
Why Apple's iPhone encryption won't stop NSA - todd8
http://siliconexposed.blogspot.com/2014/10/why-apples-iphone-encryption-wont-stop.html
======
peatmoss
I'd like for people to start thinking about security measures, including
encryption, as a cost function rather than as a boolean condition (e.g. safe
vs. unsafe; stop the NSA vs. not stop the NSA). I doubt there is anyone who
can stop the NSA from executing a targeted attack that breaches that
information.

My feeling is that _good_ security measures increase the marginal cost per
person surveilled. As the article points out, there are some kinds of
communications that Apple is obliged to provide access to. Those are likely to
carry low marginal costs per person surveilled, as law enforcement may have
the legal means to directly and unilaterally access that information. Even if
they don't, the capacity for Apple, telecoms, whoever, to operate in "God
mode" with respect to some kinds of communications means that mechanism is a
good target for agencies like the NSA to breach.

By contrast, even flawed technologies like iMessage (centralized key
management) raise the per-person marginal cost by forcing attacks to be
reasonably targeted. While the NSA could probably figure out how to attack
Apple's key management infrastructure to set themselves up with a virtual
iMessage device for an individual, doing so for _all_ the people would, in
principle, be fairly noticeable to Apple.

The more we can instrument technologies that force attacks from "bulk mode" to
"targeted," the better chance we have at actually curbing surveillance. Of
course, this still leaves the panopticon problem--if we accept that targeted
attacks will always be possible, and that any of us _could_ be watched at
roughly any time, the psychological chilling effects of surveillance remain.

~~~
spacefight
Raising the cost hurts the population much more in the long run - we, the
people, pay for the surveillance ourselves. No one else.

We must fight hard so that we don't need to pay that tax any more - money which
flows in large sums directly to the military/industrial complex.

~~~
LeoNatan25
I think you misunderstood the term "cost" as used here.

~~~
peatmoss
Insofar as analyst hours, kWh, computing hardware, etc. can all be converted
to dollars, spacefight and I are talking about comparable units.

And the idea of reducing the cost for intelligence agencies to surveil us to
save money is an interesting one. While I agree that paying more taxes for a
dubiously useful "service" is bad, I disagree that the right response is to
reduce that marginal cost--i.e. be more transparent in the face of government
surveillance. Under a regime of high marginal costs, I'd like to believe that
the NSA would simply be more selective in its targets, rather than be
successful in securing additional funding.

~~~
aftbit
Not to mention, the larger the black budget, the harder it is to hide, and the
more outrage when something like Snowden happens.

------
ggreer
MitM with a 0-day payload? Acid etching and SEM? You would have to be an
extremely high-value target to legitimately worry about this stuff.

The post is attacking a straw man. Apple's iPhone security is meant to address
criminals, mass surveillance, and overzealous law enforcement. They're not
claiming a single phone will withstand the entire resources of the NSA devoted
to breaking it.

~~~
briandh
> The post is attacking a straw man.

It's a straw man, but not _his_ straw man. Pull up popular press articles
about iOS8's disk encryption and you'll find that a disturbing number of them
uncritically claim that it's meant to thwart the NSA. It's been driving me
crazy.

~~~
azonenberg
Exactly. I wrote it to set the record straight: Apple's crypto is intended to
guard against a limited class of attacks, and "the KGB is after me" is not one
of them.

------
jwise0
Although I agree with the premise -- a sufficiently dedicated attacker can
defeat many mechanisms you can come up with to protect your data -- many of
the points that the author makes seem to be based on either incorrect or
implausible assumptions.

For instance, the claim that modern cell protocols can be "silently" MITMed is
not really true; the current known attack to spoof a GSM tower, I believe, is
limited to using some vulnerabilities in older GSM protocols, and may not work
against modern 3G or LTE. And, indeed, the paper cited on a cryptosystem in
GSM 3G being weak enough to pull data off the air does not say that at all: it
simply weakens the cipher, but the conclusion of that paper itself says that
the attack may not be viable for current networks.

The author's view of how the UID works in the Secure Enclave is weak at best,
as well. The article cites the possibility of the "Secure Enclave code being
able to read the UID key"; as comex mentioned yesterday [1], this isn't true.
(I know also that other SoCs work the same way that comex mentions; this is a
common pattern.) The author then goes on to discuss what could be done even if
the key bits were extracted from fuses (an attack that I agree is possible);
he claims a cycle time of 800 per iteration if executed on a CPU, but in
reality, the encryption is done on a dedicated AES engine; I believe a cycle
time closer to 4 per iteration is more likely, giving timescale estimates over
2 orders of magnitude worse than the author suspects.

It's not all bad, though. The author makes at least one _very_ good point:
0day on the device, while it is powered on, could be enough to simply run the
entire device through the onboard crypto. The exploit doesn't need to be
complicated enough to modify the system software permanently -- as long as it
can be used once, that's good enough.

I think the crux of the matter is that this crypto scheme is not _designed_ to
stop the NSA, anyway: it's designed to stop comex and to stop the local
police. If you need an NSA-proof device, you need a much much smaller attack
surface to begin with.

[1]
[https://news.ycombinator.com/item?id=8410819](https://news.ycombinator.com/item?id=8410819)

~~~
jokoon
> I think the crux of the matter is that this crypto scheme is not designed to
> stop the NSA

I think the NSA has so many tools available when it comes to hack into
people's data, it doesn't really matter how you secure yourself, there are
many ways for the NSA to spy on people if they really want to. Right now I
don't think anyone can really pretend to secure their data from the NSA.

It might make it harder for them, but if you really want to hide from the NSA,
I don't think it's really realistic to just be informed about cryptography and
computer security. You would really need to just not use computers at all.

~~~
aftbit
Airgaps and secured physical access are _probably_ good enough.

~~~
stouset
You are only considering technological attacks.

------
DavidAdams
What's often missing from the discussion around Apple's new encryption regime
is that it serves two primary important purposes: it gives privacy-oriented
consumers a little bit of peace of mind about the surveillance state and the
safety of their personal data (a plus for Apple), and it relieves Apple from
having to be involved in routine, low-stakes law enforcement subpoenas and
other requests (a plus for Apple), so it's a double win for Apple to make the
change. Whether or not it actually deters NSA snooping is beside the point.

------
mooneater
If you look at the incentives for Apple in this scenario: it's best for them
if we all think their phones are secure. And it's also best for them if they
don't piss off LEO. So the rational thing for them to do is convince us all
they have strongly encrypted their phones, while continuing to provide some
type of back door, but hiding it well. Parallel construction, etc.

~~~
SoftwareMaven
I can't think of any reason why it's "best" for Apple to keep LEO happy. LEO
don't pay them anything and actively increase the difficulty they face running
their business, as well as reduce the trust the people who do pay them (i.e.
their customers) have for their products, actively hurting their business.

The big fear is that pissing off LEO will result in harmful regulation, and,
while that is certainly possible, history has shown the technology moves
forward regardless. Consider the US trying to prevent the spread of
cryptography. They lost that battle[1], and any government who picks a new
battle will eventually lose it, too.

1. The only injuries in that battle were US companies trying to sell software
overseas because they were forced to include sub-par crypto.

~~~
mooneater
"I can't think of any reason why...": [http://www.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6](http://www.businessinsider.com/the-story-of-joseph-nacchio-and-the-nsa-2013-6)

~~~
adamlett
The amount of money Apple makes from (US) government contracts is utterly
insignificant compared to what they make from selling directly to consumers.
Which revenue stream do you think they would be least likely to gamble with?

------
jsaxton86
Friendly reminder: don't embed images from other people's websites, especially
if you're looking to get on HN/Slashdot/reddit/whatever.

First, it's rude. The owner of the second website has to deal with the burden
of hosting traffic on your site and gets nothing in return. In this case, the
blog kept downloading an image from siliconpr0n.org, effectively DoSing the
website and taking it offline. Horrible. Hopefully tomorrow everything is back
to normal and the owner of siliconpr0n.org isn't stuck with a massive bill
from his host.

Second, there's no guarantee the image will stay online. Maybe the directory
structure on the site will get reorganized or something. Maybe the website
will go offline for good, only to get picked up by a domain squatter. Maybe
the owner of the website will decide to change the direct-linked image to
something else you weren't expecting. You have no idea.

~~~
azonenberg
You're assuming I'm not affiliated with siliconpr0n.

I'm actually one of the main contributors to the site and took a lot of the
photos on it, just not that particular one. John (my friend who actually
admins the server) is fully aware of the situation and just raised the
resource limits to counter the DoS. If either of us uses an image somewhere
that we expect to stay online for a while, we make a point of leaving it in
place when reorganizing directory structures etc.

~~~
jsaxton86
I had no idea, sorry. Most of what I said about direct-linking doesn't apply
if you're affiliated with the website you're direct-linking to.

------
andrewksl
I'm pretty sure Apple never claimed to be able to stop the NSA. Walling off
any obvious back doors both for itself and anyone else that may want access
through said door is not the same as saying that what was once a house is now
a reinforced bank vault.

------
ranty
I'm sorry, but this is just plain wrong.

Let's take "since the key is physically burned in"... You don't need to burn
it in; it could easily be stored in a few bytes of on-die SRAM. As for the
assertion that a de-powered chip can't wipe itself? You can just go out and
_buy_ a self-wiping chip ... you don't need to be either Apple or the NSA,
just have a credit card.

~~~
azonenberg
If the key is kept across a battery replacement or repair procedure, then it's
going to be hard-wired/fused into the chip. SRAM needs to be powered
constantly to retain data.

Credit cards/smartcards include self-destructs that will erase the nonvolatile
memory (flash) in certain cases if power is applied while a tamper signal is
asserted. They cannot erase data while in the "off" state. One of the problems
with fuse-based memory is that it's easier to dump off the silicon than, say,
Flash.

Although I haven't decapped an A7 yet (as soon as I get my hands on one, rest
assured I will) adding flash to an IC fab process is very expensive and adds
somewhere around a dozen new masks, so OTP fuse memory (which doesn't need any
new masks) is typically used instead of flash for on-die ID codes etc.

~~~
ghshephard
Just so I understand - is this process of dumping the keys off the iPhone
typically something that the owner would notice? Is it feasible to take
someone's phone, dump the silicon, and then return the phone to them?

------
sigjuice
[http://xkcd.com/538/](http://xkcd.com/538/)

------
Evolved
What is stopping companies from implementing timers to prevent brute force
attacks? Limit password entry attempts to 3 then if still wrong then wait 1
minute. One more wrong entry then wait 3 minutes then 15 minutes then 1 hour,
4 hours, 8 hours, 24 hours etc.

Doesn't iOS do this if you don't have "erase data after 10 failed attempts"
set?

Why can't all systems have this implemented or is this bypassed another way
which then allows someone to brute force to their heart's content?

~~~
jMyles
1) This article seems to describe actually having physical access to the
device.

2) As for "all systems," if you mean a place where public guessing is possible
(like a web app), then this measure opens up an easy DoS surface. Want someone
not to be able to access their account? Know their email / username? Just burn
up all their 'guesses' and they'll have to wait.

~~~
Evolved
Good points. What do you think about a 2FA-type of setup where if someone
tries this then it sends a message to the device that asks if you are trying
to access something through a webapp and if you say no then it blocks access
until the correct password is entered or until it is accessed from the same
device that previously successfully accessed it on a consistent basis (say 5
times within the past week or month).

Could IP-blocking be implemented or a double timer where if someone tries to
DoS the account by entering too many passwords too quickly then that is also
limited such as trying to submit too many comments to HN too quickly?
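An added example (not code from the thread or from Apple) of the escalating lockout schedule Evolved describes, three free guesses and then 1, 3, 15, 60, 240, 480 and 1440 minute waits, together with the two consequences the subthread argues about: how long an online sweep of a 4-digit code space takes under that schedule, and jMyles's objection that a gate keyed to a public identifier lets a stranger lock the real owner out. The `PasscodeGate` class, its clock argument and the sample codes are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Schedule as proposed in the thread (constructed example): three free attempts,
# then each further failure adds a wait of 1, 3, 15, 60, 240, 480, 1440 minutes.
FREE_ATTEMPTS = 3
DELAYS_MINUTES = [1, 3, 15, 60, 240, 480, 24 * 60]


def delay_after(failures: int) -> int:
    """Seconds of lockout imposed after `failures` consecutive wrong guesses."""
    extra = failures - FREE_ATTEMPTS
    if extra <= 0:
        return 0
    return DELAYS_MINUTES[min(extra, len(DELAYS_MINUTES)) - 1] * 60


@dataclass
class PasscodeGate:
    """Throttled passcode check for one account or device (hypothetical)."""
    secret: str
    failures: int = 0
    locked_until: float = 0.0  # seconds on a clock supplied by the caller

    def attempt(self, guess: str, now: float) -> tuple[bool, float]:
        """Return (accepted, seconds_to_wait). Guesses made during a lockout
        are refused without being compared, so they cannot shorten the wait."""
        if now < self.locked_until:
            return False, self.locked_until - now
        if guess == self.secret:
            self.failures, self.locked_until = 0, 0.0
            return True, 0.0
        self.failures += 1
        wait = delay_after(self.failures)
        self.locked_until = now + wait
        return False, float(wait)


def seconds_to_exhaust(space: int) -> int:
    """Worst-case wall-clock time to try every code in a space of `space` codes
    online: the last guess succeeds, so only `space - 1` failures incur waits."""
    return sum(delay_after(k) for k in range(1, space))


def lockout_by_stranger() -> tuple[bool, float]:
    """jMyles's DoS point: four wrong guesses from anyone who knows the account
    identifier lock the real owner out, even when the owner's code is correct."""
    gate = PasscodeGate(secret="2580")
    for t in range(4):                      # stranger burns the free attempts
        gate.attempt("0000", now=float(t))
    return gate.attempt("2580", now=4.0)    # owner is refused for the remaining wait
```

With this schedule an online sweep of all 10,000 four-digit codes takes about 27 years, which is why the thread's real concern is the attacker who can bypass the gate entirely by reading the key or running guesses through the hardware directly.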

------
frogpelt
I didn't get the impression that Apple was trying to tell us our data was safe
from other people snooping because of their new encryption practices. Instead,
Apple is removing themselves from the list of corporations who are forced to
turn over our data because they no longer have access to it.

In other words, trust Apple not to betray you because they no longer have the
ability. That's the message I think they are trying to send.

------
higherpurpose
I hope Apple's security employees are reading these articles and are already
working on "solutions" to fix the security system's weaknesses that people
like the author of this post or Matthew Green are pointing out.

------
hawleyal
Nobody said it would.

------
Thesaurus
There's a thing called PRISM in case OP forgot. Get this click-bait off of
here.

------
maskedinvader
An interesting read. I would agree with the author: Apple is making it
difficult, not impossible, for govt to get your data. TL;DR: Apple's claim is
misleading; govt can get data in other ways.

~~~
LeoNatan25
How is Apple's claim misleading? The cryptography is sound, and that is the
only thing Apple is "claiming". This article, titled somewhat sensationally as
clickbait, points out valid claims, but they have little to do with Apple's
cryptographic solution.

