Forgot your password?
typodupeerror
Cellphones Crime Handhelds IOS Iphone Privacy Security Apple

DOJ Says iPhone Is So Secure They Can't Crack It 454

Posted by samzenpus
from the too-hard dept.
zacharye writes "In the five years since Apple launched the iPhone, the popular device has gone from a malicious hacker's dream to law enforcement's worst nightmare. As recounted by the Massachusetts Institute of Technology's Technology Review blog, a Justice Department official recently took the stage at the DFRWS computer forensics conference in Washington, D.C. and told attendees that the beefed up security in iOS is now so good that it has become a nightmare for law enforcement."
This discussion has been archived. No new comments can be posted.

DOJ Says iPhone Is So Secure They Can't Crack It

Comments Filter:
  • by ryanov (193048) on Monday August 13, 2012 @12:20PM (#40974953)

    I've never been too impressed with government agencies and their knowledge of computing.

    • TWO WORDS (Score:5, Insightful)

      by Jeremiah Cornelius (137) on Monday August 13, 2012 @12:28PM (#40975089) Homepage Journal

      iCloud Supoena.

      So, the "remote control" is uncrackable? iCloud and Siri and "location awareness" with GSM, WiFi and GPS make the security of the actual device nearly an orthoganal proposition to any enforceable protection for the user or data.

      When this is so clearly a form of misdirection, I can't help but wonder the purpose of a DOJ statement like his being made public. Which perception and behaviour are they trying to influence, and by whom?

      • Re:TWO WORDS (Score:5, Insightful)

        by CanHasDIY (1672858) on Monday August 13, 2012 @01:12PM (#40975711) Homepage Journal

        When this is so clearly a form of misdirection, I can't help but wonder the purpose of a DOJ statement like his being made public

        Setup for a false flag operation:

        - DOJ publicly claims Device X is secure from their snooping
        - Suckers fall for the ploy and migrate to Device X, assuming it's safe from prying gov't eyes
        - DOJ forces Device X's manufacturer, via NSL or similar devious means, to turn over user information.
        - Device X's user has no idea what's going on, thanks to draconian EULA and ToS, until jackbooted thugs kick in the door.

        It's quite brilliant, really. Or, would be, if not so obvious.

        • Re:TWO WORDS (Score:5, Insightful)

          by Kjella (173770) on Monday August 13, 2012 @02:09PM (#40976413) Homepage

          Except what you're describing is not a false flag operation.

          False flag (also known as black flag) operations are covert operations designed to deceive in such a way that the operations appear as though they are being carried out by other entities.

          This may be a disinformation campaign but unless the DOJ is posing as someone else, it's not a false flag.

          • Except what you're describing is not a false flag operation.

            Of course, but "false flag" sounds so cool!

      • Re:TWO WORDS (Score:5, Informative)

        by blueg3 (192743) on Monday August 13, 2012 @01:21PM (#40975831)

        I can't help but wonder the purpose of a DOJ statement like his being made public.

        It was a higher-up in the DoJ (specifically, Ovie Carroll) discussing challenges in digital forensics (at a conference on digital forensics). It was a brief mention in a larger talk and a fact that does not surprise anyone in the field. It's well-known that pulling data off of an iPhone can be a real pain in the ass. (IMO, I would consider Android worse, as there is not yet a reliable technique that can pull data off of an unrooted phone without modifying the phone's data, and data modification -- even when justified and documented -- is a big problem in some jurisdictions.)

      • by Quiet_Desperation (858215) on Monday August 13, 2012 @02:55PM (#40976831)

        It's misdirection to misdirect you from the misdirected misdirect, and time passes more slowly at each level of misdirection until you spend a lifetime misdirected into Limbo! THAT'S WHEN THEY GET YOU! #theyareouttogetyou

    • mod TFS (Score:5, Insightful)

      by AliasMarlowe (1042386) on Monday August 13, 2012 @12:39PM (#40975241) Journal

      TFA and TFS should be modded +5 Funny.
      One suspects that there are back doors all over the iPhone, in addition to the various apps that have access to remarkable amounts of stored material and regularly send it home (or elsewhere). Otherwise its alleged impenetrability would hardly be promoted by law enforcement. It's like Brer Rabbit pleading "please don't throw me in the briar patch".

