Nicholas Weaver on iPhone Security

Excellent essay:

Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese. But many (perhaps most) users don't configure their phones right. Beyond just waiting for the suspect to unlock his phone, most people either use a weak 4-digit passcode (that can be brute-forced) or use the fingerprint reader (which the officer has a day to force the subject to use).

Furthermore, most iPhones have a lurking security landmine enabled by default: iCloud backup. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages! About the only information of value not included in this backup are the known WiFi networks and the suspect's email, but a suspect's email is a different warrant away anyway.

Finally, there is iMessage, whose "end-to-end" nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage's encryption does not obscure any metadata, and as the saying goes, "the Metadata is the Message". So with a warrant to Apple, the FBI can obtain all the information about every message sent and received except the message contents, including time, IP addresses, recipients, and the presence and size of attachments. Apple can't hide this metadata, because Apple needs to use this metadata to deliver messages.

He explains how Apple could enable surveillance on iMessage and FaceTime:

So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future. A similar modification, adding an FBI key to every request Alice makes for any keys other than her own, enables tapping all messages sent by Alice. There are similar architectural vulnerabilities which enable tapping of "end-to-end secure" FaceTime calls.

There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing. This might explain Apple CEO Tim Cook's somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.

Posted on August 6, 2015 at 6:09 AM • 39 Comments

Comments

Mike Scott • August 6, 2015 6:28 AM

It's not strictly true to say that Apple can't hide iMessage metadata. They certainly need to have the metadata in order to deliver the message, but there's no technical reason why they need to log it or retain it once the message has been sent. They could protect themselves against subpoenas by keeping it in memory only, for only as long as they actually need it.

keiner • August 6, 2015 7:04 AM

A "how-to turn your iphone into a security appliance" always sounds to me like a "how-to turn a piece of shyt into a biological weapon"...

Bardi • August 6, 2015 7:27 AM

I always thought the least government controllable way to send messages would be via an ad hoc bluetooth network, especially during civil unrest. I mean, when I send a file to another, does it really go through any fixed server?

Rusty • August 6, 2015 7:47 AM

@Bardi - it depends on several factors.

Ad-Hoc on its own uses no encryption. At this point, so far as I know there is no recommended way of establishing a secure ad-hoc network. How do you establish that a dynamic key is valid and not a MITM attack?

So if you want to securely exchange data, you have to have keys that each of you can use. Do you maintain encryption keys for everyone you might communicate with? If not, are you encrypting the data you are exchanging? If yes to that, where do you get the keys from? Is that source compromised?

The solution would be to have pre-shared keys for your system and your destination, and some way of exchanging your location on the network as well. That may be a federated xmlpp collection of servers, or something like bonjour to advertise from each system, and some sort of method of transfer that between systems that are not visible to each other directly. How do you validate that only you and the people you want to talk with are going to get that information, and that the FBI won't be providing their own systems in the network to provide those services keyed to force your "encrypted point-to-point" traffic to pass through their server as a decrypted stream because they provided each of you an encrypted point-to-point tunnel to their system?

JD • August 6, 2015 7:58 AM

The bigger issue here, IMHO, is that 99% of people just don't care. The vast majority, myself as an ITSec professional included, jumped at the convenience of the modern devices available in the last 5-10 years, and like developers, thought about security secondary. Now, almost all of us are hooked on at least /some/ tech that would cause a fairly significant disruption to life if we refused use until it was more secure. For those that have a smartphone, of any vendor, if you believe my statement is wrong, try a week without that device at all, or force yourself to use it for ONLY voice calls. Heck, try a day. Most don't even realize how ingrained these, and other, devices have become in our lives, and voting with our dollar isn't much of an option, as it's generally a lesser of evils choice.

Who? • August 6, 2015 8:27 AM

An iPhone is insecure, period. It is not a matter of choosing good passwords. It is a weak device built around a weak operating system. iOS and OS X have a very good foundation in the BSD operating systems, but layers built on top of it are a different matter. Android is not better at all.

In short, corporations do not understand security. They have ignored security for decades, we cannot expect big corporations becoming "security experts" in two years. They lack qualified staff and, when they have good experts they are usually doing other tasks.

Corporations are here for money and, until recently, security did not allow earn money. In fact, security costs money. Don't let me start talking about supposedly secure devices like the blackphone.

The rule number one on security: a secure device that depends on a third party (let us say, a carrier) to protect its information is not secure by definition. Easy.

There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing.

Seriously? It will be the first time the highly democratic and rights aware FISA Court rules against a corporation that wants to avoid its devices become an Emmental cheese by government order.

Alan Kaminsky • August 6, 2015 8:44 AM

@JD -- For those that have a smartphone, of any vendor, if you believe my statement is wrong, try a week without that device at all, or force yourself to use it for ONLY voice calls. Heck, try a day. Most don't even realize how ingrained these, and other, devices have become in our lives, and voting with our dollar isn't much of an option, as it's generally a lesser of evils choice.

Your statement is wrong.

I used to have a smartphone (Android). I got rid of it. Now I have a "dumb" cellphone that I use only for texts and voice calls, and I do very few of those.

I do not miss the smartphone at all.

I could and did vote with my dollar. What I used to pay for one month of smartphone service now gets me an entire year of dumbphone service.

BTW, I am a professor of computer science. I use high tech every day. I am no Luddite. I simply do not agree that smartphones, tablets, etc. are a necessity.

exultant macaroni • August 6, 2015 8:58 AM

@Alan Kaminsky & JD

I agree with Alan. I too have gradually stopped using my cell phone in the last year and a half or so. I still have it (switched off, in a drawer at home) in case I need to do something with it one day, but I haven't used it for months and I can assure you that I don't miss it. In fact, I find it quite liberating to live my life without having my nose stuck to a 5" screen 24-7.

Nicholas Weaver • August 6, 2015 9:16 AM

The key is key transparency (like Signal does, with key fingerprints available for messages and the H(ephemeral-DH-key)->2 words on voice channels).

It doesn't matter if 99% of the population ignores it and doesn't care! The mere presence of a user interface for key transparency is sufficient to eliminate the backdoor problem with the keyserver unless the software itself is also sabotaged (which would be theoretically detectable for anyone capable of doing a forensic analysis of the iMessage software).

Simply put, the possibility of someone verifying (combined with the fact that the likely targets are more likely to verify) is sufficient to make the keyserver backdoor unusable.

It does strike me as strange that Apple hasn't added a particularly apple-ee key transparency option, such as having "view your keys" and "view their keys" as a series of pretty "shot on iPhone6" thumbnails. There is potential for someone to add on key-transparency in iOS9 with the VPN interface: intercept the communications with the key server (using an additional root certificate so the phone accepts it).

Especially since, although I'm NOT A LAWYER, I think the current architecture would actually allow Apple to be compelled under the existing CALEA statute. iMessage and FaceTime are replacements for "telecommunication services" (after all, the original selling point of iMessage is that 'blue doesn't charge you an SMS'), and the encryption exemption is only if the company does not retain the ability to decrypt the messages.

Any lawyer who does want to discuss this further, email me.

@Why?: That is incorrect, and I've been looking at this for a while in developing a hardening guide.

iOS is vastly better than anything else out there overall in terms of system soundness. There is solid sandboxing on applications (which is particularly bad for surveillance malcode), a good and highly user friendly permissions model, the disk encryption appears rock solid, and Apple is really really good about closing privilege escalation exploits because those are jailbreaks. For a typical user, an iOS device is vastly stronger than either a Mac, PC, or Android device.

Look at it this way. Hacking Team went through Android like a hot knife through butter. Under iOS, it's "Doesn't run on iOS8 period, on iOS7 you need to jailbreak the phone".

@Mike Scott: It's unknown how long the metadata is retained (although it needs to be retained at least a week with how delayed delivery works), but even if it is NEVER retained, it can still be proactively obtained and that can't be avoided.
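
The keyserver modification quoted in the post, and the fingerprint comparison that a "view your keys" / "view their keys" interface would make possible, as an added example (not part of the post or of any comment, and not Apple's or Signal's code). `ToyKeyServer`, `compare_views` and the key values are hypothetical names and constructed data used only for illustration.

```python
import hashlib


def fingerprint(keys):
    """Order-independent SHA-256 fingerprint over every public key listed for an account."""
    h = hashlib.sha256()
    for key in sorted(set(keys)):
        h.update(len(key).to_bytes(4, "big"))  # length prefix keeps concatenation unambiguous
        h.update(key)
    return h.hexdigest()


class ToyKeyServer:
    """Hypothetical directory: account name -> set of device public keys."""

    def __init__(self):
        self._devices = {}   # account -> genuine device keys
        self._injected = {}  # account -> extra key shown to every requester except the owner

    def register(self, account, device_key):
        self._devices.setdefault(account, set()).add(device_key)

    def inject(self, account, extra_key):
        # Models the modification described in the essay: an additional key
        # for `account` is presented to everyone but `account`.
        self._injected[account] = extra_key

    def lookup(self, requester, account):
        keys = set(self._devices.get(account, ()))
        if account in self._injected and requester != account:
            keys.add(self._injected[account])
        return keys


def compare_views(owner_view, peer_view):
    """Compare what the owner sees for their own account with what a peer is served.

    This is the check two users perform when they read fingerprints to each
    other over a channel the keyserver does not control.
    """
    owner_view, peer_view = set(owner_view), set(peer_view)
    owner_fp, peer_fp = fingerprint(owner_view), fingerprint(peer_view)
    return {
        "owner_fp": owner_fp,
        "peer_fp": peer_fp,
        "match": owner_fp == peer_fp,
        "unexpected": sorted(peer_view - owner_view),  # keys the owner never registered
        "missing": sorted(owner_view - peer_view),     # owner devices hidden from the peer
    }


# Constructed stand-ins for public keys (not real key material).
ALICE_PHONE = hashlib.sha256(b"constructed: alice phone key").digest()
ALICE_LAPTOP = hashlib.sha256(b"constructed: alice laptop key").digest()
EXTRA_KEY = hashlib.sha256(b"constructed: additional key").digest()


def demo():
    server = ToyKeyServer()
    server.register("alice", ALICE_PHONE)
    server.register("alice", ALICE_LAPTOP)

    # Unmodified server: Alice and Bob see the same key set for Alice.
    before = compare_views(server.lookup("alice", "alice"),
                           server.lookup("bob", "alice"))

    # Modified server: Alice's own view is unchanged, so only a comparison
    # with a peer's view reveals the extra key.
    server.inject("alice", EXTRA_KEY)
    after = compare_views(server.lookup("alice", "alice"),
                          server.lookup("bob", "alice"))
    return before, after


if __name__ == "__main__":
    for label, report in zip(("unmodified", "modified"), demo()):
        print(label, "match:", report["match"],
              "unexpected keys:", [k.hex()[:16] for k in report["unexpected"]])
```

Because the owner's view never changes, the owner cannot detect the extra key alone; the mismatch only appears when one person who checks compares fingerprints with a peer.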

BoppingAround • August 6, 2015 9:34 AM

JD,
> For those that have a smartphone, of any vendor, if you believe my statement is wrong,
> try a week without that device at all, or force yourself to use it for ONLY voice
> calls

A year and something. Maybe more. Probably more. I have never bothered to calculate. Recently I spent a few weeks without any kind of a phone at all.

I'd miss the large portable library that it is. The music player that it is. The simple camera, sometimes. The radio receiver. But I can certainly live without it.

Tim • August 6, 2015 9:51 AM

@Alan K & Macaroni-san

I use a dumb phone, which is off most of the time in the car (with charger), because I am selfish enough to regard it a tool for my convenience, not others. The semi-amusing problem I have is convincing people to use my home phone number, not the cell phone number, and not to send me texts. Most people forget very quickly that my cell phone is never on, because my choice is so unusual nowadays.

K.S. • August 6, 2015 10:13 AM

I am in the same boat, I do have a smartphone, but I intentionally never carry it except on very rare occasions when I anticipate I might need it. I am still waiting for a smartphone that allows me to exert control over the platform. I don't intend committing any crimes, but due to the nature of infosec I do for a living I don't want to be an easy target for railroad in case someone decides it is easier to go after me than fix the problem.

Bob S. • August 6, 2015 10:25 AM

The Cybersecurity Information Sharing Act-CISA is the final nail in constructing the coffin of an electronic mass surveillance society. It will likely pass in the Senate by the end of this month. Besides allowing the government and corporations free access to all cyber data, it grants the corporations permanent immunity for collecting and disbursing it as well as create high barriers to transparency, thus keeping what they do secret.

CISA is the backdoor Mr. Rogers and Comey have been whining about. They will be crying tears of joy soon.

I will be dropping out of commenting here and other places the day it passes. The evidence they will be collecting on all of us may be used at later dates for prosecution for secret or as yet unwritten laws, plus who knows what other dangerous or costly skulduggery.

Someone said it here before, "National Security" trumps everything. Most people don't care.

Bob S. • August 6, 2015 11:22 AM

Update:

McConnell pulled CISA off the floor and the Senate adjourned. We are somewhat safe for another month at least. Everyone, especially Congress, knows what this law will do, despite their lies to the contrary.

It makes all electronic communication wide open for mass surveillance by the government and corporations. The opportunities for profit, power and abuse are immense.

We are targets. Nothing more, nothing less.

SoWhatDidYouExpect • August 6, 2015 12:02 PM

@Alan Kaminsky:

While smart phones are not a necessity, marketing has done a wonderful job at presenting the "impression" of necessity. They start them out young, where cell phones are now allowed in schools (at one time, pagers weren't allowed but now this worse disease is), even to the point of pre-schoolers using the devices to play games (the former kids TV of Saturday mornings) while acting as a babysitter for parents that don't take proper care of their children.

Jump to the end game - most of the collected data on the usage is ultimately worthless when these people become citizens of our eventual 3rd world country and economy. Instead of chip in hand, it will take implanted chip under skin for continued data collection and most of that will still be worthless. Most large data collection efforts such as what we see today eventually fail or become ineffective, as exhibited by the IRS, some government databases, and the simple inability of technology to keep old data up to speed with new uses of that data (cost, storage space, computing power needed, effective analysis, etc.) It may be there won't be enough space on the planet to store it all or enough energy to use any of it for any meaningful purpose.

65535 • August 6, 2015 12:03 PM

@ Nicholas Weaver

“I think the current architecture would actually allow Apple to be compelled under the existing CALEA statute.”

Yes, would agree.

“Apple noted that it now has 92,600 full-time equivalent employees”

http://www.macrumors.com/2014/10/28/apple-2014-annual-report/

How many of those 92,600 employees have relationships with the NSA and/or another spy agency world wide?

The number is above one - but how high is it? I’ll bet a doughnut to dollar that the NSA has pwnd the iPhone and iOS phone. We will have to wait for the next leak to confirm that.

I agree with those posters who can successfully manage their day without an iPhone or “smart phone.” I have not used one in over a year. You are wearing a spy device around. It’s not worth it.

On the legal front, there is some good news.

"A federal appeals court ruled Wednesday that a probable-cause warrant under the Fourth Amendment is required for the police to obtain a suspect's cell-site data."- Arstechnica

http://arstechnica.com/tech-policy/2015/08/warrant-required-for-mobile-phone-location-tracking-us-appeals-court-rules/

Nick P • August 6, 2015 1:07 PM

@ Nicholas Weaver

Another well-written essay and easy for layperson to understand. My only gripe with it is that anyone reading it would've had a misleading idea of how safe or at risk an iPhone is. On same week as your essay, someone posted this disturbing presentation on Apple's many bypasses and weaknesses with questionable justification for existence. After publishing, a number have since been closed. Yet, this whole time, the iPhones could've easily been compromised by FBI or NSA with physical access + tools (eg LEO's). The author also claimed certain data that's less locked-down can still be accessed with his forensic tools.

So, they certainly do a lot more for security but they've been backdoored this whole time. IIRC correctly, Der Spiegel even reported on NSA hitting them via computers they connected to. Could be misremembering on that one, though. Seems to me that trust in them is misplaced if the Five Eyes are in the threat model. However, for the others, they seem to provide more security than most mainstream phones in default configuration. I think, with customization and hardening, that Android can be made more secure from software attack. Yet, I'd like to see that thoroughly pen-tested before I'd believe it.

So I guess my overall question is why do you write as if there weren't half a dozen backdoors in iOS running this whole time? It would seem to turn your trust argument on its head for anyone with access to those. *And* there's the key server thing on top of it. As a specialist in high security, esp countering subversion, these are the kinds of patterns that scream "We're cooperating with snoops" and keep me way the hell away from a product. Comparing your essay to the above, the most believable part is the scenario where the debate is another fake one to boost their image while they cooperate behind the scenes. It's what many U.S. companies did pre-Snowden and what Lavabit was ordered to do. Not paranoid as much as an established M.O. that may or may not apply to Apple's situation.

"Yet setting up a iPhone properly is no easy task and if one desires confidentiality, I think the only role for iMessage is instructing someone how to use Signal."

That was hilarious and a good ending. It's pretty much the template for how I use mainstream, communication services. ;)

Thomas • August 6, 2015 5:11 PM

"Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese."

Remember when the Orion(?) was forced to land in China and the crew kept the doors locked until they had physically destroyed various bits and pieces?
A determined adversary with physical control of a device is a tough opponent!
I doubt a consumer device would withstand $TLA, assuming they want the data on it badly enough.

If nothing else the phone could easily be (hardware-)trojaned and should be considered tainted.
Even if I was sure of the security of the data on the device I might, at best, consider selling the device to $TLA as it's no use to me after they give it back.

@Alan
"I used to have a smartphone (Android). I got rid of it. Now I have a "dumb" cellphone that I use only for texts and voice calls, and I do very few of those."

+1

8782642 • August 6, 2015 7:17 PM

@Bardi and others

I always thought the least government controllable way to send messages would be via an ad hoc bluetooth network, especially during civil unrest. I mean, when I send a file to another, does it really go through any fixed server?

Yes, if it's off the Internet, the government will have a hard time controlling it. They can no longer remotely copy everything from fiber optic cables or dial in IP addresses and start hacking.

PirateBox is a solution. It's a system you can set up to create ad-hoc offline WiFi networks that keep no logs, letting users chat and share files anonymously. Although the WiFi is unencrypted, being offline means the government would have to have agents within range of the WiFi router to do anything harmful, which is highly unlikely. This makes PirateBox good for times of civil unrest or, in the case of western countries, times of civil complacency like now. It's also good for storing and sharing a stash of encryption software installers (Tor/GnuPG/Tails/etc) for when/if the doomsday comes and the government bans it all.

Dirk Praet • August 6, 2015 7:48 PM

@ Nick P.

On same week as your essay, someone posted this disturbing presentation on Apple's many bypasses and weaknesses with questionable justification for existence.

I just read the entire Zdziarski presentation and came close to throwing up. From the summary:

  • There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
  • Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals.
  • Overall, the otherwise great security of iOS has been compromised... by Apple... by design.

Although some of the issues described seem to have been addressed in iOS 8.3, the overall picture is downright appalling, with multiple, seemingly built-in attack surfaces available to TLA's, corporations and criminals alike, both domestic and foreign. @Nicholas' excellent article just adds one more, admittedly reserved only for those agencies with the strongest (legal) leverage over Apple, but almost certainly present by design as well.

As a specialist in high security, esp countering subversion, these are the kinds of patterns that scream "We're cooperating with snoops"

I couldn't agree more.

@ Nicholas Weaver

Have you read the Zdziarski presentation? If so, are you still feeling as comfortable handing over your iPhone to a foreign TLA as you were before?

“I think the current architecture would actually allow Apple to be compelled under the existing CALEA statute.”

Perhaps our host could gently ping one of the EFF lawyers?

@ Alan Kaminsky

(Now) I have a "dumb" cellphone that I use only for texts and voice calls, and I do very few of those.

Same here. A smartphone does however come in quite handy when you're abroad and don't want to carry a tablet or laptop around all the time. For that purpose, I've put myself on the waiting list for a Blackphone 2 a while ago. It's definitely not the perfect solution, but those guys at least seem to be trying to create a communication platform that from a security/privacy vantage sucks less. And they're Switzerland based. Until @Clive & co. come up with something tangible, that's what I prefer for now. And only when needed.

@ 8782642

PirateBox is a solution ...Although the WiFi is unencrypted, ...

Thanks for the link, but in this age, anything unencrypted by definition is not a solution but a problem.

Buck • August 6, 2015 8:00 PM

@Nicholas Weaver

Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese.

While this sounds foolish to me, I can see how it would be perfectly acceptable to most people... The assumptions are:
  • You are not committing any especially heinous crimes
  • You do not possess any intellectual property of greater value than the cost of gaining entry
  • You have yet to succeed in pissing off any sufficiently powerful entities
  • You don't mind that the encrypted contents of your device may be stored in perpetuity until your key has been stolen, and your perfectly innocent & moral communications are no longer deemed as such by society at large
  • Probably more that I have failed to consider here

A PIN that cannot be brute-forced or otherwise deduced is definitely essential to iPhone security in most cases. However, an unknown number of people possess Apple's signing key (through cooperation or outright theft) and can use it to provide you with "security updates" that just so happen to also share your most intimate & private communique...

@65535

I’ll bet a doughnut to dollar that the NSA has pwnd the iPhone and iOS phone. We will have to wait for the next leak to confirm that.

No we won't. Snowden may not have leaked it himself, but it's already out there (at an incredibly low price of $0): DROPOUTJEEP

@Nick P

It would seem to turn your trust argument on its head for anyone with access to those. *And* there's the key server thing on top of it. As a specialist in high security, esp countering subversion, these are the kinds of patterns that scream "We're cooperating with snoops" and keep me way the hell away from a product.

I guess it comes down to a different model of our perceived threat-actors. I have no doubt that Apple works diligently to keep out those that they consider to be malicious. Hasn't worked out too well when you bring iCloud into the picture, but... Seeing as nobody really 'owns' their iPhone, but more 'rents' it from Apple, they undoubtedly have an incredible insight into active threats being exploited in the wild. So, if you have no reason to believe that Apple and friends (or their capable enemies) pose any threat to you, it's probably not such a bad choice.

Contrast this with Google's Android platform, where the patching responsibility is delegated to the handset manufacturers and cellular service providers... As I understand it, the manufacturer has no real incentive to do this, as they would prefer you just purchase new hardware from them. I would have thought that the telcoms had more incentive to keep malware off their networks, but... Since they don't provide timely updates or even notify customers when they observe malicious traffic, I assume it's just easier to let their subscribers absorb the cost of extra bandwidth in the monthly bill. In theory, end-users could apply open-source security updates themselves, but... For various reasons this is not true in practice :-\

Granite • August 6, 2015 8:50 PM

If you notice, there is little to win while criticizing the establishment. Not only could you be ridiculed and labeled a tin foil hatter, but job security (as well as personal/familial security) are real targets from dissent.

Given the current state of affairs, you would be hard pressed to find someone who hasn't thought that maybe the conspiracy theorists (CIA manufactured term to discredit JFK narrative deniers, btw) are right about some things. Example: D posit this out loud, but at least one of the last 25 "lone gunmen" political events crossed your mind as fake/false flag politically motivated with use of patsy? No thinking, rational person would dare believe anything NIST or the apologetic rag, Popular Science's conclusions were on 9/11. That was a coup, and a very successful one at that, considering the sheer volume of propaganda, misdirection, disinfo, and psyops that were employed years before and after.

But peer pressure forces you to ridicule deniers because you daren't broach the topic without doing your own full investigation because - to date - you can't stand behind The official report. No one wants to be suicided, or have bad fortune suddenly befall them, so it is superstition, denial, and fear, and comfort zone attachment that keeps our mouths shut and both eyes blind.

We are all coping like deer in the headlights, as the incremental changes occur exponentially faster and manifest with bemused flagrace. The debate in my head is between moving to Australia vs riding it out here, hopefully dying for a cause alongside family. At this point, people don't laugh at that idea anymore, but OTOH, no one looks down on anyone who fled Germany or Poland before it was too late, either.

I don't claim to know what happened, who did it, why, or how long we have til WW3. But I can safely predict who will be writing our new history books when a winner is crowned. And we will love our new truth, or at least affirm its veracity by saluting daily an oath to it. You won't, however, catch me scoffing at any newcomer who stumbles upon Alex Jones and who takes him at face value for a while. I did. And now I know what controlled opposition is.

I am pretty sure professionals like Bruce are well aware of what is happening and kindly plant mustard seeds (which to a casual reader, gives the impression of naivete or perhaps, toeing the line). These breadcrumbs perhaps alert a subconscious readiness mindset that hopefully most will attain when the time for flight yields to our other instincts. There are so many techniques and counter-ops employed that anyone claiming to make sense of it is just trying to sell you something. But there are members of academe that care as much for their careers as they do humanity, so we must read between the lines, and more importantly, we must do our due diligence in discerning what the motive behind any action is before trusting or accusing. It's predicted that within a couple years most comments and reviews will be paid for by vying interests. Hone your chaff sorting abilities now, soon it will all be wheat.

That said, I welcome your scorn, maybe we can share a laugh 50 years from now over how we let ourselves be duped again by more magic - magic planes, magic box cutters, magic wmd, cell phone calls, steel beans, etc etc Til then, be ye moderate, yay... Even in your moderation.

PS: prob last posting for me too. I've stuck my neck out before and seen the power of government and their network of good ol boys. Rights? Due process? PLAYOFFS????

cynical • August 6, 2015 9:49 PM

I'm skeptical when it comes to iPhone privacy, but there's a recent slew of bad press on Apple security problems accompanied by bear raid on stock. This spells seriousness at stake for the general consumer.

Nick P • August 6, 2015 11:12 PM

@ Dirk Praet

Tangible? Here's you a start. Embedded, hypervisor companies might give you the source under NDA if you want to compile it yourself. Use an Android with a MIPS processor when they come out in 2016-2017 for obscurity benefit as most won't switch. Use WiFi-only handheld as in above guide with a VPN to your own network, a custom box that does the calling local, and software that routes calls through it. Still some hands on work involved but at least you can have a phone that's quite hardened and still open-source.

@ Clive Robinson

Apple never half-asses a key differentiator. That includes batching security FAILS. At least we haven't seen their services fail to check that the password entered matches that which is stored. I recall them doing that on part of Mac OS X Server a while back. After I saw that, I was done with Apple products for security. I mean, the "immune to viruses because we use UNIX and Mach" thing was a clue, too.

Note: I said it before and I'll say it again: Apple should just clean-slate their whole thing with as much API compatibility as they can. They can afford to do it. Android will be only one standing a chance of catching up and it would be a hell of a lot of work due to diversity. Apple keeping their crappy foundations in hardware, firmware, and OS are what's holding them back in both efficiency and security. Smart that they're hardware accelerating certain things but they could do *way* better.

s47tg8n • August 7, 2015 1:36 AM

"There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing. This might explain Apple CEO Tim Cook's somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor."
- Bruce

Wow. If only we had more info. This is the first I've heard of it. Is this rumor posted anywhere else online, or just here?

What exactly are the implications if Apple loses in the FISA court? They're already a PRISM partner, so NSA already has access to Apple's user data (ie. iCloud). What more could the government want? Is this really only about iMessage/Facetime chats and iPhone disk encryption, or is there something more?

Dirk Praet • August 7, 2015 5:44 AM

@ Nick P

Tangible? Here's you a start

I'm familiar with the project, but it's far from ready for prime time. It would also seem that it hasn't been updated in a while. I've been looking into Firefox and Ubuntu Phone too, but found them little appealing.

The current state of affairs is pretty sad. iPhone security is compromised by design, stock Android for all practical purposes a Swiss cheese with carriers and manufacturers paying very little attention to security updates. Although I hadn't gotten my hopes up too high for Windows 10, it's even more disappointing than I had anticipated, and in essence has degenerated into a data collection and advertising platform rather than a general purpose OS. Little reason to think Windows 10 Mobile is going to be any different.

I think that for the time being I'm still going to hold on to my old dumb phone.

Clive Robinson • August 7, 2015 8:13 AM

@ Dirk Praet, Nick P,

> I think that for the time being I'm still going to hold on to my old dumb phone.

Sadly as GCHQ advised UK Prime Minister Margaret Thatcher back in the 1980's mobile phones --and they were really dumb back then-- are a very real security risk in secure areas. Which was why she banned them from many places. Something that remained in force until the likes of Tony Blair decided otherwise for his and his ilk's convenience.

If you read Peter Wright's "Spycatcher" from back then he gave the game away on just what you could do with old POTS audio bandwidth in the way of breaking cipher systems. More recently it's been shown that individual key presses can be recognised in the same audio bandwidth, and all sorts of other audio channel tricks.

Further, your mobile can be used as an 'illuminator' of electronics with data in cables and circuit board traces being cross modulated onto the mobile's transmitted carrier signal. Have a google for non religious etc use of TEMPEST and TEAPOT as well as HIJACK, what you will find whilst mainly speculative will give you further information to think on.

Thus it's best to consider all mobile and cordless phones and some two-way radios etc to be very bad news when in or around a secure area...

Just for fun think of the joys I have dealing with multiple Kw HF transmitters...

Clive Robinson • August 7, 2015 8:23 AM

@ Nick P,

> At least we haven't seen their services fail to check that the password entered matches that which is stored. I recall them doing that on part of Mac OS X Server a while back

Yup they were following Microsoft's lead on that if you remember Win95...

You should also remember "chron" lessons from early *nix where your job would be run with SU privs. Both MS and Apple subsequently made similar errors... Then there was "printing to file" using user selectable print spool areas... Ahh the list of repeats beats the modern "Pop Charts" hands down ;-)

Nymphette Selfie Archive • August 7, 2015 11:49 AM

Since Apple is an Irish company, rather than fighting gagged in a FISA show trial, why not just file a counterclaim in the ICSID? There Regulation 22 requires public registration and pushes for published awards or excerpts. If the US Stasi ever has to make their case in public, we'll all get forensic proof of arbitrary privacy interference, and the world can go to town criminalizing US espionage and sabotage.

Nick P • August 7, 2015 1:08 PM

@ Dirk Praet

Probably a good idea.

@ Clive

Boot into DOS. Type "rename c:\windows\*pwl c:\windows\*zz." How could I forget something I did so often? ;)

Many years later, Apple apparently tried to match that security level.

AppleUser • August 7, 2015 2:31 PM

@s47tg8n Exactly, if iOS is built with backdoors by design and Apple is giving PRISM data to the government, then WHAT MORE COULD THE GOVERNMENT WANT???

65535 • August 7, 2015 6:04 PM

@ Clive

“Worse, there is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.”-malwarebytes

https://blog.malwarebytes.org/mac/2015/08/dyld_print_to_file-exploit-found-in-the-wild/

Wow, good catch Clive!

@ Buck

> No we won't. Snowden may not have leaked it himself, but it's already out there (at an incredibly low price of $0): DROPOUTJEEP

Now, it is coming back into my foggy memory. What a hack and a Zero price. Apple has been pwnd!

Lou Katz • August 8, 2015 7:58 PM

There is another way. Get a dumb phone for calls and texts. Take an old smart phone, remove the SIM (or cancel the service if you have a no-SIM item). Now you can play your music, read your books, surf the web on wi-fi, etc, yet not be tracked (wi-fi off for the extra paranoid).

Kaur Kuut • August 9, 2015 6:50 PM

The author first claims
> Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over

but then goes on to say that
> But many (perhaps most) users don't configure their phones right. [...] use the fingerprint reader (which the officer has a day to force the subject to use).

Has the author actually used an iDevice with a fingerprint reader? The biometrics are encrypted and must be first unlocked with the device password on boot-up. Thus, an iDevice with just a complex password has the same security as an iDevice with a complex password + fingerprint, when turned off.

uh, Mike • September 5, 2015 2:58 PM

FISA forces Apple to provide U.S. Government backdoor. Apple loses market share, which drops to zero outside of the USA. Overseas company (Samsung?) builds phones without backdoors. U.S. Government attempts to classify these phones as munitions. Posse Comitatus gets kicked around. Meanwhile, Apple sues the U.S. Government for restraint of trade and, perhaps even, extortion.

Secure communication technology will soon have to come from the likes of Germany: a nation state that is not part of the British Intelligence Commonwealth.

I wonder if truly secure phones will one day be licensed. We have a constitutional right to weapons, but not to phones.

Americans are under attack by the U.S. Government. Yes, it's true, the battle is waged on more than one front. This is one of them.
