Joel Esler wrote:
I say *duh* to the whole thing. Apple has the keys (quite
literally), so why wouldn't they be able to do this?
This has been all over the internet the last few days, and comes up
every now and then. I even wrote up a quick bit about it here
(http://darthnull.org/2013/05/13/apple-forensics-law-enforcement-and-fud/).
I'm sorry for having delayed in responding here, so I'll summarize that
post quickly:
1. Apple has no keys to the data on the device. The encryption keys on
the device are tied to a UID (unique ID) that's burned into the silicon
on the device, and cannot be extracted for offline brute-forcing or
other use. See Apple's "iOS Security" white paper (May and October 2012)
for good technical details.
2. What Apple can do, presumably (this has never been publicly
confirmed, to my knowledge) is boot a device off a trusted external
drive. The boot loader on iOS devices requires a signed boot partition,
but they own the signing key, so it seems obvious they should be able to
do this.
3. If they do boot off an external image, they then get shell-level
access to all unencrypted data on the phone, which is damned near
everything, unfortunately. Of the built-in apps, only Mail (last I read)
uses additional encryption, and some databases (contacts, etc.) need to
remain unencrypted so they can work when the phone is locked. Very few
third-party apps, in my experience, use additional encryption.
4. If Apple wanted to *decrypt* the rest of the data that's protected
with a passcode, they'd need to do passcode brute-forcing, just like
hackers, researchers, and forensics tools have been doing for a long
while. The difference between what we (and forensics tools) can do and
what Apple can do is that Apple has the legitimate external image, while
we just have things that exploit a boot ROM bug in older devices (i.e.,
nothing after iPhone 4).
5. This most recent article didn't tell us a damned thing, other than
"Hey, Apple responds to LEA requests, and they've got a big backlog of
work." Even that is only hearsay, really, a single ATF agent hearing
from a single Apple employee.
6. The article didn't detail what kind of "security bypass" Apple is
capable of attaining, what they usually do, why the backlog is allegedly
so large, etc. If Apple's simply booting off the external drive, that
should only take a matter of minutes, so either they have thousands of
confiscated devices awaiting forensic analysis, or the backlog refers to
actual brute-forcing to get at encrypted data, which may take a lot
longer, depending on the strength of the passcode.
It'd be really great to get a formal explanation from Apple on what they
can and cannot do, forensically, but I doubt they're going to ever do
that.
Bottom line: Use a strong passcode for the device (5-6 or more
alphanumeric characters), and ensure sensitive information is stored in
apps that use additional encryption based on that passcode.
david.
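As an added illustration of points 1 and 4 above (example code, not part of the original post): a toy model of the Data Protection key hierarchy from Apple's white paper, in which the passcode is tangled with a device UID that never leaves the silicon, so a class key cannot be derived off-device and guessing has to run at the hardware's rate. The iteration count, the ~80 ms per guess, the XOR-based key wrap and the sample UID are all constructed assumptions, not Apple's real parameters or algorithms.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the UID burned into the silicon; it is only ever
# used inside derive_class_key(), never exported.
DEVICE_UID = os.urandom(32)
PBKDF2_ITERATIONS = 10_000          # assumed; real hardware calibrates the rate
SECONDS_PER_GUESS = 0.08            # assumed ~80 ms per on-device attempt


def derive_class_key(passcode: str, uid: bytes = DEVICE_UID) -> bytes:
    """Class key = KDF(passcode, UID). Without the UID this cannot be computed,
    which is why the passcode cannot be brute-forced offline on a PC."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, PBKDF2_ITERATIONS)


def wrap_file_key(file_key: bytes, class_key: bytes) -> bytes:
    """Toy key wrap (XOR with an HMAC-derived pad), NOT real AES key wrap."""
    pad = hmac.new(class_key, b"file-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(file_key, pad))


def unwrap_file_key(wrapped: bytes, class_key: bytes) -> bytes:
    return wrap_file_key(wrapped, class_key)   # XOR pad is its own inverse


def worst_case_guess_seconds(alphabet_size: int, length: int,
                             seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Exhaustive on-device search time for a passcode policy."""
    return (alphabet_size ** length) * seconds_per_guess


def policy_comparison() -> dict:
    """Worst-case days for the policies discussed: 4-digit PIN vs. 5- or
    6-character alphanumeric (62 symbols) passcodes."""
    day = 86_400
    return {
        "pin-4":          worst_case_guess_seconds(10, 4) / day,
        "alnum-5":        worst_case_guess_seconds(62, 5) / day,
        "alnum-6":        worst_case_guess_seconds(62, 6) / day,
    }


if __name__ == "__main__":
    ck = derive_class_key("Secr3t")
    fk = os.urandom(32)                       # constructed per-file key
    assert unwrap_file_key(wrap_file_key(fk, ck), ck) == fk
    for policy, days in policy_comparison().items():
        print(f"{policy:>8}: {days:>14.2f} days worst case")
```

A 4-digit PIN falls in under a quarter of an hour at this rate, while six alphanumeric characters take on the order of a century, which is the whole argument for the "bottom line" above.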