DOJ Says iPhone Is So Secure They Can't Crack It

zacharye writes "In the five years since Apple launched the iPhone, the popular device has gone from a malicious hacker's dream to law enforcement's worst nightmare. As recounted by the Massachusetts Institute of Technology's Technology Review blog, a Justice Department official recently took the stage at the DFRWS computer forensics conference in Washington, D.C. and told attendees that the beefed up security in iOS is now so good that it has become a nightmare for law enforcement."

Re:I don't believe it

[TheLandyman]

I believe, as of iPhone 3GS, it does.. but I'm too lazy to google and confirm.

Re:I don't believe it

[Anonymous Coward]

Wrong.
It uses full disk encryption. However, that can be circumvented quite easily with a jailbreak (if one exists).

However, there is a second encryption system. This system derives the keys from your passcode and a key that is stored within a secure element on the iPhone. Thus, you need to know the Passcode of the iPhone in order to decrypt those files. Since, the key derivation function is tied to the passcode and the key within the secure element you cannot offload the brute-force attack to external machines, you need to do it on the iPhone. This means that a brute-force attack on a 4-digit PIN takes about 20 minutes (ok, that's not much), but when you consider complex PINs with 5 or more characters you are soon at 50 days (don't have the exact numbers in my mind right now, but there is a good presentation on that).

Downturn: You must rely on the app developer to chose the right protection class for the files. If he doesn't then you are down to the rather insecure full-disk-encryption, and you need to chose a longer Passcode...

Re:I don't believe it

[Anonymous Coward]

> "As far as I know the iphone doesn't use full disk encryption."

And because you don't know if it does that means it doesn't, right?

http://support.apple.com/kb/HT4175 [apple.com]

Full device encryption has been available since the 3GS, when they added in hardware encryption support to their iOS products.

Before speaking on a subject you know absolutely nothing about you should do a little research on it first.

Just ask Apple

[Anonymous Coward]

Just ask Apple the password they'll give it to you : http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

Umm.. what?

[Vellmont]

5 minutes ago I knew nothing of Apples full disk encryption. Now I find an article that states:

The release of the iPhone 3GS (and later iPod Touch 3rd Generation) brought hardware-based full disk encryption (FDE) to the iPhone. This was designed to accomplish one thing: instantaneous remote wipe. While the iPhone 3G had to overwrite every bit in flash memory (sometimes taking several hours), disk wiping on the 3GS worked by simply erasing the 256-bit AES key used to encrypt the data.

Unfortunately, disk encryption on the iPhone did little beyond enabling remote wipe. Mobile forensicator Jonathan Zdziarski found that the iPhone OS automatically decrypts data when a request for data is made, effectively making the encryption worthless for protecting data.

http://anthonyvance.com/blog/forensics/ios4_data_protection/ [anthonyvance.com]

So I'd say I'm just VERY skeptical that the DOJ can't crack something that wasn't really designed with any security in mind in the first place. Either that, or the DOJ has nobody with any skills whatsoever.

Re:Oblig xkcd

[cpu6502]

Hitting people with wrenches is forbidden by the Bill of Rights.

Re:I don't believe it

[wvmarle]

According to TFA, encryption and decryption is now available and built in in the hardware even. So it's become computationally cheap. The AES key is also burned in silicon, making it impossible to get to.

But as usual the weakest link is the user's password, in this case a PIN. A typical 4-digit PIN can be cracked (using special software to prevent phone from wiping itself after ten failed attempts) in a matter of minutes; one needs an 8-digit PIN to be reasonably secure (average 15 years for a brute-force attack).

Re:TWO WORDS

[Baloroth]

Isn't the iCloud stuff (specifically, the device backups) also AES encrypted with a key Apple doesn't have? I will have to dig up the article, but I'm pretty sure I saw that.

No. [arstechnica.com]

Re:TWO WORDS

[poetmatt]

quite the opposite, apple holds the key - so all it takes is a gov't request to apple and they have the master key.

http://arstechnica.com/apple/2012/04/apple-holds-the-master-key-when-it-comes-to-icloud-security-privacy/ [arstechnica.com]
http://arstechnica.com/apple/2012/04/can-apple-give-police-a-key-to-your-encrypted-iphone-data-ars-investigates/ [arstechnica.com]

Given their policies regarding a number of things which are dinosaur-era, we don't have an answer to whether or not they will give it away or not. I don't know that an official statement has ever been made by apple. The question is - do you want to trust that information with apple? Specifically: 100% uncertainty? That's not a "apple is evil, apple is not evil".

