
FBI Breaks into iPhone. We Have Some Questions - panarky
https://www.eff.org/deeplinks/2016/03/fbi-breaks-iphone-and-we-have-some-questions
======
abalone
Most likely it's already been fixed.

The iPhone 5C in question uses an A6 processor. It encrypts data by comingling
the passcode with the unique device ID to create a a strong 256-bit key, so
you can't just pull and brute force the flash memory chip. Meanwhile the OS
will wipe the key if you guess a wrong passcode too many times, making the
data forever inaccessible.

However there is one vulnerability with the A6 that some have theorized.[1] If
you could somehow get around the wiping part, you could keep guessing
passcodes. A typical 4 or 6 digit passcode could be guessed in under a day. So
it may be possible to copy the flash memory into a soldered-in test rig that
is effectively wipe-proof. It would restore the contents every time it's
wiped. So that's the best guess I know of for what happened here.

But starting with the A7 Apple added the secure enclave. This now enforces at
the hardware level an escalating time delay with each wrong passcode guess. It
goes all the way up to a one hour delay.[2] That's also where the (unreadable)
unique device ID resides, so there's no swapping out the processor with a rig.
The key is forever wedded to this protection against brute forcing.

That is pretty darn spiffy from a security standpoint. If it works as
designed, about the only hope anyone has of getting at data from an A7 or
later device is through iCloud backups.[3]

[1] [https://www.aclu.org/blog/free-future/one-fbis-major-
claims-...](https://www.aclu.org/blog/free-future/one-fbis-major-claims-
iphone-case-fraudulent) see also
[http://blog.cryptographyengineering.com/2014/10/why-cant-
app...](http://blog.cryptographyengineering.com/2014/10/why-cant-apple-
decrypt-your-iphone.html)

[2]
[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

[3] Either that or some kind of peek into the secure enclave. It's
specifically designed to inhibit this at a hardware level, but perhaps a
nation-state could figure it out (e.g. verrrrry carefully grinding it down
without destroying it and looking at state with an electron microscope).

~~~
cromwellian
I wouldn't assume that nation-state attackers would be thwarted by the Secure
Enclave. Organizations which can deploy taps on undersea fiber optic cables
from nuclear submarines, attack centrifuges deep inside air-gapped underground
nuclear facilities, etc would likely be able to mount the kinds of specialized
attacks needed to break into HW trusted computing models.

Something that is tamper-resistant isn't tamper-proof.

It will likely take some time to develop a capacity to attack these chips, but
it is not impossible in principle nor intractable.

~~~
abalone
Hey, I updated my comment with a footnote on exactly that. Not sure if you saw
it. I agree it may be possible to develop an attack against the secure enclave
with a big enough budget and access to lots of sample chips to practice on.
But keep in mind secure enclaves are designed to self-destruct under these
circumstances, so I almost think it may entail pushing the frontier of
electron microscopy and/or techniques for exposing it that are more delicate
that grinding down the chip.

In other words yes, I'd bet money there's a "secure enclaves" team at the NSA
with a few million bucks to play with. Or teams.

~~~
cromwellian
Another possibility is a tailored-access type attack further upstream the
supply chain. For example, Apple relies on Samsung or TSMC to fab chips. It's
possible the chips could be modified before manufacture, or after, to contain
a flaw. I've read about such attacks demonstrated in principle already. There
was a worry about the Chinese government executing such attacks for example.

One of the downsides of the way global manufacturing works today that there's
so many stages in which components can be intercepted.

You don't know that the device you bought actually consists of unmodified
versions of the components that were part of the original design.

Could the NSA partner with the Korean government and Samsung to put a backdoor
into components? I wouldn't rule it out.

~~~
dogma1138
It would be considerably cheaper to just replicate the ASIC you want to attack
in your own silicon.

The secure enclave isn't so magic it's just a secondary processor that handles
cryptography it has it's own memory to store variable such as failed attempts.

Attacking the SOC might be more complex and expensive but eventually it's
exactly the same as attacking the NAND or any other integrated circuit.

For all we know the NSA could (and most likely does) develop their own in
circuit debuggers for common ASIC/SOC's and just dumps what ever unique values
the target SOC stores and takes a crack at it. This also isn't out of the
realm of possibilities for companies that specialize in in-circuit emulation,
hardware design, and forensics to create as a turn key solution.

~~~
abalone
_> it's exactly the same as attacking the NAND or any other integrated
circuit_

Not really. Secure enclaves have added defenses that NAND does not. They don't
have an API that lets you read their embedded secrets, for instance. You can't
just hook up a debugger.

You'd have to try to get at the state of its transistors with an SEM or
something. But additionally some have physical defenses against delayering
that will self-destruct their contents in the event of a physical compromise.
So while I ultimately agree that a nation-state could potentially craft an
attack against a specific design, you're understating the difficulty.

~~~
dogma1138
Hence why I said it was more complex and expensive if you are going to quote
some one please do so in full. Additionally NAND doesn't have an "API", NAND
mirroring works by desoldering the memory hooking it up to a device and
mirroring it to another chip by flagging the mirroring bit.

There are other ways to attack hardware, you do not need to get a SEM(or AFM
for that matter). Devices that probe transistors on a microscopic level exist
in the industry (e.g.
[http://www.tek.com/sites/tek.com/files/media/document/resour...](http://www.tek.com/sites/tek.com/files/media/document/resources/Probing%20Transistors%20App%20Note.pdf)),
hence the more complex and expensive part.

~~~
abalone
The tool you linked to actually requires an SEM.

Also, you cannot "desolder" the secure enclave and hook it up to a "mirroring"
device. That attack requires the NAND to be encapsulated in a desolder-able
memory chip that supports reading out state. Not the case with a secure
enclave.

