
Comment Re:You can not find the truth in a legal document (Score 5, Informative) 129

Have you read what the court order to Apple says? Actually says? I have read the actual court order.

It says:

1) It will bypass or disable the auto-erase function.
2) It will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available.
3) It will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by hardware.
4) They are to provide a signed iPhone software file that can be loaded onto the device and run from RAM without modifying the iOS installation on the actual phone, the user data, or system partitions on the device's flash memory.

Source: http://www.ndaa.org/pdf/SB-Sho...

So yes...they are required to allow for electronic entry of the passcode. And they have to write the software in a way that hasn't been done before... without touching the flash memory on the iPhone. You can not run iOS on the phone "from RAM".

This is absolutely a new piece of software that they will likely have to start with. Much more complicated than just "removing a few lines of code".

Comment Re:Just a stunt ... (Score 4, Insightful) 345

It is pretty common that people or businesses are being subpoenaed or ordered by the court to cooperate in a criminal investigation, and little care is given for your interest in the matter.

Subpoenas and court orders to cooperate in investigations have always been along the lines of "come to the courthouse and testify" and "Let us look at your records/books/transaction logs/call logs/records/and any other collection of facts you have within your possession." NEVER has a court order gone so far as to order a company to completely engineer a tool that does not exist.

Drama much? Apple is asked to cooperate in a criminal investigation, at little cost to them (just a few hours of labor), and no cost to their other lawful customers.

I don't care how little or how much it costs, or how long it takes to accomplish. I don't care that they're being compensated for it. It's indentured servitude. They are being forced to apply their trade for the government's benefit with no right to refuse.

Comment Re:All devices require passcode to upgrade? (Score 2) 405

The best way to handle it is to make it an "if the unlock code is provided, then you can update the software of the OS and firmware of the device without wiping the encryption keys. If the unlock code is not provided, then I will let you update the software but first I will wipe the encryption keys." Since the encryption is all done in a hardware chip with its own separate OS and update process, it would not be difficult to accomplish.

Comment Re:Signed updates are fine... (Score 3, Insightful) 401

You can fix that super easily:

Secure enclave will accept software updates in two cases: 1) provide unlock code and keep the encryption key intact. 2) do not provide unlock code and then wipe the encryption key.

This is a secure method of doing it. You can either provide the unlock code and update the firmware of the secure enclave without wiping the device, or you can wipe your device and update the firmware of the secure enclave without the unlock code.

Comment Re:So the vulnerability is the updating mechanism? (Score 1) 401

The article is plain wrong. The article is quoting someone who writes Windows Rootkits for a living. I'm sure his technical expertise is sound, but he's talking about systems he may be unfamiliar with at a deep level.

For the specific hardware in this case, the iPhone 5C, Apple is capable of creating software that they can side load on to the device to bypass the time delays between key entry and key destruction, as ordered by the court. However, they must be in physical possession of the device. As far as I'm aware, there is no mechanism for Apple to push software on to a phone without user intervention.

Apple does have the ability to remotely disable and remove apps from phones. The automatic update process, if turned on and set appropriately, will automatically download the updates, but will not automatically install without user intervention. I have not come across any case that says Apple has the ability to force new software on to an iPhone.

For currently available new hardware (iPhone 5S, 6, and 6S) Apple does not have the ability to unlock the phones without wiping the user space on the phones. Per Apple's own iOS security document (https://www.apple.com/business/docs/iOS_Security_Guide.pdf) the time delays and key destruction are enforced in hardware. Even if you completely compromise the kernel of the iPhone, the secure enclave chip enforces the encryption, time delays and key destruction.

The iOS security document also states that the secure enclave has its own separate protected software update process. You can update the software on the secure enclave in one of two ways: Provide the unlock code and you can update without key destruction, or you can destroy the key and force an update.

Basically, for current gen hardware, Apple actually can say they have zero way to unlock the device, even if they wrote their own software to attempt to do so, even if they completely compromised the software of the device.
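
The two-case update rule described in the comments above (unlock code supplied: update and keep the key; no unlock code: wipe the key, then update), sketched as a small model. This is an added example, not code from the commenter or from Apple; `EnclaveModel`, its method names, the firmware labels and the attempt counter are hypothetical, and verification of the update image's signature is left out of the model.

```python
import hashlib
import hmac
import os
from typing import Optional


class EnclaveModel:
    """Toy model of the update gate described above; not Apple's implementation."""

    def __init__(self, passcode: str, firmware: str = "fw-1 (constructed)"):
        self._uid = os.urandom(32)       # stands in for a device-unique hardware secret
        self._salt = os.urandom(16)
        self._verifier = self._derive(passcode)
        self._data_key = os.urandom(32)  # key protecting user data
        self.firmware = firmware
        self.failed_attempts = 0         # assumed counter, feeds delay/erase logic

    def _derive(self, passcode: str) -> bytes:
        # Tangle the passcode with the device secret so it only verifies on-device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self._salt + self._uid, 10_000)

    def key_intact(self) -> bool:
        return self._data_key is not None

    def update_firmware(self, image: str, passcode: Optional[str] = None) -> str:
        if passcode is None:
            # Case 2: no unlock code, so destroy the key BEFORE new code is accepted.
            self._data_key = None
            self._verifier = None
            self.firmware = image
            return "updated, key wiped"
        ok = (self._verifier is not None and
              hmac.compare_digest(self._derive(passcode), self._verifier))
        if not ok:
            # A wrong code is neither case: no update, no wipe, attempt counted.
            self.failed_attempts += 1
            return "rejected"
        # Case 1: correct unlock code, update and keep the key.
        self.failed_attempts = 0
        self.firmware = image
        return "updated, key kept"
```

The property to check in any real design is the ordering in case 2: the key is gone before the replacement firmware is accepted, so new code never runs alongside the old key without the unlock code.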