      • by Brannon (221550) on Monday August 13, 2012 @01:11PM (#40975701)

        would that still be a misdirection?

        Oh, I see, anything which is said in favor of iPhone security is "reverse psychology", anything critical of iPhone security is "speaking truth to power".

        You guys crack me up.

      • Re:mod TFS (Score:5, Interesting)

        by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Monday August 13, 2012 @01:45PM (#40976139) Homepage Journal

        This is purely anecdotal, but... I was recently on a flight next to a highway patrolman flying back from a conference for computer detectives (my words, not his; I don't remember what the actual job title was). He showed me the modified Ubuntu distro DVD they were passing out - "Look, it has a password cracker!" "Is that John the Ripper?" "You've heard of that?!?" - and we had a pretty nice chat.

        During the conversation, I mentioned that iPhones are encrypted now. I asked, "OK, hypothetically, suppose I'm a mafia drug dealer and you get my encrypted cell phone. How screwed am I?" He said that they'd get a subpoena for my house, show up with a search warrant, and read the backup off my Mac's hard drive, "and then we run this app [opens it to show it to me] and have full access to all your data!" I told him that was pretty impressive, "but... what if I turn on FileVault and encrypt my whole hard drive?" He looked like I'd kicked his puppy and said that most criminals aren't smart enough to do that, but in that case, yeah, there was nothing he could do.

        Feel free to take that with a grain of salt, but I had a detective tell me - in an unguarded two-geeks-talking moment with no apparent motive or visible sign of deceit - that the only way they could recover an encrypted iPhone's contents was through examining the unencrypted backup from an unencrypted hard drive. Now this was a state highway patrol guy and not an NSA analyst, and maybe the higher-up guys have access to emergency use stuff they're not talking about, but my takeaway was that the state-level police really don't have any way to defeat the encryption.

        • Re:mod TFS (Score:5, Interesting)

          by Shakrai (717556) * on Monday August 13, 2012 @02:04PM (#40976349) Journal

          Now this was a state highway patrol guy and not an NSA analyst, and maybe the higher-up guys have access to emergency use stuff they're not talking about, but my takeaway was that the state-level police really don't have any way to defeat the encryption.

          Without talking about bad implementation (e.g., weak passwords) or side channel attacks (keystroke loggers and the like) it seems exceedingly unlikely that any law enforcement agency would have the ability to defeat modern encryption algorithms. Even if the NSA has such an ability (the math geeks can comment on the likelihood of this) it would be far too valuable to waste on something as mundane as a criminal prosecution. National Security concerns trump the incarceration of child molesters, drug dealers, murderers, and other common criminals.

          Far more interesting than the technical aspect will be the evolution of 5th amendment case law as it relates to encryption. There is no definitive legal precedent in the United States as to whether or not you can be compelled to disclose an encryption password. There have been a few cases that have danced around the edge of this question, but none have directly addressed it, nor have they made it to SCOTUS.

          • Exactly. He told me, basically, that the main (only?) side channel attack was getting the unencrypted backup. And yeah, I strongly suspect that if the NSA had the ability to crack AES, it would only be used for situations that you and I would never hear about. The instant it came out in even the most important of public trials, everyone would stop relying on AES about 30 seconds later.

          • by swillden (191260)

            Even if the NSA has such an ability (the math geeks can comment on the likelihood of this)

            I don't personally count as such a math geek, but I know some who do, and the consensus is that, no, the NSA does not. Academic cryptographers who regularly collaborate with NSA cryptographers have the general impression that while it's likely that the NSA knows a number of tricks that academic cryptographers don't, that in many areas the NSA is learning a great deal from published work. In other words, the NSA may still be ahead, but not by that much.