Re:Government Computer Skillz

[Anonymous Coward]

The burden of proof is on you, not them, under UK law, provided they can prove you ever had access to the password.

Or to put it another way, you are responsible for maintaining accurate records of every encryption passphrase you ever use.

Enjoy your SSH session keys.

Re:Government Computer Skillz

[Migraineman]

They don't need to. That's what "Contempt of Court" is for - toss you in the clink until your memory improves.

Re:I don't believe it

[dgatwood]

That's because the password-protected encryption doesn't encrypt the whole disk. It encrypts individual files. There is a full-disk encryption key, but its purpose is to make wiping the device a single block write operation (overwrite the key) instead of a complete wipe of tens of gigabytes.

Re:TWO WORDS

[blueg3]

I can't help but wonder the purpose of a DOJ statement like his being made public.

It was a higher-up in the DoJ (specifically, Ovie Carroll) discussing challenges in digital forensics (at a conference on digital forensics). It was a brief mention in a larger talk and a fact that does not surprise anyone in the field. It's well-known that pulling data off of an iPhone can be a real pain in the ass. (IMO, I would consider Android worse, as there is not yet a reliable technique that can pull data off of an unrooted phone without modifying the phone's data, and data modification -- even when justified and documented -- is a big problem in some jurisdictions.)

Re:Oblig xkcd

[Hatta]

Only if done as punishment. According to Scalia, as long as it's not punishment, torture is constitutional. [thinkprogress.org]

STAHL: If someoneâ(TM)s in custody, as in Abu Ghraib, and they are brutalized, by a law enforcement person â" if you listen to the expression âoecruel and unusual punishment,â doesnâ(TM)t that apply?

        SCALIA: No. To the contrary. You think â" Has anybody ever referred to torture as punishment? I donâ(TM)t think so.

        STAHL: Well I think if youâ(TM)re in custody, and you have a policeman whoâ(TM)s taken you into custodyâ"

        SCALIA: And you say heâ(TM)s punishing you? Whatâ(TM)s he punishing you for? ⦠When heâ(TM)s hurting you in order to get information from you, you wouldnâ(TM)t say heâ(TM)s punishing you. What is he punishing you for?

Re:Umm.. what?

[bill_mcgonigle]

Last time I checked, the government can't lie. It can only deny.

Sorry, incorrect. Go watch "Don't talk to police" on YouTube. Required viewing for US residency.

Re:Government Computer Skillz

[Hatta]

In the U.S., the 5th Amendment prevents someone from being required to turn over their password.

This is still unsettled. The 11th Circuit Court [wired.com] has ruled that passwords are protected under the 5th amendment. However the 10th Circuit [huffingtonpost.com] has chosen not to intervene in a lower court decision that forced a woman to decrypt her laptop.

This is going to have to go to the Supreme Court eventually, and I think you can guess how the fascist majority of justices will decide.

Re:Government Computer Skillz

[Hatta]

Wikipedia [wikipedia.org] sez:

In civil contempt cases there is no principle of proportionality. In Chadwick v. Janecka (3d Cir. 2002), a U.S. court of appeals held that H. Beatty Chadwick could be held indefinitely under federal law, for his failure to produce US$ 2.5 mill. as state court ordered in a civil trial. Chadwick had been imprisoned for nine years at that time and continued to be held in prison until 2009, when a state court set him free after 14 years, making his imprisonment the longest on a contempt charge to date.

Re:TWO WORDS

[DJRumpy]

FYI, this is the source of the summary quotes (adhoc as they are) and also addresses other questions regarding device security as opposed to iCloud security which has nothing to do with the linked articles.

"I can tell you from the Department of Justice perspective, if that drive is encrypted, you're done," Ovie Carroll, director of the cyber-crime lab at the Computer Crime and Intellectual Property Section in the Department of Justice, said during his keynote address at the DFRWS computer forensics conference in Washington, D.C., last Monday. "When conducting criminal investigations, if you pull the power on a drive that is whole-disk encrypted you have lost any chance of recovering that data."

