On Apple, Encryption, and Privacy: A Word About Decryption

In February 2016, Apple announced that it would fight the FBI’s court order to break the encryption of the iPhone of one of the San Bernardino attackers. We wrote a blog post on that decision; this is a follow-up to that original piece.

The FBI has revealed that it successfully gained access to the data stored on the infamous iPhone. This was accomplished without (so the story goes) Apple’s help. Assuming this is the case, and that purely technical third-party means were used to break the PIN, we're left with a few questions.

How Was the iPhone Unlocked?

The technical details of exactly how the phone was unlocked remain a secret. Speculation, though, is rife. Was it some kind of firmware or software attack, perhaps? A boot ROM exploit? Bluetooth exploit? An IOKit exploit? Or maybe a hardware attack? Firmware or software seem the most likely vectors, but realistically it’s probably a bit of both. If it was hardware, kudos to the forensic team.

However it was accomplished, the unlock-an-iPhone-5C trick is almost certainly a repeatable process, although the cost-effectiveness could vary depending on the technical details. Which devices are susceptible to the mysterious technique? We'll have to wait and see. From a risk management perspective, it's reasonable to assume that at least the iPhone 5C or maybe even anything with an A6 chip is affected. Physical access is almost certainly required.

Whatever the technique, strong passphrases stand a far better chance of remaining secure compared to 4-digit numeric passcodes. Newer devices such as the iPhone 6 that have a Secure Enclave are less likely to be affected by the technique.

Regardless, the Secure Enclave is not perfect. It's simply software on a chip. Software has bugs, and hackers are pretty good at finding bugs. It wouldn’t be surprising if someone already has 0day for the Secure Enclave.

Implications for the Future

The notion that a company can be compelled by court order to alter an operating system to facilitate government and/or law enforcement backdoors remains untested in a court of law. Because of this, we almost certainly haven't heard the last of court orders of this nature.

As encryption becomes more mainstream and pervasive, law enforcement will continue to petition for increased access to encryption circumvention technology. The FBI vs. Apple case is the tip of the iceberg and more of this type of legal action is almost inevitable.

All of which raises interesting questions, like: Will the public know of such legal actions, or will backdoors be pursued under some kind of gag order or National Security Letter?

What You Can Do

Take reasonable precautions to keep your information secure – use a strong passphrase, keep your phone's software and hardware up to date, and be mindful of the data you store on your electronic devices.


About the author, Carl Livitt

Principal Researcher

Carl Livitt is a Principal Researcher at Bishop Fox. He has decades of experience in mobile and application security, hardware and embedded devices, reverse engineering, and global-scale penetration testing.

Carl is credited with the discovery of many vulnerabilities within both commercial and open-source software. He was brought in as a third-party expert to lead the team that confirmed several security issues with St. Jude Medical implantable devices. His work eventually led to an official communication from the FDA.

Carl has served as a contributing author to Hacking Exposed Web Applications 3rd Edition as well as a technical advisor for Network Security Assessment 1st Edition. He has been interviewed on NPR and quoted in publications including USA Today and eWeek. Carl co-authored the iOS reverse engineering framework iSpy, which was featured at Black Hat USA's Tools Arsenal.
