
Comment Re:Why does this matter? (Score 1) 127

Yup, they don't have any Seagate 3TB drives this time around... because they were so bad they ditched them all late last year. Meanwhile, as you mention, the ST4000DM000 (at 2.54% failure, sample size 34k drives) is doing better than the WD drives. The ST4000DX000 stat is not statistically significant, as they don't have many of those drives.

Comment Re:Why does this matter? (Score 3, Insightful) 127

No, it will affect you if you choose to ignore the results and buy a *3TB* Seagate drive.

When will people stop picking stupid manufacturer sides when it comes to drive reliability? It has nothing to do with manufacturers and everything to do with models. *Every* drive maker has put out shitty models that fail in dumb ways, from HGST (ex-IBM)'s DeathStars to Samsung's firmware fail (I still own a bunch of HD204UIs with an unfixed firmware bug that eats data if you dare use SMART self-tests) to Seagate's 3TB failures. Picking manufacturer sides just means you'll get hit whenever they make the next broken drive.

If you actually look at their per-drive stats, you'll see that Seagate's 4TB drive is, so far, *more* reliable than WD's current drives. I have a bunch of those and they're mostly running fine - though I had one drop off the controller last weekend (came back after reboot), first failure in years, I need to look into that. We'll see. Right now, 4TB Seagates seem to be the best bang per buck with decent reliability. Next year it might be another brand/drive.

Comment Re:Apple Watch not fast enough... (Score 4, Interesting) 98

I have no idea what emulator he's using, but it gets the prize for slowest x86 emulator of the year. Windows 95 is *lightweight* compared to anything modern, even under an emulator.

Let's see, quick test here. Samsung Chromebook, which is a dual-core Cortex-A15 (ARMv7) at 1.7GHz. Let's set cpufreq cap to 500MHz (Apple Watch is 520MHz). Install Win95 on a PC under QEMU, copy it over to the Chromebook, compile QEMU (for some reason it's not in the Arch Linux ARM repo...), and boot it up.

Boot time, from qemu launch to desktop and no "hourglass" cursor? 90 seconds. Emulating a PC on a 500MHz ARMv7.

Okay, so the Apple Watch probably uses a lighter weight core than the Cortex-A15 on the Chromebook, but still, that doesn't anywhere near account for this kind of discrepancy. Oh, and QEMU is actually emulating a full 64-bit CPU (which of course Win95 doesn't need).

Comment Re:No hacking required... (Score 1) 286

Actually, there is no EEPROM in the SoC. The ROM firmware is, well, a true mask ROM (the first stage), and the rest is loaded from external NAND flash. It's actually impractical to put EEPROM onto the same chip as a modern high-end SoC: it would be too cost-prohibitive or take too long to develop, because EEPROM needs special processing steps that regular CMOS chips don't. You'll never find EEPROM/Flash on a leading edge, high-end process, it's always older stuff. This is why eFuses and other OTP technologies are used, because some of them can be done without any special processing steps. And why just about any decently powerful device always has a little 8-pin flash chip to hold the firmware next to the main SoC. You only get embedded flash with low-end microcontrollers.

Some (particularly older) OTP chips are just EPROM (one "E") - the kind you erase with UV light - without the UV window. EEPROM is actually UV-erasable too, and one of the things often done to reset security "fuses" in EEPROM-based microcontrollers is to apply UV light in the right spot. Chip designers end up using shield metal above the bits, sometimes not very successfully (I recall one such chip was hacked by putting the light at an angle to get in under the upper metal shield). But this is the realm of lower-end microcontrollers with embedded EEPROM/Flash.

Comment Re:Didn't (Score 1) 286

Currently this is true, but with the oncoming invention and use of quantum computing, a key-recovery attack on 256-bit AES will become trivial.

Nope. Even assuming practical QC is coming, it only halves the practical key size for symmetric ciphers. 256-bit AES becomes as strong as 128-bit AES. You don't need a Universe worth of time then, just the entire power output of the Sun for a few seconds (under impossibly ideal circumstances). Still not going to happen. And that's assuming Landauer's principle applies the same way to qubits, which I'm not even sure it does - qubits might be more expensive to handle energy-wise.

QC breaks (currently in use) asymmetric crypto. It doesn't break symmetric crypto, only weakens it.

Even with 128-bit keys, keep in mind that the largest symmetric key ever broken was a 64-bit key, and that was broken by a large distributed computing project (70k hosts). For QC to break a single 128-bit crypto key (64-bit difficulty in QC), we'd need to have quantum computing power equivalent to that. That's probably half a century away - QC is in its absolute infancy. And that's for a single key. By then we'll all be using 256-bit crypto for everything and it'll be completely moot. I use 128-bit FDE at home for my most important data and I don't feel the least bit insecure. I might switch to 256-bit in a couple years when I upgrade my boxes again and then I'll be set for eternity (unless some catastrophic flaw is discovered in AES).

I'm curious though, why would you just erase the key after 10 attempts? Surely they could just add a full 13-pass erase of all the data, and reset the phone back to factory settings.

The battery wouldn't last long enough for a 13-pass erase of the data. The whole point of FDE with an erasable key is that if you erase the key you don't have to do an actual data wipe. In practice, wiping the key is as good as wiping the data. Breaking that kind of crypto is outside the threat model, and if you can do that, then there are many other things you can do that would break security in other ways. Assuming an attacker can't break AES-256 is perfectly reasonable.
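As an added illustration (not Apple's code, and not written by the commenter), here is a toy model of the key hierarchy described in these replies: a per-device UID key wraps the data-partition key, the PIN is checked against a verifier tangled with that UID key, and ten failures erase the wrapped key rather than the data. The HMAC-SHA256 keystream stands in for AES so the example runs on the Python standard library alone; the PBKDF2 tangling, iteration count, nonce layout and sample plaintext are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed model of "erase the key, not the data" (not Apple's design).
MAX_ATTEMPTS = 10


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks.

    A stand-in for AES so the example needs no third-party library; the same
    call encrypts and decrypts. Real key wrapping should use an authenticated
    mode (this toy has no integrity check).
    """
    out = bytearray()
    for block_index in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_index.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_index * 32:(block_index + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class DeviceModel:
    """A phone whose data-partition key lives only in effaceable, UID-wrapped form."""

    def __init__(self, pin: str, plaintext: bytes = b"user data and metadata"):
        self.uid_key = secrets.token_bytes(32)      # fused at manufacture, never leaves the SoC
        self.nonce = secrets.token_bytes(16)
        fde_key = secrets.token_bytes(32)           # data-partition key, random per device
        # Stored only wrapped under the UID key: the PIN never touches this key directly.
        self.wrapped_fde_key = keystream_xor(self.uid_key, b"wrap" + self.nonce, fde_key)
        # PIN verifier tangled with the UID key, so it cannot be checked off-device (assumption).
        self.pin_salt = secrets.token_bytes(16)
        self.pin_verifier = self._derive(pin)
        self.failed_attempts = 0
        # The external flash holds only ciphertext under the data-partition key.
        self.storage = keystream_xor(fde_key, b"data" + self.nonce, plaintext)

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.uid_key + self.pin_salt, 10_000)

    def unlock(self, pin: str):
        """Return the decrypted partition on success, None otherwise."""
        if self.wrapped_fde_key is None:
            return None                                 # key already erased: data is gone for good
        if not hmac.compare_digest(self._derive(pin), self.pin_verifier):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_ATTEMPTS:
                self.wrapped_fde_key = None             # erase the key, not the data
            return None
        self.failed_attempts = 0
        fde_key = keystream_xor(self.uid_key, b"wrap" + self.nonce, self.wrapped_fde_key)
        return keystream_xor(fde_key, b"data" + self.nonce, self.storage)


if __name__ == "__main__":
    phone = DeviceModel("1234")
    print(phone.unlock("1234"))
    for _ in range(MAX_ATTEMPTS):
        phone.unlock("0000")
    print(phone.unlock("1234"))        # None: the ciphertext is still on flash, but unreadable
```

The point of the model is the last line: after the wrapped key is erased, the correct PIN no longer helps, and the untouched ciphertext on the flash chip is worthless without a key that never existed anywhere but inside the SoC.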

Comment Re:Didn't (Score 1) 286

Or the NSA slipped a back door into the hardware and/or software allowing them access without needing the encryption key.

Unlikely, since Apple designed the chip and it's not manufactured in the US, and Apple controls the software end to end (it's signed).

It's also quite possible the NSA purposefully created a (known only to them) weakness in AES and how it generates "random" numbers to greatly reduce the key space they would need to search.

Unlikely, since AES née Rijndael was designed by two Belgian cryptographers, has no "magic" unexplained numbers (unlike the Dual-EC-DRBG "random" number generator that we know the NSA backdoored, or the ECDSA curves which we suspect they might have), and has been extensively cryptanalyzed. AES doesn't "generate" any random numbers. It's a block cipher.

The NSA isn't some all-powerful entity. They're a bunch of sneaky bastards, but assuming they have backdoors in anything and everything is excessive application of a tinfoil hat. Snowden said so himself: good crypto works. And Apple are a bunch of paranoid bastards.

Comment Re:Didn't (Score 1) 286

Actually, the encryption key that would be erased is the data partition's full disk encryption key (which is not unlocked/decrypted by the PIN, it's unlocked/decrypted internally using the phone's UID key). So even though your PIN only protects user data at a higher level using a separate key (not metadata, and not all files on the phone), once your 10 attempts are gone, the entire data partition's lower level FDE key is wiped and all of it, data and metadata, is as good as gone.

Personally, I think it's perfectly fair to say that a key-recovery attack on 256-bit AES is impossible. Modulo future cryptographic breaks (which are unpredictable), with currently known attacks, you need > 2^254 operations to perform key recovery on 256-bit AES. Assuming that happens at room temperature, Landauer's principle and some back of the envelope math says you'd need the entire power output of every single star in the Milky Way for about as long as the age of the Universe just to count that high, never mind actually try an AES decryption operation. At some point it's just silly to keep talking about things like brute force being "possible but impractical" for certain key sizes. It's impossible, saying otherwise will just confuse people who don't understand the ridiculousness of the numbers involved.
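The back-of-the-envelope math from this comment and the earlier quantum-computing reply, carried through as an added example (my code, not the commenter's). It puts Landauer's limit (k·T·ln 2 per irreversible bit operation) against an energy budget of the Milky Way's light output over the age of the Universe, and applies the Grover halving for symmetric keys. The Milky Way luminosity (about 1e11 Suns) and the 13.8-billion-year age are rounded assumptions; the other constants are standard physical values.

```python
import math

# Physical constants (CODATA / commonly used rounded values).
BOLTZMANN_J_PER_K = 1.380649e-23
ROOM_TEMPERATURE_K = 300.0
SOLAR_LUMINOSITY_W = 3.828e26
# Assumptions for the budget: ~1e11 solar luminosities, 13.8 Gyr in seconds.
MILKY_WAY_LUMINOSITY_W = 1e11 * SOLAR_LUMINOSITY_W
AGE_OF_UNIVERSE_S = 13.8e9 * 365.25 * 86400


def landauer_limit_joules(temperature_k: float = ROOM_TEMPERATURE_K) -> float:
    """Minimum energy to erase one bit of information: k * T * ln 2."""
    return BOLTZMANN_J_PER_K * temperature_k * math.log(2)


def grover_effective_bits(key_bits: int) -> int:
    """Grover's algorithm is a quadratic speedup: 2^n work becomes ~2^(n/2).

    This is the 'QC halves symmetric key strength' rule of thumb; it does not
    apply to the structural breaks QC gives against RSA/ECC.
    """
    return key_bits // 2


def energy_to_count_joules(log2_count: float, temperature_k: float = ROOM_TEMPERATURE_K) -> float:
    """Energy for 2**log2_count irreversible bit operations at the Landauer limit."""
    return 2.0 ** log2_count * landauer_limit_joules(temperature_k)


def galaxy_ages_needed(log2_count: float) -> float:
    """How many 'whole Milky Way for the age of the Universe' budgets counting that high costs."""
    budget_joules = MILKY_WAY_LUMINOSITY_W * AGE_OF_UNIVERSE_S
    return energy_to_count_joules(log2_count) / budget_joules


def log2_ops_affordable(power_w: float, seconds: float, temperature_k: float = ROOM_TEMPERATURE_K) -> float:
    """log2 of how many Landauer-limited bit operations a power source can pay for."""
    return math.log2(power_w * seconds / landauer_limit_joules(temperature_k))


if __name__ == "__main__":
    print("AES-256 under Grover is as strong as", grover_effective_bits(256), "bits")
    print("Counting to 2^254 needs %.1f galaxy-lifetimes of energy" % galaxy_ages_needed(254))
    print("That budget counts to about 2^%.1f" % log2_ops_affordable(MILKY_WAY_LUMINOSITY_W, AGE_OF_UNIVERSE_S))
```

Note what the calculation does and does not say: it is a lower bound on the energy to increment a counter, not to run an AES round, and it assumes every operation is an irreversible bit erasure at room temperature. Lowering the temperature or using reversible logic changes the constant, not the exponent, which is why the conclusion survives generous fudge factors.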

Comment Re:Didn't (Score 1) 286

RAM-resident firmware is still firmware. Ever used a Linux machine? Ever looked in /lib/firmware? All of those are firmware files to be loaded into RAM on various devices that require RAM-resident firmware to run.

Originally I actually used the words software and firmware interchangeably in the article, because the distinction is pretty much moot with devices like the iPhone which blur the line between embedded devices and general purpose computers, but I changed them all to "firmware" for consistency, to avoid confusing someone who doesn't understand the lack of distinction in this context. The old meaning of the term "firmware" in the sense of "something programmed into a ROM" stopped applying once we got devices with re-writable memory like EEPROM and Flash. Now it just means "software for an embedded device" (usually excluding things like apps and other add-ons). It doesn't matter what kind of memory it is stored on. There are devices out there that download their firmware from the Internet every time they boot up. It's still firmware.

If you want to be technically pedantic, what the FBI wants is a custom signed restore ramdisk (and associated iBEC and iBSS to boot it) that can be loaded from DFU mode. My article deliberately avoids going into pointless minutiae about the iPhone's boot process to keep it accessible to a wider audience.

Comment Re:No hacking required... (Score 1) 286

Presumably the UID is written to a memory cell on the SoC using links that open (like a fuse) when a high current is passed through (like the old PROM memories used to).

Ah, this is where it gets fun. There are actually quite a few OTP storage technologies. Fuses, like what you mention, are one. They're not necessarily on top (indeed, they'd usually be on lower, finer pitch layers, since the whole point of a fuse is that it has to be thin), though, so to read them you'd still need to strip off metallization layers, but that's just a matter of a controlled acid bath. It's not really so much about burning/melting the fuse like a traditional macroscopic one: what actually happens is accelerated electromigration of the metal trace due to excessive current density, so it's not driven primarily by temperature and there isn't a need for the fuse to be on top (and no material is emitted, just somewhat scattered outward as the metal migrates). You'd probably need a scanning electron microscope at the densities used in modern chips, but even I have access to one of those, so that's not a huge deal (turns out secondhand SEMs are cheap these days).

However, these days antifuses are common. Those work, broadly speaking, by causing a short circuit across gate oxide in a transistor using excessive voltage, or a similar technology. You can't really read those out trivially because the change is buried in a thin layer somewhere. Can you come up with a process that would make them visible to a SEM? Maybe. This is actually something I'm interested in researching, personally. But it's far from trivial (and I'm relatively clueless about silicon design).

I have no idea what technology Apple used in their SoC, though they're paranoid enough about security that they probably chose something hard to read out.

Comment Re:No hacking required... (Score 1) 286

Those unique keys are probably recorded at the time of manufacture and saved to a DB (against the serial number of the phone or board).

According to Apple, the UID key is generated during manufacturing and not recorded anywhere except on the device itself.

I'd expect the software would filter out touches less than 10ms or so.

Chinese PIN cracking devices for older versions of iOS (exploiting pin attempt counter flaws no longer available) did it via USB. I think it accepts USB HID input or something dumb like that. However, the retry time is dominated by the reboot required after every rollback. So you get 4-5 tries in a few seconds, then 90 or so seconds of waiting for it to reboot. The NAND reset can be instantaneous (for a decently designed emulator), but you still need to reboot the phone. Indeed, as I mention in the blog post, this is practical for 4-digit PINs (days), 5-digit PINs (a month or so), and gets annoying for 6-digit PINs (that's closer to a year, still useful if you really want the data, but not as much).

Comment Re:No hacking required... (Score 1) 286

The NV memory part is also encrypted with a key derived from a unique key fused into the CPU SoC (that is too long to be bruteforceable). To do the attack as you describe, they'd have to take the plastic off of the SoC (not the NV part, you can just pull that off the board and read it), and then use a FIB workstation to modify the metal routing and read off the fused UID key to be able to decrypt the external memory and attempt a PIN bruteforce. I explained this and other attacks here. That attack is technically possible, but unlikely, as it has a high chance of failure and it's very expensive.

What they're likely actually doing is not that. They're probably just reading off the NV (NAND Flash) memory chip, then attaching an emulator to the phone instead, performing 4-5 PIN tries using the phone itself, then rolling back the emulated memory contents and trying again. This doesn't require any silicon-level hacking, just desoldering one chip and instead soldering in a (custom, but not terribly hard to develop) NAND emulator instead.

Comment Re:No device is secure and they may never be so. (Score 1) 286

You got the "magical black box" part right, but you got the rest wrong.

All you have to do is use a passphrase (not a PIN) long enough to not be bruteforceable. Building a 100% secure device that limits the number of attempts at guessing an insecure PIN is impossible. Building a 100% secure device that protects your data using a secure passphrase is trivial: just use good encryption at rest.

Putting data in the cloud, at best, does nothing for you security-wise, and at worst, makes it that much easier to get to. It doesn't matter whether your data is in the cloud or on your phone. What matters is that it is encrypted with strong crypto, and that only you know the key. Then, as long as the crypto isn't broken, your data is safe. No (practical) crypto is "guaranteed" to never be circumvented, but modern crypto algorithms properly implemented are getting pretty close to there being a good chance nobody will ever be able to break them in a practical manner. Only time will tell.

If you want a phone secure against data extraction after being seized, you have two decent options: get an iPhone, or get an Android Nexus phone (anything else is probably not trustworthy, if only because most other manufacturers suck at security). The Nexus line has better data security at rest (it uses full disk encryption), while the iPhone line only encrypts most, but not all, data, and no metadata. In both cases, if you make sure the phone is powered down before it falls into the hands of an attacker, there is just about nothing they can do to get at your data.

Incidentally, we're talking about symmetric crypto here, not asymmetric crypto - quantum computing can implement a practical attack against current common asymmetric crypto algorithms, but not against symmetric crypto.
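An added risk model (my code, not the commenter's) that ties the NAND-emulator reply above to the passphrase advice in this one: it takes the guessing cadence described there (a handful of tries, then a reboot of roughly 90 seconds) as parameters and reports how long exhausting a PIN space takes, next to the bit-strength of a passphrase that does not depend on any retry throttle. The cadence figures (5 tries per batch, 95 seconds per batch) and the 80-bit resistance threshold are assumptions chosen to match the comment's rough numbers.

```python
import math

# Constructed parameters: guesses per rollback batch and seconds per batch
# (a few seconds of tries plus a ~90 s reboot, as described above).
TRIES_PER_BATCH = 5
BATCH_SECONDS = 95.0
SECONDS_PER_DAY = 86400
DIGITS = 10
PRINTABLE_ASCII = 95      # 94 visible characters plus space
RESISTANT_BITS = 80       # assumption: comfortably beyond any online guessing budget


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def worst_case_days(alphabet_size: int, length: int,
                    tries_per_batch: int = TRIES_PER_BATCH,
                    batch_seconds: float = BATCH_SECONDS) -> float:
    """Days to try every value when the counter is rolled back after each batch."""
    batches = math.ceil(alphabet_size ** length / tries_per_batch)
    return batches * batch_seconds / SECONDS_PER_DAY


def expected_days(alphabet_size: int, length: int,
                  tries_per_batch: int = TRIES_PER_BATCH,
                  batch_seconds: float = BATCH_SECONDS) -> float:
    """Average case for a uniformly chosen secret: half the space."""
    return worst_case_days(alphabet_size, length, tries_per_batch, batch_seconds) / 2


def depends_on_throttle(alphabet_size: int, length: int) -> bool:
    """True when the secret is only safe because attempts are limited.

    A PIN is in this class: defeat the attempt counter and the space is small.
    A long passphrase is not: the search space itself is the defence.
    """
    return search_space_bits(alphabet_size, length) < RESISTANT_BITS


def report(alphabet_size: int, length: int) -> dict:
    return {
        "bits": round(search_space_bits(alphabet_size, length), 1),
        "worst_case_days": round(worst_case_days(alphabet_size, length), 1),
        "needs_throttle": depends_on_throttle(alphabet_size, length),
    }


if __name__ == "__main__":
    for length in (4, 5, 6):
        print(f"{length}-digit PIN:", report(DIGITS, length))
    print("16-char passphrase:", report(PRINTABLE_ASCII, 16))
```

Run as-is, the digit rows land on the same scale the comment gives (days for 4 digits, weeks for 5, the better part of a year for 6), while the 16-character passphrase row reports over a hundred bits and a worst-case time that is meaningless to print in days. That is the practical content of "use a passphrase, not a PIN": the PIN's safety is entirely the attempt counter's, and the passphrase's is its own.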