            With that in mind, put yourself in the shoes of the

        • Re:mod TFS (Score:4, Interesting)

          by mark-t (151149) <markt@ l y n x.bc.ca> on Monday August 13, 2012 @02:13PM (#40976455) Journal

          "....most criminals aren't smart enough to do that"

          I can't seem to help but read that as ".... criminals who are smart enough to do that will probably get away."

    • by Sparticus789 (2625955) on Monday August 13, 2012 @12:47PM (#40975371) Journal

      I was at this conference, the running joke was "If it's encrypted, forget about it!" Everyone knows this. FDE and utilities like TrueCrypt will always prevent data recovery, save for the human factor of giving up the password.

      Also at the conference was the strong difference between American and British/Australian law. In the U.S., the 5th Amendment prevents someone from being required to turn over their password. The Brits and Aussies do not have this problem, as the 5th amendment doesn't exist for them.

    • by Darinbob (1142669)

      It's simple. First you hack their Amazon account, then that gets you into Google, and from there breaking into the iPhone is easy enough for a 14 year old.

  • by carrier lost (222597) on Monday August 13, 2012 @12:21PM (#40974969) Homepage

    Gee. The government can't spy on you using your own hardware?

    This is truly frightening.

  • (also article is a little too breathlessly enamored of apple: PR astroturf?)

  • by Jeremy Erwin (2054) on Monday August 13, 2012 @12:23PM (#40974999) Journal

    It's a start.

    • by DJ Jones (997846)
      In unrelated news: Apple sued by DOJ for breaking anti-trust laws. Suit settled out of court for unknown damages.

      ....Soon thereafter, US Homeland Security Agency states "we have no more concerns regarding apple's encryption systems".
  • by Anonymous Coward on Monday August 13, 2012 @12:23PM (#40975003)

    ...I've got some "moon" rocks I'd like to sell you.

    Honestly, this seems like a way to trick dumb criminals into thinking their information is secure just because they use an iPhone. If this were truly the case, and the DOJ does really have problems in dealing with iOS devices, I'd expect them to remain tight lipped about it.

    • by Dins (2538550)

      If this were truly the case, and the DOJ does really have problems in dealing with iOS devices, I'd expect them to remain tight lipped about it.

      No, they'd strong arm Apple into providing them with back doors and then remain tight lipped about it...

    • If in the first public trial it came to light that the DOJ of the government had a way to decrypt any iPhone, the secret would then become public knowledge. So far there has been no such trial.

  • How long until they just resort to this [xkcd.com]?

    • Re:Oblig xkcd (Score:5, Informative)

      by cpu6502 (1960974) on Monday August 13, 2012 @12:43PM (#40975309)

      Hitting people with wrenches is forbidden by the Bill of Rights.

      • by plover (150551) *

        Using evidence in court that was obtained by hitting you with wrenches is forbidden, nor can they use information derived from that information. (Fruit of the poisoned tree.)

        Depending on the data, though, they may not be nearly as interested in prosecuting you.

      • Re:Oblig xkcd (Score:4, Insightful)

        by KhabaLox (1906148) on Monday August 13, 2012 @12:56PM (#40975501)

        Hitting people with wrenches is forbidden by the Bill of Rights.

        Your point being....?

        Didn't stop them from hitting Padilla or Manning with metaphorical wrenches. A couple more direct examples: reporters [wikipedia.org] jailed (or threatened [nytimes.com] with jail) for not revealing their sources.

      • by h4rr4r (612664)

        Which is why they just water board you, for extra Bill of Rights goodness they do that at a military base on a small island nation right off the coast.

      • Re:Oblig xkcd (Score:5, Informative)

        by Hatta (162192) on Monday August 13, 2012 @01:25PM (#40975867) Journal

        Only if done as punishment. According to Scalia, as long as it's not punishment, torture is constitutional. [thinkprogress.org]

        STAHL: If someoneâ(TM)s in custody, as in Abu Ghraib, and they are brutalized, by a law enforcement person â" if you listen to the expression âoecruel and unusual punishment,â doesnâ(TM)t that apply?

                SCALIA: No. To the contrary. You think â" Has anybody ever referred to torture as punishment? I donâ(TM)t think so.

