicates that Cellebrite, an Israeli company that specializes in cell phones made this possible. They make numerous products used by law enforcement and the military to unlock and copy data off of mobile devices.
Tech Talk: This does not surprise me, nor should it surprise you. There is absolutely nothing in the technology world that is immune from some sort of hack or security bypass. There are two possible scenarios for how Cellebrite was able to crack the iPhone: 1. After this saga started, the company realized that they had a huge opportunity for increased business. They took their hackers, put them in a dark basement, and supplied them with an infinite amount of Cheetos and Mountain Dew, with the explicit instructions to find a work-around. After some time, they discovered a Zero-Day vulnerability unknown to Apple that allows them to bypass the security features. 2. Another, and more likely scenario, is that Cellebrite developed a technique for mapping the machine code on the device and identify the memory sector used to verify the password. This is the technique that John McAfee proposed to do for free. For the end user, this means very little. Your average identity theft syndicate is not going to have access to this technology. Even a well-funded and organized criminal syndicate will not be able to do this.
TECH TALK UPDATE: It was pointed out to me by my tech savy friends that I missed a third possibility. The FBI could have desoldered the memory chips from the phone and copied the contents onto a new phone, then performed the desired brute force password guess attack. While this is plausible and technically sound, I have strong doubts this is what happened for a few reasons: 1. To guess every password combination, you would be bricking a lot of phones in the process. If it was a 4 digit combination, that's 10,000 possibilities and you would need 1,000 phones (10 guesses per dummy phone). The number of required phones increases exponentially in relation to the length of the combination. 2. I doubt the FBI would hand over the phone to a foreign company, even an allied country. 3.I doubt that the FBI has the technical ability to perform the desoldering and data copying. To be fair, the tasks could have been performed by another agency or a contractor.
Translation: Nothing on a computer is safe. It is possible that Cellebrite has discovered a way to bypass Apple’s security measures. Look for a update to be pushed out the second that Apple figures out how this was accomplished.
While your iPhone might be safe from criminals, what about the Government? Well, that’s the million dollar question. I honestly do not know. To answer that question fully, I would need to see the full details of the exploit and how the data was accessed.
If they used method #1, then every iPhone could be decrypted by the FBI with ease, as long as they had physical possession of the device. If they used method #2, the FBI would be unable to reproduce the exploit. The ability to read machine code (1’s and 0’s) is a unique skill possessed by very few IT professionals, and the FBI cannot afford any of them. Considering the strong pro-privacy beliefs of most IT folks, I could also see most of them refusing to perform that service.
The best news to come out of this entire story is that the FBI will no longer be actively attempting to coerce a private business to circumvent our Constitutional Rights. The bad news? The FBI may possess the technology to bypass iPhone security.
Oh yeah, almost forgot, #TaxationIsTheft.
I am waiting until some more facts come out. Given the number of outright lies this adminstration has uttered I am skeptical this is nothing more than an attempt to damage Apple.
You obviously are not in the security industry. The iPhone has been cracked for some time and there are several government agencies use this technology. On another note, how stupid are you? You really believe that to crack the iPhone you just put “hackers, put them in a dark basement, and supplied them with an infinite amount of Cheetos and Mountain Dew, with the explicit instructions to find a work-around.” For someone who is supposed to be a technical expert you really don’t seem to understand the very basics of how IT security works. The security industry is full of professionals coders who work in office buildings or home offices. We have families and friends and do much more than sit around and each Cheetos and drink Mountain Dew in a dark basement. Now lets look at your conclusions “If they used method #1, then every iPhone could be decrypted by the FBI with ease, as long as they had physical possession of the device. If they used method #2, the FBI would be unable to reproduce the exploit. The ability to read machine code (1’s and 0’s) is a unique skill possessed by very few IT professionals, and the FBI cannot afford any of them. Considering the strong pro-privacy beliefs of most IT folks, I could also see most of them refusing to perform that service.” Using method #1 does not require physical possession of the device. It just requires the ability to access the device. I can do it from anywhere in the world, as long as the device in question connects to a cell network. Method #2 does require a unique skill set, and quite a few of them are in the employment of the US Federal government, usually a through a government contractor. As for the “strong pro-privacy” belief of computer professionals, I think you will find that, as with most parts of life, there are people on all ends of the spectrum in the IT industry.
http://www.etc-md.com/archives/4373
1. Do you not understand sarcasm?
2. For an “IT Security Professional,” you understand very little about the iPhone security architecture. This version of iOS does not accept passcodes sent electronically, physical input is required. Your attack vector just failed miserably. So again, physical possession is a requirement and you are wrong.
3. Don’t parse my words. I said the FBI cannot afford someone with the required machine code skill set. I did not say the entire Federal Government, as I know they do exist.
4. IT professionals trend towards privacy, again which is exactly what I said.