Re: [Fed-Talk] Charlie Foxtrot for iOS devices in US Government?
- Subject: Re: [Fed-Talk] Charlie Foxtrot for iOS devices in US Government?
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 31 Mar 2016 15:38:30 +0000
- Thread-topic: [Fed-Talk] Charlie Foxtrot for iOS devices in US Government?
Any model that has the A7 CPU or later, I believe. The iOS secure enclave is based on ARM TrustZone, a.k.a. Trusted Execution Environment (TEE). TrustZone was integrated into the A7 chip.
-- T
> -----Original Message-----
> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Marcus, Allan B
> Sent: Thursday, March 31, 2016 10:27 AM
> To: Dave Schroeder <email@hidden>
> Cc: Apple Fed-Talk List <email@hidden>
> Subject: Re: [Fed-Talk] Charlie Foxtrot for iOS devices in US Government?
>
> Thanks. Does anyone know which iPads have the secure enclave?
>
> --
> Thanks,
>
> Allan Marcus
> Los Alamos National Laboratory
> 505-667-5666
> email@hidden
>
> On 3/29/16, 2:02 PM, "Dave Schroeder" <email@hidden> wrote:
>
> >Yes, just using "attacker" in the generic sense.
> >
> >I think the issue here is more that when a device is in an "attacker's"
> physical possession, there are a lot more possible mechanisms of defeat.
> Here, the iPhone 5c and earlier really came from an era when there was a
> different overall priority placed on the security of iOS hardware and
> software, e.g., from government intrusion.
> >
> >So we have a situation where deficiencies or shortcomings in devices
> without the hardware-based security enclave may be susceptible to
> additional attack vectors. It appears that DOD, for example, considers any iOS
> device that has the capability to run iOS 9.x to meet the overall requirements
> for their managed mobility programs.
> >
> >Without knowing the specific attack vector or exactly what was defeated,
> it's difficult to know if it was just the fact that it had a 4-digit PIN, a
> vulnerability in the particular version of iOS 9.x the device was running, a
> deficiency in the iPhone 5c hardware, a more generic flaw, or a combination
> of any/all of the above.
> >
> >I am operating under the assumption that it's likely due to the fact that it's
> 1. older hardware (without HW enclave) and 2. in physical possession. I think
> the main issue is protecting against device loss, and having policies and
> procedures which support quick identification and remote wiping of lost,
> stolen, or misplaced devices.
> >
> >Dave
> >
> >> On Mar 29, 2016, at 2:26 PM, Marcus, Allan B <email@hidden> wrote:
> >>
> >> Of course. In this case the “attacker”, from the perspective of the iPhone,
> was the FBI. They got into the phone rather quickly (once they found people
> that knew what they were doing). It seems the conventional wisdom is that a
> short password combined with an older phone allowed for a relatively easy
> crack. That said, in 3 years our current iPhone 6s will be an “old phone”. I
> wonder if by then firms like Cellebrite will have figured out how to break into
> an iPhone 6s.
> >>
> >> I’m just looking for lessons learned here. We manage our devices and
> require an 8 character complex password and we allow TouchID. Sure, I know
> TouchID can be spoofed, but there is the two day timeout to contend with.
> I’m just wondering if even an 8 character complex password is sufficient on
> “older” devices? Also, what constitutes an “older” iPad?
> >>
> >> --
> >> Thanks,
> >>
> >> Allan Marcus
> >> Los Alamos National Laboratory
> >> 505-667-5666
> >> email@hidden
> >>
> >> On 3/29/16, 12:21 PM, "Dave Schroeder" <email@hidden> wrote:
> >>
> >>> I can tell you that DOD, for its part, considers any/all iOS devices capable
> of running iOS 9.x -- even including the older devices -- to be "safe", when
> properly managed.*
> >>>
> >>> My own personal opinion is that the biggest challenge with mobile
> devices, even with encryption and so on, is losing them, or an attacker
> gaining physical access to devices.
> >>>
> >>> Dave
> >>>
> >>> * This implies things like enrollment in MDM, PIN/passcode
> enforcement, etc.
> >>>
> >>>> On Mar 29, 2016, at 1:03 PM, Marcus, Allan B <email@hidden> wrote:
> >>>>
> >>>> What iPad versions are "safe", including the Mini?
> >>>>
> >>>>
> >>>> ---
> >>>> Thank you,
> >>>>
> >>>> Allan Marcus
> >>>> Los Alamos National Laboratory
> >>>> 505-667-5666
> >>>> email@hidden
> >>>>
> >>>>
> >>>> From: Dave Schroeder <email@hidden>
> >>>> Date: Tuesday, Mar 29, 2016, 9:59 AM
> >>>> To: Marcus, Allan B <email@hidden>
> >>>> Cc: Apple Fed-Talk List <email@hidden>
> >>>> Subject: Re: [Fed-Talk] Charlie Foxtrot for iOS devices in US Government?
> >>>>
> >>>> On Mar 29, 2016, at 10:37 AM, Marcus, Allan B <email@hidden> wrote:
> >>>>
> >>>>> So, the FBI, with the help of a third party (probably Israeli firm
> Cellebrite) seem to have decrypted an older iPhone. Another assumption is
> that the iPhone only had a 4 digit passcode.
> >>>>
> >>>> It wasn't an assumption, for what it's worth; it was openly stated that
> the device had a 4-digit PIN.
> >>>>
> >>>>> Assuming we use 8 character complex passcodes and TouchID, and
> assuming most of our phones are 5s or newer, does the US government have
> anything to worry about here?
> >>>>>
> >>>>> What version of the iPhone and the iPad are “safe” from this type of
> cracking, although it’s a given we don’t know exactly what they did. Anyone
> know anyone in the FBI to get a lessons learned on how to protect Govt. iOS
> devices?
> >>>>
> >>>> Yes. Keep your device patched. Use modern devices (iPhone 5s or 6
> and newer).
> >>>>
> >>>> *** Don't lose your device, or lose physical control of your device. ***
> >>>>
> >>>> DISA/DOD, for instance, doesn't do anything "special" in this regard for
> iOS devices.
> >>>>
> >>>> Dave
> >
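As an added illustration that is not part of the thread, the passcode-space comparison behind the discussion above: a 4-digit PIN versus the 8-character complex passcode the list members require. The per-guess cost is a modelling assumption supplied by the caller, not a figure the thread gives; the policy names and functions are constructed here.

```python
import math
import string

# Alphabet sizes for the passcode classes discussed in the thread.
DIGITS = len(string.digits)                        # 10
ALNUM = len(string.ascii_letters + string.digits)  # 62
COMPLEX = ALNUM + len(string.punctuation)          # 94 (assumed "complex" set)

# Constructed policy table: name -> (length, alphabet size).
POLICIES = {
    "4-digit PIN": (4, DIGITS),
    "6-digit PIN": (6, DIGITS),
    "8-char complex": (8, COMPLEX),
}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passcodes of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy in bits for a uniformly chosen passcode."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int) -> float:
    """An exhaustive guesser succeeds, on average, halfway through the space."""
    return keyspace(length, alphabet_size) / 2


def expected_seconds(length: int, alphabet_size: int, seconds_per_guess: float) -> float:
    """Mean time to recover the passcode at a fixed per-guess cost.

    seconds_per_guess is an assumption: on a device whose rate limiting has
    been defeated it is the key-derivation cost, on a managed device it is
    dominated by the enforced retry delays.
    """
    return expected_guesses(length, alphabet_size) * seconds_per_guess


def compare_policies(seconds_per_guess: float) -> dict:
    """Summarise each policy: keyspace, entropy and mean days to exhaust."""
    report = {}
    for name, (length, alphabet) in POLICIES.items():
        report[name] = {
            "keyspace": keyspace(length, alphabet),
            "bits": round(entropy_bits(length, alphabet), 1),
            "mean_days": expected_seconds(length, alphabet, seconds_per_guess) / 86400,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_policies(0.08).items():  # 80 ms/guess is an assumed figure
        print(f"{name:15s} keyspace={row['keyspace']:.3e} bits={row['bits']:5.1f} days={row['mean_days']:.3g}")
```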