> There's also a credible rumor that Cellebrite's mechanisms only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.
> The story I hear is that Cellebrite hires ex-Apple engineers and moves them to countries where Apple can't prosecute them under the DMCA or its equivalents.
Crazy if true.
Doesn't this also create a weird incentive problem where the FBI (or any other law enforcement agency) who would normally be tasked with helping Apple with this doesn't actually want to?
Within ten seconds of searching my memory I can think of at least three Israeli companies that are known for researching/hoarding secret zero days and making use of them for large sums of money. Cellebrite, NSO, and Elbit.
The DMCA is not concerned with the security of Apple’s devices or “Secure Enclave” as Apple never said they existed for the sake of protecting copyright - that’s iTMS’s DRM which is entirely unrelated.
I didn’t say it was applicable in this case; however, US copyright laws are enforced over most of the world in one way or another via trade agreements. Basically any deal that the US signs has a clause about respecting US copyright and a mechanism through which to seek grievances.
Relative to the size of its population, Israel has a highly developed electronics engineering related industry. Part of it is related to their state support of domestic defense contractors like IAI and their avionics/radar/C4I equipment. Aside from Cellebrite, there are companies like Ceragon, Alvarion, Radwin, ECI, Telrad, Elbit.
Second hand knowledge: Within international organizations that have worked extensively in the Israel-Lebanon border area it is well known that Israel has pwned most of the Lebanese telecoms and ISPs quite thoroughly. To the extent that Hezbollah started laying its own fiber optic cables.
Specifically, many Israeli tech people (and especially those in defense) seem to be “graduates” of the IDF’s 8200 SIGINT unit, which has close relationships with VCs in both Israel and the US.
> Relative to the size of its population, Israel has a highly developed electronics engineering related industry. Part of it related to their state support of domestic defense contractors ...
It's not due only to Israeli resources. Much of Israel's defense budget comes from the U.S., plus there is much more support, including technology transfer, that isn't provided in cash.
Get over it? It isn't their job to 1. have encyclopedic knowledge of a small and belligerent country and then 2. enforce others to the same standard. No country gets that treatment here.
? Israel's defense budget is about 20 billion these days; the military aid to Israel is about 2.5 billion without special congressional allowances.
Israel’s GDP is ~320 or so billion.
And if you're wondering about the reason for discrepancies from the article above, it's because that one is from 2012: the budget is larger now, and the US dollar has devalued against the Israeli Shekel by 15% since then. In fact, fluctuations of US Foreign Military Financing (FMF) as a portion of the Israeli defense budget are often due to currency exchange as much as anything, since the Israeli budget allocated in local currency is spent locally while the FMF is spent over in the US in dollars.
It's also important to note that the Israeli allocation of the budget does not include FMF or any other aid so when Israel allocates say 18 billion USD equivalent in local currency in the budget that is the amount to which the government will fund the defense ministry, beyond that the defense ministry has it's own internal budget which is funded via the Israeli government budget, FMF as well as any additional revenue streams of defense ministry such as rent, dividends from it's share of now privatized national defense contractors like IWI (form Israeli Military Industries) and IAI etc.
Ok then. I guess Apple's a Chinese company or an Irish Company or a Singaporean company because they have subsidiaries--each with a local CEO--in each of those countries:
Cellebrite itself is an Israeli company, despite being a subsidiary of a Japanese one.
Apple is an American company, but they have foreign subsidiaries like Shazam Entertainment, which is a British company. If Apple Singapore is a full subsidiary, then sure, that's a Singaporean company, but Apple Inc wouldn't be.
No? The law doesn’t prevent the government from searching your property in a wide range of circumstances: e.g. with a warrant, pursuant to a valid arrest, etc. That’s the whole idea of warrants: so there is a controlled way to search private property. The government goes to Israel to defeat technological roadblocks to doing what it’s allowed to do under the law. This technology isn’t being used to break into phones at surprise checkpoints, it’s being used to search phones of people who have been arrested.
Presumably guelo thinks Guantanamo permits the US to do things that would be illegal here. But breaking an iPhone pursuant to a warrant wouldn’t be. Having a warrant (or a suspect in custody) permits the government, by design, to do lots of things that would otherwise be illegal. The government doesn’t need to ship safes to Israel to avoid violating safe cracking laws when searching pursuant to a warrant.
Ah yes, the old “government does X, so I’m going to speculate it also does Y, and it’s up to you to prove otherwise” trick. Arguing on the Internet is so much fun when we get to just make things up.
Come on now, there are literally thousands and thousands of thoroughly documented cases of law enforcement and government agencies violating the law.
The Israel == Guantanamo thing doesn't exactly make sense to me either, but now you're arguing nonsense. Certainly, we all know that the government, including law enforcement, doesn't always follow the law.
That's almost the entire argument for putting any limits on governmental power at all.
(That's not to say we should restrict them from doing this, though; if they can crack a phone, good for them, I suppose. But it's another thing to be concerned about.)
There are thousands of law enforcement agencies in the U.S., handling tens of thousands if not hundreds of thousands of cases each year. If they break the law with respect to a small percentage of those cases, you'll end up with thousands of examples. But with respect to any given thing, statistically, the government is probably not breaking the law.
Here, the "Israel == Guantanamo" thing doesn't make sense if you assume that the government is using the Israeli hacks to break iPhones it has in custody because of a warrant or arrest. You can speculate that the government is stealing peoples' iPhones and breaking into them without a warrant, but it's an actual logical fallacy to point to different things the government is doing to argue that the government is doing this thing too.
But under the DMCA it doesn't matter if the thing you are trying to break the protection for is something you are allowed to do, just the act of breaking the protection is illegal.
The iPhone hacks by their nature require having custody of the physical cell phone for an extended period of time. As far as I know, the government isn’t stealing people's iPhones to search them.
> As far as I know, the government isn’t stealing people's iPhones to search them.
Well, OK, now you know:
The US government seizes phones and laptops, "without showing reasonable suspicion of a crime or getting a judge’s approval", on a regular basis, and has done so for a number of years.
The government is permitted to search anything that crosses the U.S. border. It's a power inherent to nations, which are entities defined by their borders. The founding generation provided for such searches and seizures in the very first session of Congress.
You might not like it, but border searches aren't illegal, and the government doesn't need to go to Israel to do them.
I'm not claiming it's illegal. I'm just arguing that this is a new and serious security concern. You write:
> This technology isn’t being used to break into phones at surprise checkpoints, it’s being used to search phones of people who have been arrested.
and:
> As far as I know, the government isn’t stealing people's iPhones to search them.
That implies it's nothing to worry about if you aren't being arrested, which is wrong.
First, you don't know when this technology is being used. It would be prudent to assume the US government could use this technology on any phone they seize.
Second, even if it's not "stealing" when government agents seize your phone at a border (or yes, at a surprise checkpoint, which they can and do use), from a security standpoint, it's the same thing.
The legality of these searches is not that interesting to me (witch-burning and slavery were legal too). What's interesting is that this new exploit, assuming the story is accurate, allows the government to search the data of phones that they seize.
Why should we worry about that? Because, as we have already established, they seize phones routinely, and not necessarily in conjunction with an arrest or even suspicion of criminality.
Yes, it's legal (in many cases, anyway). But before this new phone-cracking capability, it probably wasn't effective. The security on the Apple iPhone was believed to be good enough to stop such intrusion; now (again, assuming this article is accurate) we know it isn't.
Sure they do, they're familiar with the design. Unless it is completely open source or has been totally reverse engineered (which I doubt), then that is an advantage.
It’s not an advantage, in practice. Writing exploits against iOS is a very scarce skill, and the people who can do this might be slightly more productive if aided by the source, but the reverse isn’t true. Having the source doesn’t teach you anything about finding and exploiting these bugs.
It might seem logical to those unfamiliar with how these hacks work, but consider that such hacks do not depend on the secrecy of the design. Also consider that Apple hires regular software and hardware engineers, who do their best to design a system, and Apple then hires hackers (both internally, as well as external consultants) to find weaknesses in their designs. These weaknesses are then fixed before the product ships, meaning even those who were paid to break it no longer know how. This alone should tell you that people who know the system intimately are not the ones who understand how to break it.
Put another way, if I need to make this product, and there are two candidates I can hire, one person who wrote the software and one who knows nothing about the software but is demonstrably skilled at finding exploits in similar systems, I’ll take the latter in a heartbeat.
I don't know if that's true, but if I had the same power as a government agency, which would allow way higher salaries than Apple's or any other hi tech corporation, that's the first thing I'd attempt to do: find ex/unhappy/disgruntled engineers and offer them 5x pay plus a luxury home and lab in some tropical island.
Also don't forget the hardware. Like with most/all other phone vendors, iPhone chips aren't made in the US; most of the design maybe is, but the chips themselves are not, and finding a Chinese hardware engineer happy to help would be even easier because all he should implement is a covert channel to tunnel sensitive data (passwords?) to a known place. If you have access to the hardware that should be trivial to do: just implement a small undocumented flash memory space anywhere, then when the user taps a password an also undocumented firmware routine (that's hundreds of bytes, very easy to conceal) would add the password to that small memory that can be read only in certain conditions (say connecting power + tapping a bossa rhythm while the phone screen is facing down + disconnecting power - that seems crazy but you get the idea: every sensor is a switch and any switch can be used to enter a code). A few spare kilobytes of memory here and there would allow this and other spying mechanisms, so I wouldn't be surprised at all if some big agency would attack the hardware/firmware rather than the software.
> If you have access to the hardware that should be trivial to do: just implement a small undocumented flash memory space anywhere, then when the user taps a password an also undocumented firmware routine (that's hundreds of bytes, very easy to conceal)
I sincerely apologize for being this blunt, but you clearly have no clue what you’re talking about. Ask anyone who’s shipped any piece of hardware they helped design, let alone a processor, and they won’t be able to answer because they’ll be laughing so hard. Adding persistent hardware based spying like you describe into a design is anything but trivial.
By spying I didn't mean moving multi-megabytes of data or reprogramming a processor. On a PC, stealing passwords can be done by inserting a small uController that acts as a HID device on one side and talks with a USB keyboard on the opposite side. If you hide it in a keyboard and instruct it to record the first two lines one writes just after power on, which are almost always the system username and password, then add them to a flash inside the microcontroller, then it's just a matter of social networking to get the data ("hey, here's a new keyboard, I'll trash the old one for you").
On phones one has to intercept screen taps, which is harder, but if you have access to the hardware and develop its drivers, you very likely can do that before passwords get encrypted. All it needs is a daemon reading taps and comparing them with the virtual keyboard key positions (assuming you don't have access to the virtual key output, which would make it even easier). Once you have that daemon, tell it to read the system load and intercept what the user taps after a long sleep, which will very likely be the device PIN. Want the bank password? Just read what the user taps when there's a bank app in the foreground. I'm sorry for those laughing, but it can be done.
They could also have iOS 11 jailbreak exploits in their possession. iOS 11 was already jailbroken recently and the Project Zero team has also informed Apple of exploits they discovered.
Correct me if I’m wrong but this wouldn’t help? “Unlocking” in the context of the FBI and iPhones always seems to be based around making it possible to brute force a device in their possession, which also means strong passphrases will remain secure. This is an incredibly hostile environment to security; the fact that Apple make it as hard as they do is quite impressive.
There's been a number of ways to bypass a locked iOS device throughout the years[1]. This hardware box worked up until iOS 11 beta[2]. I imagine Cellebrite is using something similar, but gets around the fix Apple released.
These devices allow you to perform a brute force attack.
Jailbreak requires a reboot of the device and after a reboot the encryption key for the useful data on the device is not available. If the device uses a strong passcode (as opposed to a numeric code) it cannot practically be brute forced even if you force the device to allow you to enter many attempts quickly.
This is exactly why I use an XKCD style multi-word password for my phone. TouchID/FaceID keep me from having to enter it a lot and the rapid pressing of the power button to disable it give me convenience without significant compromise.
Good, but do throw a random character in there, otherwise your passphrase is essentially a few characters long in a (larger) alphabet, i.e. a dictionary sorted by most frequently used words. Or at least use some uncommon words.
70^8   = 576480100000000   // 8 chars of upper/lower case, numbers, symbols
4000^4 = 256000000000000   // 4 words pulled from a vocabulary of 4000 words

word      rank
-------   ----
correct   1808
horse     1286
battery   3221
staple    (not in the first 4000)
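The arithmetic in the comment above, carried a step further as an added example (not code from the original thread or from any vendor). It assumes the scenario the thread describes: the attempt limiter is defeated but the data cannot be taken off the device, so every guess still pays the on-device key-derivation cost. The 80 ms per-guess figure is an assumption taken from Apple's published iOS security documentation; the rank table for "correct horse battery staple" is constructed from the comment above, and the search space it models is the one an attacker who enumerates words by frequency rank would face.

```python
import math

# Assumed on-device cost of one passcode attempt once the rate limiter is
# gone. Apple's iOS security documentation says passcode key derivation is
# tuned to take about 80 ms per attempt; treat this as an assumption and
# change it if you are modelling different hardware.
SECONDS_PER_GUESS = 0.08

# Constructed from the comment above: frequency rank of each word in a
# 4000-word list; "staple" is absent, so it costs the whole list.
VOCAB = 4000
RANKS = {"correct": 1808, "horse": 1286, "battery": 3221}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for `length` symbols drawn uniformly from an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a secret chosen uniformly from `space` candidates."""
    return math.log2(space)


def expected_crack_seconds(space: int, seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Expected time to hit a uniformly random secret: half the space, on average."""
    return space / 2 * seconds_per_guess


def ranked_passphrase_space(words, ranks, vocab_size: int) -> int:
    """Search space when the attacker tries words in frequency order.

    A word of rank r is reached after about r guesses for that position, so
    the combined space is the product of the ranks. A word outside the
    attacker's list is charged the full list size, which is optimistic for
    the attacker: in reality they would have to move on to a bigger list.
    """
    total = 1
    for word in words:
        total *= ranks.get(word, vocab_size)
    return total


def report() -> dict:
    """Map a description of each secret to (space, bits, expected seconds)."""
    cases = {
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        "8 chars, 70-symbol alphabet": keyspace(70, 8),
        "4 words, 4000-word vocabulary": keyspace(VOCAB, 4),
        "'correct horse battery staple' by rank": ranked_passphrase_space(
            ["correct", "horse", "battery", "staple"], RANKS, VOCAB),
    }
    return {
        name: (space, entropy_bits(space), expected_crack_seconds(space))
        for name, space in cases.items()
    }


if __name__ == "__main__":
    year = 365 * 86400
    for name, (space, bits, secs) in report().items():
        print(f"{name:42s} {bits:6.1f} bits   ~{secs / year:.3g} years")
```

The two headline numbers reproduce the comment's figures (70^8 is 576480100000000, 4000^4 is 256000000000000). At 80 ms a guess a 6-digit PIN falls in under a day on average, which is why defeating the attempt counter matters, while either of the larger spaces runs to hundreds of thousands of years. The rank-based row shows the poster's caveat: because three of the four words are common, enumerating by frequency shrinks the passphrase's effective space below the uniform 4000^4 estimate; with very common words the shrinkage would be far worse.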
¹https://www.schneier.com/blog/archives/2018/02/cellebrite_un...