At the heart of Apple's security architecture is the Advanced Encryption Standard algorithm (AES), a data-scrambling system published in 1998 and adopted as a U.S. government standard in 2001. After more than a decade of exhaustive analysis, AES is widely regarded as unbreakable. The algorithm is so strong that no computer imaginable for the foreseeable future—even a quantum computer—would be able to crack a truly random 256-bit AES key. The National Security Agency has approved AES-256 for storing top-secret data.

Apple did not respond to requests for comment on this story. But the AES key in each iPad or iPhone "is unique to each device and is not recorded by Apple or any of its suppliers," the company said in a security-related white paper. "Burning these keys into the silicon prevents them from being tampered with or bypassed, and guarantees that they can be access only by the AES engine."

It also notes the key here, that while the device is powered on, it is still possible to obtain the key from memory, but once the device is turned off, the key is lost. It also notes that the decryption key itself is encrypted by the device pin, meaning an easy pin is an easily decrypted device. This is true for any mobile device, and a good reason to enable a strong ping instead of the default 4 char code seen on most devices.

What I found curious about the article is that they didn't emphasize this point. Video's of police decrypting a device due to a weak 4 pin character lock within a matter of seconds are available for any number of devices. I am curious how much additional computing power is needed to decrypt a device for each character added to the unlock sequence.

Scare tactics.

[Firethorn]

Okay, can't watch the youtube video(blocked due to limited bandwidth here), but it let me onto the infowars site.

750M rounds is 2.5 rounds per person in the USA, yes. However: Scare tactics are being used.

First, it's for training ammunition - my training/qualification for the year is at well over 500 rounds between pistol and rifle(~half each). I'm not DHS, but it should be a clue as to how many rounds it takes to train&qualify somebody. It's often an annual requirement.

Second - it's a 'purchase UP TO' order, up to 70M rounds/year, between all winning parties, for a 5 year contract. NOT 'planning to buy 750M rounds of ammo'. Going by the contract, that's a MAX of 350M. The minimum order in a year is 1 lot of 1k rounds. In these sorts of contracts they list the maximum possible they expect for each item - for example, a big purchase of .40S&W handguns, a shift to .357 Sig, whatever. .223 is well represented, though I wonder that they aren't shooting NATO 5.56 spec rifles(the difference is about a human hair; doesn't matter much in training I guess). Going by my figure, a max order of 70M rounds would let you dual-qualify ~140k people. Office types trained 'just in case' would use a bit less ammo, SWAT types far more. A quick search shows 160k [syr.edu] employees in DHS. Or maybe it's 188k employees AND 200k contractors [fcw.com]. Whatever. I doubt they're going to be qualifying EVERYONE anytime soon, and probably don't plan to short of some crazy doomsday scenarios.

Third - "including 357 mag rounds that are able to penetrate walls." - just about ANY handgun self defense caliber is fully capable of penetrating a wall while remaining potentially lethal. It's a simple fact that a human body, which self defense rounds generally have to be able to completely penetrate to be considered effective, is more difficult to penetrate than 2 sheets of drywall. You want to go back to yea old days - when the .357 was developed, the standard was actually penetrating a car windscreen with a maximum deflection such that you'd still hit the driver. 9mm, btw, is 'normally' powerful enough for this, though you might need 2 shots(not as big of a deal for a semi), but this was back when we were still issuing revolvers to police. While we're at it, the contract also lists rifle calibers - .223, .30-06, and .308; all far more powerful than .357.

In other words, it's a big hoopla over just about nothing.

Re:TWO WORDS

[Y-Crate]

The same subpoena can't get the data out of RIM actually -- device to device communications are encrypted in such a way that RIM has no access to the contents.

Yeah, about that... [indiatimes.com]

Re:TWO WORDS

[TheRaven64]

Not true. It's absolutely fine to store your data on someone else's server as long as it's encrypted, you have the key and they don't. For example, using tarsnap [tarsnap.com] for backups should not be a problem, because the data is encrypted on the client and uploaded. Someone I know just submitted a PhD thesis on storing data securely on untrusted servers (well, a bit more than just that) and it's quite possible. That doesn't solve the reliability issue, of course, you still have to trust the remote site to stay in business, and to have adequate redundancy and backups. Even that can be addressed by sending your data to multiple providers.