                STAHL: Well I think if youâ(TM)re in custody, and you have a policeman whoâ(TM)s taken you into custodyâ"

                SCALIA: And you say heâ(TM)s punishing you? Whatâ(TM)s he punishing you for? ⦠When heâ(TM)s hurting you in order to get information from you, you wouldnâ(TM)t say heâ(TM)s punishing you. What is he punishing you for?

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          "What is he punishing you for?"

          Sadly the answer to that is so bloody obvious that it strains disbelief that Scalia wouldn't know it before he asked the question.

          Quite simply, he's punishing you for not telling him what he wants to hear. That's all torture is good for anyway. If you torture someone long enough, they'll eventually figure out what you want to hear and start singing that tune like a canary. Note: What you want to hear has little, if anything, to do with the truth (except, perhaps, by coincid

  • by turbidostato (878842) on Monday August 13, 2012 @12:29PM (#40975099)

    The iPhone sports a master encryption key and DOJ has access to it.

  • Umm.. what? (Score:5, Informative)

    by Vellmont (569020) on Monday August 13, 2012 @12:34PM (#40975179) Homepage

    5 minutes ago I knew nothing of Apples full disk encryption. Now I find an article that states:

    The release of the iPhone 3GS (and later iPod Touch 3rd Generation) brought hardware-based full disk encryption (FDE) to the iPhone. This was designed to accomplish one thing: instantaneous remote wipe. While the iPhone 3G had to overwrite every bit in flash memory (sometimes taking several hours), disk wiping on the 3GS worked by simply erasing the 256-bit AES key used to encrypt the data.

    Unfortunately, disk encryption on the iPhone did little beyond enabling remote wipe. Mobile forensicator Jonathan Zdziarski found that the iPhone OS automatically decrypts data when a request for data is made, effectively making the encryption worthless for protecting data.

    http://anthonyvance.com/blog/forensics/ios4_data_protection/ [anthonyvance.com]

    So I'd say I'm just VERY skeptical that the DOJ can't crack something that wasn't really designed with any security in mind in the first place. Either that, or the DOJ has nobody with any skills whatsoever.

  • by Minwee (522556) <dcr@neverwhen.org> on Monday August 13, 2012 @12:40PM (#40975261) Homepage

    I look forward to Ovie Carroll's next few breathless announcements:

    "Hooh, boy, that YouTube is soooo secure, a person could sign up for an account using their real name and home address, then post videos of them committing crimes online and law enforcement would never ever be able to track them! Honest!"

    "You know where the safest place to hide stuff is? Underneath the welcome mat at 950 Pennsylvania Avenue, NW in Washington, DC. Really! We did a study and figured out that once that mat is pushed down on top of something, whether it's drugs, cash or big file folders full of industrial secrets, there's NO way that any one can get into it."

    "My biggest nightmare is someone committing a crime, then emailing a detailed confession to ovie.carroll@usdoj.gov. Once something gets into those email tubes it's IMPOSSIBLE to get it back out and figure out what happened. Really. You can trust me. I'm with the government."

  • Easy (Score:5, Funny)

    by Dcnjoe60 (682885) on Monday August 13, 2012 @12:50PM (#40975423)

    DOJ Says iPhone Is So Secure They Can't Crack It

    I dropped mine off the balcony to the pavement below. It seems that it is very easy to crack an iPhone.

  • encryption laws (Score:5, Interesting)

    by Sebastopol (189276) on Monday August 13, 2012 @01:06PM (#40975647) Homepage

    Can somebody explain how if the iPhone is so uncrackable/breakable that Apple can still export it? I seem to recall some kind of PGP problem where exporting something that was too secure was a violation of US laws. Or maybe I'm mixing reality with a bad Nicholas Cage movie, which is entirely possible.

    • by PPH (736903)

      Old news. They eased up on encryption export restrictions years ago. It was driving all the encryption R&D overseas where our gov't had even less control over it.

  • So we know it's true.

Moneyliness is next to Godliness. -- Andries van Dam

Working...