Joel Esler wrote:
I say *duh* to the whole thing. Apple has the keys (quite literally), so why wouldn't they able to do this?
This has been all over the internet the last few days, and comes up every now and then. I even wrote up a quick bit about it here (
http://darthnull.org/2013/05/13/apple-forensics-law-enforcement-and-fud/).
I'm sorry for having delayed in responding here, so I'll summarize that post quickly:
1. Apple has no keys to the data on the device. The encryption keys on the device are tied to a UID (unique ID) that's burned into the silicon on the device, and cannot be extracted for offline brute-forcing or other use. See Apple's "iOS Security" white paper (May and October 2012) for good technical details.
2. What Apple can do, presumably (this has never been publicly confirmed, to my knowledge) is boot a device off a trusted external drive. The boot loader on iOS devices requires a signed boot partition, but they own the signing key, so it seems obvious they should be able to do this.
3. If they do boot off an external image, they then get shell-level access to all unencrypted data on the phone, which is damned near everything, unfortunately. Of the built-in apps, only Mail (last I read) uses additional encryption, and some databases (contacts, etc.) need to remain unencrypted so they can work when the phone is locked. Very few 3rd party apps, in my experience, use additional encryption.
4. If Apple wanted to *decrypt* the rest of the data that's protected with a passcode, they'd need to do passcode brute-forcing, just like hackers, researchers, and forensics tools have been doing for a long while. The difference between what we (and forensics tools) can do and what Apple can do is that Apple has the legitimate external image, while we just have things that exploit a boot rom bug in older devices (i.e., nothing after iPhone 4).
5. This most recent article didn't tell us a damned thing, other than "Hey, Apple responds to LEA requests, and they've got a big backlog of work." Even that is only hearsay, really, a single ATF agent hearing from a single Apple employee.
6. The article didn't detail what kind of "security bypass" Apple is capable of attaining, what they usually do, why the backlog is allegedly so large, etc. If Apple's simply booting off the external drive, that should only take a matter of minutes, so either they have thousands of confiscated devices awaiting forensic analysis, or the backlog refers to actual brute-forcing to get at encrypted data, which may take a lot longer, depending on the strength of the passcode.
It'd be really great to get a formal explanation from Apple on what they can and cannot do, forensically, but I doubt they're going to ever do that.
Bottom line: Use a strong passcode for the device (5-6 or more alphanumeric characters), and ensure sensitive information is stored in apps that use additional encryption based on that passcode.
david.
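Added example, not part of the post above: a small estimator that puts the "use a strong passcode" advice into numbers, on the premise the post describes (keys tangled with the silicon UID, so every guess must run on the device). It assumes roughly 0.08 s per attempt, the calibration figure from Apple's "iOS Security" white paper; the passcode classes are constructed for illustration.

```python
# Added example (not code from the original post): rough on-device
# passcode brute-force estimates for a few passcode policies.
# Assumption: one attempt costs ~0.08 s because the per-file keys are
# tangled with the device UID and the KDF is calibrated to that rate
# (figure from Apple's "iOS Security" white paper, not from the post).
PER_ATTEMPT_S = 0.08

# (alphabet size, length) for each policy; constructed for illustration.
PASSCODE_CLASSES = {
    "4-digit PIN":         (10, 4),
    "6-digit PIN":         (10, 6),
    "6-char lower+digits": (36, 6),
    "6-char mixed+digits": (62, 6),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes an exhaustive search must cover."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       per_attempt_s: float = PER_ATTEMPT_S) -> float:
    """Time to exhaust the whole keyspace when every guess runs on-device."""
    return keyspace(alphabet_size, length) * per_attempt_s


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits (one decimal)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def estimate_table(classes=PASSCODE_CLASSES,
                   per_attempt_s: float = PER_ATTEMPT_S) -> dict:
    """Map each policy name to its worst-case exhaustive-search time."""
    return {name: worst_case_seconds(a, n, per_attempt_s)
            for name, (a, n) in classes.items()}


if __name__ == "__main__":
    for name, secs in estimate_table().items():
        # Average case is half the keyspace; worst case is all of it.
        print(f"{name:22s} worst {human(secs):>12s}   avg {human(secs / 2):>12s}")
```

The on-device rate is the point: a 4-digit PIN falls in minutes, while the 6-character alphanumeric passcode the post recommends pushes an exhaustive search into years.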