Author Topic: And so, supposedly, Apple's latest iOS iPhone password can be brute-forced


Offline Decoman

  • Regular Contributor
  • *
  • Posts: 160
  • Country: no
There seems to be a new development with regard to what I guess people might think of as being the best of the best in the consumer products range: Apple's iPhones. I am not sure, but I think this might also impact the iPad, but this sort of went past me as I read about this.

I am supposed to build my LED project but the project is on hold, though I suspect that people might find this kind of news interesting, and presumably there is merit to this vulnerability. I am thinking this is an intentional backdoor, as an intended weakness, but what do I know; I can only speculate.

This article dates back to only yesterday, 22 June 2018.
https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/ ("A hacker figured out how to brute force iPhone passcodes")

"The attack allows any would-be-hacker to run as many passcodes as they want, without destroying the data."

I know that "hacking" is both a generic, non-negative word for tinkering with something; however, the media tend to use "hacking" as a purely negative, loaded word implying criminality, so I find it amusing that ZDNet uses the phrase 'hacking' in the title and 'security researcher' in the article text. Maybe the author of the article didn't write the headline, I am thinking.

So, some time ago (in 2016 I think), there was a congressional hearing in the USA ("House Judiciary Committee") at which Apple had to show up, at a time when the Federal Bureau of Investigation claimed that they could not bypass the password protection without making the phone they wanted to get into inaccessible by being locked out of it. Later there was news of some Israeli company that is mentioned as having helped the FBI in this regard (random reference to this linked below). What they did with the actual phone I have no idea. I don't remember reading anything about opening up that one particular phone, or whether they found anything interesting at all. I believe Apple was initially asked by the FBI to provide a tool for breaking into this mobile phone made by Apple, and afaik Apple declined to provide this type of tool.

I think it is fair to say that Apple is not interested in having the public image of someone that sells phones which by design would be accessible to law enforcement, and who knows who else. It should be pointed out that there is also a parallel discussion/problem to this, among security researchers and others knowledgeable in the subject matter, and afaik the latest development there is that security experts seem to agree that there is no secure way to create a mandated backdoor in products for law enforcement without such a backdoor being vulnerable to use by others. I guess with the seemingly non-stop news about terrible computer security, who will notice yet another news article about some new vulnerability in phones, the internet, or computer hardware in general.
http://www.dailymail.co.uk/news/article-3514875/Israeli-firm-helped-FBI-crack-San-Bernardino-gunman-s-cellphone-without-Apple-s-help.html (FBI's demand for Apple to develop a tool)

And the ZDNet article above links to this other article, which in turn links to a Forbes article about a US-based company that supposedly is selling boxes that can break into iPhones, as I understand it:
https://www.zdnet.com/article/graykey-box-promises-to-unlock-iphones-for-police/ (article from 19 March 2018)


Here's also a link to a recent article by Bruce Schneier, unrelated to the iPhone article, regarding what is described as "Security is failing just as technology is becoming autonomous (...)".
https://www.theregister.co.uk/2018/06/22/security_failing_iot_schneier/ ("Schneier warns of 'perfect storm': Tech is becoming autonomous, and security is garbage", Autonomous vehicles related)

As someone who isn't that into electronics or computer programming, what I believe I have learned is that the very idea of something in particular being secure, or providing security, doesn't fare well if the IMPLEMENTATION of a design has flaws or if there are other vulnerabilities associated with a product.

Then there is the imo scary thing where the design itself isn't secure. One example that I can think of would be the NSA-sponsored 'dual elliptic curve deterministic random bit generator' that was incorporated into a standard and is believed to have defeated secure SSL/TLS encryption for years, and was used for seven years between 2006 and 2014 according to the Wikipedia entry on the subject (is anyone unwittingly still using Dual_EC_DRBG, and is it even possible? I have no idea). I honestly don't understand how it can be insecure, but apparently NSA paid NIST (or RSA Security it was perhaps) a lot of money to have it included in the standard, and NSA is said to have been working on it, and is believed to know the ins and outs of it, it probably being a backdoor.
https://en.wikipedia.org/wiki/Dual_EC_DRBG
https://blog.cryptographyengineering.com/2013/09/18/the-many-flaws-of-dualecdrbg/ (A 2013 article that discusses the ways in which 'Dual_EC_DRBG' is believed to be insecure.)

I can see how people like their smartphones, with the high res screens, camera feature for both stills and video, and whatnot, but I never liked smart phones, and I don't go around thinking that consumer products like mobile phones, or the internet, have good security. :|

One more thing, for those who think that espionage is a laudable and wholesome activity done by people who can do no wrong: I remember reading through the book 'Privacy on the Line' by Whitfield Diffie and Susan Landau, and I remember this one moment about how espionage against others would, I think, obviously be something that sabotages any negotiations between two parties, if you sought to learn the lowest offer the other party would be willing to accept for any upcoming agreement. Then ofc there is the whole privacy-need issue, or just 'privacy' as it is unfortunately called, and with the internet of things and insecure thingies you might as well include 'personal safety' as being at risk when you can't fully trust your refrigerator, your door lock, your car, your phone, your pacemaker or other gadgets.

I want to add that I sometimes come across a video showing a discussion panel about what is said to be secure and anonymous research into public data, something Landau has talked about in those debates, but it really unnerves me what kind of research this is, as I don't know anymore if Landau is pushing for a new technology in a world where privacy needs aren't respected by anyone, or if I am just misunderstanding what kind of technology this might be. I worry that all the data and metadata of 'personal data' used by corporations will become this kind of whitewashed activity that not only is "legal" but somehow secure, as if things could still be private with all that data being analyzed. I think at least that 'anonymous' should not be synonymous with 'privacy' given the context of it all.
Privacy ought, imo, to be about people's general and specific privacy needs, and never 'a product' nor 'a right' as such; otherwise there can obviously be no principled understanding when treating something supposed to be as serious, and more to the point as personal to the individual, as nothing more than a pragmatic concern with regard to laws or other inane ideas that go around in the name of "privacy".
« Last Edit: June 23, 2018, 09:28:59 am by Decoman »
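Added example, not part of Decoman's post or of the linked articles: a runnable Python model of the Dual_EC_DRBG trapdoor, which is the concrete answer to "I honestly don't understand how it can be insecure". Each round of the generator outputs the x-coordinate of r*Q with some top bits dropped and moves to a next state that is the x-coordinate of r*P. Anyone who knows a d with P = d*Q can rebuild r*Q from one output, multiply it by d to obtain r*P, and read off the next state, after which every later output is predictable. Assumptions in this toy: a tiny curve over p = 97 searched for at import time (not the P-256 curve or the fixed P and Q from the standard), 2 dropped bits instead of the real 16, and an arbitrary secret e = 7 and seed 42.

```python
"""Toy Dual_EC_DRBG on a tiny curve with the Shumow/Ferguson trapdoor: whoever knows d
with P = d*Q recovers the generator state from one output and predicts every later one.
Constructed example: the curve is searched for at import time and is NOT the NIST P-256
curve or the P/Q constants from the standard; the seed and secret e are arbitrary."""
from math import isqrt

P_MOD = 97                   # toy field prime (assumed)
XBITS = P_MOD.bit_length()   # 7 bits per x-coordinate
KEEP = XBITS - 2             # output = low 5 bits of x (the real spec drops the top 16 of 256)
INF = None                   # point at infinity

def legendre(v):
    """0 if v == 0, +1 if v is a square mod P_MOD, else -1."""
    v %= P_MOD
    return 0 if v == 0 else (1 if pow(v, (P_MOD - 1) // 2, P_MOD) == 1 else -1)

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, isqrt(n) + 1))

def find_curve():
    """y^2 = x^3 + a*x + b with prime order >= P_MOD and no point at x = 0, so every
    scalar used below (states and x-coordinates, all in 1..96) is nonzero mod the order."""
    for a in range(1, P_MOD):
        for b in range(1, P_MOD):
            if (4 * a**3 + 27 * b**2) % P_MOD == 0 or legendre(b) != -1:
                continue
            n = 1 + sum(1 + legendre(x**3 + a * x + b) for x in range(P_MOD))
            if n >= P_MOD and is_prime(n):
                return a, b, n
    raise RuntimeError("no suitable toy curve")

A, B, ORDER = find_curve()

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def xcoord(pt):
    return 0 if pt is INF else pt[0]

# Base point P = first curve point by x. Q = e*P, so d = e^-1 mod ORDER satisfies P = d*Q.
# Nothing in the output reveals d; the standard never said how its P and Q were chosen.
P = next((x, y) for x in range(1, P_MOD) for y in range(P_MOD)
         if (y * y - x**3 - A * x - B) % P_MOD == 0)
E_SECRET = 7                          # assumed secret relating Q to P
Q = mul(E_SECRET, P)
D_TRAPDOOR = pow(E_SECRET, -1, ORDER)

def dual_ec_step(s):
    """One round: r = x(s*P); next state = x(r*P); output = low KEEP bits of x(r*Q)."""
    r = xcoord(mul(s, P))
    return xcoord(mul(r, P)), xcoord(mul(r, Q)) & ((1 << KEEP) - 1)

def generate(seed, n):
    """Return (outputs, states); states[i+1] is the internal state after outputs[i]."""
    outs, states = [], [seed]
    for _ in range(n):
        seed, o = dual_ec_step(seed)
        outs.append(o)
        states.append(seed)
    return outs, states

def recover_state(outputs, d):
    """Attacker holding d: rebuild the candidate points R = r*Q from outputs[0] by
    brute-forcing the dropped bits, compute d*R = r*P (its x is the next state), and
    keep the candidates that reproduce outputs[1:]. Returns the surviving states."""
    first, later = outputs[0], outputs[1:]
    found = []
    for j in range(1 << (XBITS - KEEP)):
        x = first | (j << KEEP)
        if x >= P_MOD:
            continue
        rhs = (x**3 + A * x + B) % P_MOD
        ys = [y for y in range(P_MOD) if y * y % P_MOD == rhs]
        if not ys:
            continue                                  # not the x of any curve point
        s = xcoord(mul(d, (x, ys[0])))                # same x for R and -R
        if generate(s, len(later))[0] == later:
            found.append(s)
    return found
```

Calling generate(42, 6) and then recover_state(outs, D_TRAPDOOR) returns a list containing states[1], the true internal state after the first output, and generate(states[1], 5) reproduces the remaining five outputs exactly. With the real 256-bit curve the attacker has 2^16 candidate x-coordinates per output instead of 4, which is why roughly 32 bytes of generator output are enough to recover the state; without d there is no known shortcut, which is exactly what makes it a trapdoor rather than a plain weakness.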
 

Offline encryptededdy

  • Frequent Contributor
  • **
  • Posts: 358
  • Country: nz
Interesting. I would've expected the secure processor to handle the lockout / retry limit.
 

Offline Decoman

  • Regular Contributor
  • *
  • Posts: 160
  • Country: no
A day later, it looks like this might not be a thing after all. Having said that, what I have learned from years of reading about computer security vulnerabilities is that I like a good scandal. It is refreshing somehow, I will admit. If true, this is/would have been a big deal I think.

Today ZDNet rewrote their entire article (I saved a copy of the old one earlier):
https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/

Old title: "A hacker figured out how to brute force an iPhone passcode"
New title: "Apple pushes back on hacker's iPhone passcode bypass report"

"The researcher later found that passcodes he tested weren't always counted."

Beyond that I don't understand things either way. Something about pins that I don't understand. I'll wait for some more information about that.

It is tempting for me to speculate wildly that Apple somehow changed their iPhones on the fly to cover up a potential backdoor that already existed; however, I guess that would be very silly of me, as I don't even know how mobile phones work with regard to updating, and so I will simply accept that this piece of news might not have been what it seemed to be at first.

Looking forward to seeing some more articles about this.

Hm, I guess I am a little weirded out by how security researchers tend to give an offending company ample time to fix a bug, which doesn't seem to have happened here; the article(s) are shy on details in that regard, I think.
« Last Edit: June 24, 2018, 08:47:33 am by Decoman »
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
Without giving away anything that isn't already in the public domain, I know that this "feature" does in fact exist even up to the current version of the iPhone and iPad. It's not a bug, it's deliberate design by Apple. It's also not too difficult to bypass/disable the automatic lockout period after x number of incorrect attempts.

This is one of the reasons why I keep saying on this forum that your iPhone isn't as secure as you think it is.

Just about every system can be brute forced, this is nothing new. Apple (among others) need to strike a balance between ease-of-use and security. You can't always have it both ways.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 4448
  • Country: nl
Bullshit.
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
Bullshit.

Care to elaborate? Perhaps you know something that the rest of the world doesn't?

It's pretty well known. I know some of the Apple fan-boys will refuse to believe it, but it's nothing new. A quick Google will turn up plenty of results on this subject. Of course the organisations who specialise in this type of work won't tell you how it's done.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 4448
  • Country: nl
Low hanging fruit can't have high monetary value, or everyone will just keep picking it. An iOS exploit has inherent reputational value. If there were low hanging fruit iOS exploits they'd already be known ... with a little more reputation building demonstration than a tweet he had to start hemming and hawing about a day later. You could posit a conspiracy theory where Apple paid him off to make himself look like a fool, but then again that would return the monetary value of the exploit and everyone would stand up to threaten their own demonstration for the pay off.

Your claim makes either Hackers or Apple completely irrational economic actors, which I do not think is likely.
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
Low hanging fruit can't have high monetary value, or everyone will just keep picking it. An iOS exploit has inherent reputational value. If there were low hanging fruit iOS exploits they'd already be known ... with a little more reputation building demonstration than a tweet he had to start hemming and hawing about a day later. You could posit a conspiracy theory where Apple paid him off to make himself look like a fool, but then again that would return the monetary value of the exploit and everyone would stand up to threaten their own demonstration for the pay off.

Your claim makes either Hackers or Apple completely irrational economic actors, which I do not think is likely.

If that's what you want to believe that's fine. All I can say is that the existence of the exploit itself isn't a secret and is very much real and remains to this very day. How it's being achieved is a closely guarded secret and that's why you have companies which charge a huge amount of money for these kinds of products and services (which are only available to select customers, you as an individual cannot purchase them). There are some very very smart individuals working behind the scenes and their skills don't come cheap.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 4448
  • Country: nl
Yes, there are >>100 k$ exploits ... but if every Eastern European with a security research background could find it with a couple of hundred man-hours of research, it wouldn't stay a >>100 k$ exploit for long. Markets don't lie: Apple exploits are hard to find. That's why they don't come cheap.

PS. also Asians I guess, they do well in bug bounty contests.
« Last Edit: June 24, 2018, 11:33:42 pm by Marco »
 

Offline Decoman

  • Regular Contributor
  • *
  • Posts: 160
  • Country: no
I am trying to understand the aftermath of this article and I don't get it.

Both Apple and the hacker seem to say that the iPhone dropped/drops some of the items on the list of password entries bunched up in one big array, as I understand it; however, I could imagine this being some kind of tampering feature, to have the phone locked if you SIMPLY ran a single list once.

But I wonder, what if you had a list so long that it repeated a basic list over and over again? Then presumably it doesn't matter if the iPhone drops/dropped just some of the entries, when, as the article seems to say, you could feed the iPhone a continuous stream of entries as long as they are bunched up in one big stream. Being confused and cynical here, I can at least imagine a backdoor being hidden this way. A "normal" hacker might fail because he only had a single list, while some government agency might have a prepared list of entries that are multiplied and maybe quasi-randomized in some prepared way, so that a device dropping entries doesn't matter if the odds are that the device will successfully run through all password entries, despite dropping the occasional entry.

Am I perhaps misunderstanding something here?



Edit: For fun I am adding this link to another piece of unrelated news I saw today, still related to computer security. Seems there is this kind of news all the damn time. Research showing that the battery in a mobile phone can be used to snoop on the user, as an indirect side-channel attack I guess, which is said to have some limitations.
https://www.theregister.co.uk/2018/06/25/the_battery_is_the_smartphones_ibesti_snitch_boffins/
« Last Edit: June 26, 2018, 07:51:55 am by Decoman »
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
I think 99% of people don't understand the subject matter because they don't have first-hand experience in relation to it.

I personally don't consider it to be a bug or back door, I think it's deliberate. The method and manner that is used to brute force passwords utilises a mechanism which Apple uses internally to service or test its devices. They'd have patched it long ago if this wasn't the case. The fact that they haven't tells me that doing so would lock themselves out of some kind of process(es) that Apple themselves use.

Circumventing the lockout period has been known for a long time; that's old news for those in the industry, yet Apple don't seem to care. Their new version of iOS on face value appears to make this process more difficult by disabling data via the Lightning connector, but don't be so sure that this is the magic fix (see my reasoning above).

As I said long ago, if you think your Apple device is secure, think again. In some aspects it is, very much so, in other ways it fails miserably. But good news, it's unlikely some random with a laptop will be able to use these methods to gain access to your data. Firstly, they would need physical access to your device and secondly, the tools/software/hardware/thingys are not for sale to the general public, no matter how much money you have.
 

Online bd139

  • Super Contributor
  • ***
  • Posts: 12064
  • Country: gb
the tools/software/hardware/thingys are not for sale to the general public, no matter how much money you have.

Doesn't always work out like that...

https://www.kitguru.net/tech-news/featured-tech-news/matthew-wilson/hacker-leaks-the-ios-cracking-tools-that-the-fbi-paid-for/

As a point though, security is about layering. Never rely on one layer of defence or multiple layers of the same method to defend yourself.

As a second point, iOS is still the least risky mobile OS choice as far as security goes. Apple actually have made more headway than anyone else in this department. They fucked up a lot of market pitches recently so they have the privacy and security markets still on their side (me included) so they're going to push for the best outcome where they can.

And as a third point, unless there's a POC in the wild or under embargo, which there isn't here, then it's probably bollocks. You have to run these scenarios and come up with statistical data for it to be valid rather than just claim you have done it. Much like TLBleed etc.
« Last Edit: June 26, 2018, 08:52:29 am by bd139 »
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
Doesn't always work out like that...

https://www.kitguru.net/tech-news/featured-tech-news/matthew-wilson/hacker-leaks-the-ios-cracking-tools-that-the-fbi-paid-for/

As a point though, security is about layering. Never rely on one layer of defence or multiple layers of the same method to defend yourself.

As a second point, iOS is still the least risky mobile OS choice as far as security goes. Apple actually have made more headway than anyone else in this department. They fucked up a lot of market pitches recently so they have the privacy and security markets still on their side (me included) so they're going to push for the best outcome where they can.

And as a third point, unless there's a POC in the wild or under embargo, which there isn't here, then it's probably bollocks. You have to run these scenarios and come up with statistical data for it to be valid rather than just claim you have done it. Much like TLBleed etc.

True. However "900GB of Cellebrite data" means nothing. Even if they managed to get their hands on Cellebrite's software, it would be rendered useless without the accompanying hardware. And while Cellebrite seem to be the market leader, there are others.

I disagree with Apple being the "least risky", however. Sure, for normal everyday uses, you're probably right. But for those using their devices for nefarious purposes or even those who want to protect their privacy, Apple isn't any better than any of the other phones on the market. As I said before, in some ways iOS is more secure, in other ways it fails.

You're also right, I can only claim so much. But certain NDAs and other factors prevent me from talking about anything that isn't publicly known. Dave is one of two people on this forum who can verify my credentials, and even with his previous clearances and background, it's need-to-know.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 4448
  • Country: nl
Circumventing the lockout period has been known for a long time, that's old news for those in the industry

If so it would have become a cheap exploit and any grey hat who wants a job would have simply published it.

PS. since we're talking about economic incentives, Apple has no real incentive to allow any easy to find exploit. Because they will follow the same reasoning as me, any easy to find exploit will end up on the street. If they want to cooperate with the US government they would use something hard to find. Or just hand the design files to the NSA and save them the trouble of wasting money and time for each CPU spin to tamper with it.
« Last Edit: June 26, 2018, 10:47:01 am by Marco »
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
Circumventing the lockout period has been known for a long time, that's old news for those in the industry

If so it would have become a cheap exploit and any grey hat who wants a job would have simply published it.

PS. since we're talking about economic incentives, Apple has no real incentive to allow any easy to find exploit. Because they will follow the same reasoning as me, any easy to find exploit will end up on the street. If they want to cooperate with the US government they would use something hard to find. Or just hand the design files to the NSA and save them the trouble of wasting money and time for each CPU spin to tamper with it.

No one said they were easily found. Just because something has been known for some time, it doesn't make it easily discoverable.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: ch
I think 99% of people don't understand the subject matter because they don't have first-hand experience in relation to it.

I personally don't consider it to be a bug or back door, I think it's deliberate. The method and manner that is used to brute force passwords utilises a mechanism which Apple uses internally to service or test its devices. They'd have patched it long ago if this wasn't the case. The fact that they haven't tells me that doing so would lock themselves out of some kind of process(es) that Apple themselves use.

Circumventing the lockout period has been known for a long time; that's old news for those in the industry, yet Apple don't seem to care. Their new version of iOS on face value appears to make this process more difficult by disabling data via the Lightning connector, but don't be so sure that this is the magic fix (see my reasoning above).

As I said long ago, if you think your Apple device is secure, think again. In some aspects it is, very much so, in other ways it fails miserably. But good news, it's unlikely some random with a laptop will be able to use these methods to gain access to your data. Firstly, they would need physical access to your device and secondly, the tools/software/hardware/thingys are not for sale to the general public, no matter how much money you have.
You seem to be taking as gospel that this supposed exploit is even real. But if it were, we’d have widespread, repeated demos of it. There aren’t.

Given Apple’s public commitment to privacy and security, and the various efforts they’ve already gone to (read the iOS security guide white paper, it’s fascinating), it would make no sense at all for there to be this big a vulnerability on purpose. And the fact that there’s exactly one demo of it, whose veracity is disputed, supports that it doesn’t exist, never mind exists deliberately.

Circumventing the lockout period has been known for a long time, that's old news for those in the industry

If so it would have become a cheap exploit and any grey hat who wants a job would have simply published it.

PS. since we're talking about economic incentives, Apple has no real incentive to allow any easy to find exploit. Because they will follow the same reasoning as me, any easy to find exploit will end up on the street. If they want to cooperate with the US government they would use something hard to find. Or just hand the design files to the NSA and save them the trouble of wasting money and time for each CPU spin to tamper with it.

No one said they were easily found. Just because something has been known for some time, it doesn't make it easily discoverable.
True. But given the nature of this supposed exploit, it stands to reason that it would have been tried in the past.
 

Online bd139

  • Super Contributor
  • ***
  • Posts: 12064
  • Country: gb
Interesting point there. If it was there then they’d know about it. Simple flow analysis methods would reveal this.

There are three credible outcomes:

1. Apple know and are pushing updates out shortly for it and are covering it and the security dude can’t hold his gob shut during embargo period.

2. Security dude is spouting shit or didn’t validate his test cases properly.

3. There is a vulnerability and the security dude has a serious comms problem and apple are lying.

My money is on (2) because it’s the rational answer and there is no evidence to the contrary.

Either way this will have kicked off an internal review at Apple and analysis done. They wouldn’t have replied like they did if they hadn’t done that.
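Added example, not code from any poster here and not Apple's code: a Python model of the two design points argued over in this thread. It covers encryptededdy's expectation that the secure processor, rather than the UI in front of it, owns the lockout/retry counter, and bd139's point that a brute-force claim needs validated test cases and statistics rather than a tweet; Decoman's question about a device dropping entries from a batched list is modelled as a lossy input path. The secure element in the model counts every guess that reaches it, enforces escalating delays and a wipe after ten counted failures, and refuses (without counting) anything that arrives during a delay; the front end may drop guesses before they get there. Assumptions: the delay table and wipe threshold (shaped like the published iOS behaviour, where a wipe is an optional setting, but with figures that are not exact), the drop_rate parameter, the virtual clock, and the passcode '0000'.

```python
"""Toy model of a passcode check whose retry counter lives in a secure element, a
lossy input path in front of it, and the control experiment a brute-force claim
needs before anyone believes it. Constructed model: not Apple's code and not the
real Secure Enclave interface; delay figures and drop behaviour are assumed."""
import random

# Escalating delay (seconds) after the Nth counted failure, and the wipe threshold.
# Shape follows the published iOS behaviour; the exact numbers here are assumed.
DELAY_AFTER = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
WIPE_AT = 10


class Clock:
    """Virtual time so the simulation never sleeps."""
    def __init__(self):
        self.now = 0.0


class SecureElement:
    """Owns both the passcode check and the failure counter. The application
    processor can only ask 'is this right?'; it has no way to touch the counter."""
    def __init__(self, passcode, clock):
        self._passcode, self.clock = passcode, clock
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

    def verify(self, candidate):
        if self.wiped or self.clock.now < self.locked_until:
            return None                      # refused: neither checked nor counted
        if candidate == self._passcode:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= WIPE_AT:
            self.wiped = True                # keys gone; nothing left to brute-force
        elif self.failures in DELAY_AFTER:
            self.locked_until = self.clock.now + DELAY_AFTER[self.failures]
        return False


class LossyFrontEnd:
    """Input layer that forwards a batched stream of guesses to the secure element
    but silently drops a fraction of them (drop_rate is a constructed parameter)."""
    def __init__(self, se, drop_rate, rng):
        self.se, self.drop_rate, self.rng = se, drop_rate, rng

    def feed(self, candidates, patient=False):
        """Yield (index, outcome): True/False/None from the secure element, or the
        string 'dropped'. A patient attacker waits out each enforced delay."""
        for i, c in enumerate(candidates):
            if patient:
                self.se.clock.now = max(self.se.clock.now, self.se.locked_until)
            if self.rng.random() < self.drop_rate:
                yield i, "dropped"           # never reached the secure element
            else:
                yield i, self.se.verify(c)


def run_batch(passcode, position, batch_len, drop_rate, seed=0, patient=False):
    """Plant the real passcode at `position` in a batch of wrong guesses and feed
    the whole batch. Returns (unlocked_at, counted_failures, wiped, seconds)."""
    rng, clock = random.Random(seed), Clock()
    se = SecureElement(passcode, clock)
    batch = [f"{n:04d}" for n in range(1, batch_len + 1)]   # "0001", "0002", ...
    assert passcode not in batch, "toy harness expects a passcode outside the batch"
    batch[position] = passcode
    unlocked_at = None
    for i, outcome in LossyFrontEnd(se, drop_rate, rng).feed(batch, patient):
        if outcome is True:
            unlocked_at = i
            break
    return unlocked_at, se.failures, se.wiped, clock.now


def coverage(drop_rate, trials=50, position=3):
    """Control experiment: fraction of trials in which a passcode planted inside the
    undelayed window actually unlocks. Below 1.0 means guesses are being lost in the
    input path, which is not the same as being tried without being counted."""
    hits = sum(run_batch("0000", position, 20, drop_rate, seed=t)[0] == position
               for t in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("impatient, lossless, answer at 50:", run_batch("0000", 50, 200, 0.0))
    print("patient, lossless, answer at 50:  ", run_batch("0000", 50, 200, 0.0, patient=True))
    print("coverage lossless / 50% drops:", coverage(0.0), coverage(0.5))
```

Two things fall out of the model. Batching guesses into one stream buys nothing against a counter held behind the verify call: the impatient run stops being counted after five failures and the right passcode at position 50 is simply refused, while the patient run burns 5760 virtual seconds to reach a wipe with the right passcode never tested. And coverage() is the check a claim like this needs: a known-correct passcode planted at a fixed position either unlocks or it does not, and a coverage below 1.0 says guesses are being lost somewhere before the counter, not that the counter is being bypassed.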
 

Online james_s

  • Super Contributor
  • ***
  • Posts: 9792
  • Country: us
While I generally like my iPhone, I have observed a slow but steady decline in overall quality over the past several versions of iOS. My old iPhone 4 had iOS 6 and it was very nice, polished, smooth, very rarely had any problems at all. My partner got one with iOS 7 and it was not only hideously ugly but had many inconsistencies and seemed a bit more flaky. My current phone has I think iOS 9 on it and it's quite buggy. Reminders often don't work or get out of sync between what is showing up on the lock screen and what is in the reminder menu. Clearing a reminder sometimes clears it and sometimes simply dismisses it. Repeating reminders sometimes work and sometimes don't. I've had the UI become unresponsive when an incoming call comes in, so I have to wait for it to "wake up" so I can answer the call. The touchscreen is much worse than on the old iPhone 4, often not registering touches, especially in the corner. Not long ago an iOS update was recalled due to some major bug in it. Steve Jobs must be turning in his grave. It's still better than the Android phones I've used, but only marginally so; the difference used to be night and day.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 4448
  • Country: nl
No one said they were easily found. Just because something has been known for some time, it doesn't make it easily discoverable.
"It's also not too difficult to bypass/disable the automatic lockout period after x number of incorrect attempts."
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
No one said they were easily found. Just because something has been known for some time, it doesn't make it easily discoverable.
"It's also not too difficult to bypass/disable the automatic lockout period after x number of incorrect attempts."

Being able to complete the process with ease is quite different from making the discovery in the first place.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 4219
  • Country: ch
Agreed. However, high speed automated passcode brute-forcing would have been one of the first things law enforcement and other would-be intruders, not to mention security researchers, would try.
 

Offline Halcyon

  • Super Contributor
  • ***
  • Posts: 3722
  • Country: au
Agreed. However, high speed automated passcode brute-forcing would have been one of the first things law enforcement and other would-be intruders, not to mention security researchers, would try.

Hi Tooki, I've sent you a PM. Hopefully it might clear up a bit of the mystery.
 