~~~
makomk
The NAND is encapsulated in a desolderable memory chip that supports reading
out state. There's an anti-replay counter, but supposedly that's just stored
in another external NOR flash chip with the Secure Element having no onboard
flash storage at all - the process Apple builds their chips on doesn't support
on-chip flash memory even if they wanted it.

~~~
abalone
Interesting. What's your source? Apple's whitepaper suggests otherwise, to my
reading:

 _" The device’s unique ID (UID) and a device group ID (GID) are AES 256-bit
keys fused (UID) or compiled (GID) into the application processor and Secure
Enclave during manufacturing."[1]_

What this says to me is that while rewritable data storage is indeed kept in
regular commodity flash memory chips, it's all encrypted by a unique device-
specific key that _is_ somehow burned into the secure enclave. So that one
little secret kept inside the enclave would allow it to store everything else
off-chip.

[1]
[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

~~~
makomk
That unique device-specific key provides no protection against replay attacks.
So in practice, the newer Apple devices don't appear to provide any more
protection against an attacker with physical access than the one that the FBI
just cracked - they should be able to get everything they were demanding in
their warrant without Apple's help on any iPhone.

~~~
abalone
Maybe I don't understand what you mean by "replay attack" in this context, but
the secure enclave does in fact provide protection against brute forcing
passcodes. It is detailed in Apple's security whitepaper (see p12). Basically,
you have to give the passcode to the secure enclave to get the data decryption
key which is derived from the device-specific key contained therein. And the
enclave enforces time delays between wrong guesses.

If you can envision a procedure for hacking around this I would love to hear
it.

------
chucknelson
Two questions that I still have on this:

(1) Does the public accept that the FBI is even telling the truth on this
(i.e., did they actually "break into" this iPhone)?

(2) If they did gain access to the iPhone's info, was it actually through the
use of a vulnerability, or did they discover some other info that led them to
the passcode?

~~~
koenigdavidmj
And if they gained access, did they have it all along and lie about it all
along? I suspect it is a career-limiting maneuver to prosecute the FBI.

------
yuzi
I've gotten so used to gargantuan lies from both governments and corporations
that worst case scenarios now seem the most likely. It's easy for me to
believe that apple already did the work with an agreement put in place to keep
it all under wraps by having the FBI drop the request.

------
studentrob
> If the FBI used a vulnerability to get into the iPhone in the San Bernardino
> case, the VEP must apply, meaning that there should be a very strong bias in
> favor of informing Apple of the vulnerability. That would allow Apple to fix
> the flaw and protect the security of all its users. We look forward to
> seeing more transparency on this issue as well.

It seems reasonable the FBI could still notify Apple of their method of entry
and then later notify the public in time.

The EFF, as much great work as they do, is showing a bit of impatience here.
Perhaps they feel they have a bone to pick with the government, as the
government seems to feel they have one to pick with tech. Neither party looks
great by leveling such public complaints prematurely.

~~~
dogma1138
The FBI said that they've gained access to the phone via a 3rd party (the 3rd
party (who it was, not that one was used) is unconfirmed, potentially
cellebrite) so most likely they have no way to inform Apple of anything.

Not to mention that if indeed this was a physical attack NAND mirroring or
ASIC replication there isn't really what to inform Apple about.

Apple can't design a chip that wont be borken, all of them including those
which use a secure enclave can be broken by physical attacks.

------
mariodiana
The FBI has shot themselves in the foot on this one, if you ask me.

Let me just say at the outset that I am entirely unsympathetic to the FBI with
respect to the Apple case. I side with Apple unreservedly. But the FBI started
this case because they claimed there was "no other way" to get into the phone.
Then, Lo and behold!, it turns out that there was another way.

The next time the FBI tries this, I think the public reaction will be that the
FBI can find a way, just like they did the last time. In other words, the FBI
is now the Boy Who Cried Wolf.

------
nodesocket
Apparently a 3rd party from Israel
([http://www.cellebrite.com/](http://www.cellebrite.com/) [unconfirmed])
helped the FBI which begs the question, how did they do it? Do they have
universal access to all iOS devices or just this particular device?

If there is a known vulnerability, I'm willing to bet Apple will find it
rather quickly. I'd imagine Apple has engineers pouring over the source code
now.

~~~
BinaryIdiot
It is not known that Cellebrite helped them. The rumors that they did stem
from a contract they have with the FBI that is unrelated.

In fact the contract they have with the FBI doesn't supply anything that can
break into an iOS 9 device so unless they had a separate product line not
included in a contract only two months old it's unlikely it was them.

~~~
dogma1138
Cellebrite has allot of products that aren't advertised directly which are
provided through their CAIS services (and there are also at least additional 2
unlisted service tiers).

They have allot of turnkey solutions for various markets as mobile forensics
is only a part of their portfolio, but quite a few of their forensic services
and products are not publicly listed.

*I worked for an Israeli information security firm that is a research partner and service provider for cellebrite.

------
meritt
It's going to be amusing when Apple tries to sue the FBI under VEP and they're
told pound sand.

~~~
bigiain
It'd make great Apple marketing PR though :-)

Did you see Charlie Stross's speculation that from Apple's end this is all
about them becoming a retail bank via Apple Pay:
[http://www.antipope.org/charlie/blog-
static/2016/03/follow-t...](http://www.antipope.org/charlie/blog-
static/2016/03/follow-the-money-apple-vs-the-.html)

~~~
rashkov
Really interesting article, thanks.

------
sickbeard
It doesn't have to be vulnerability to get around it. I think the EFF is a bit
too eager here, assuming that encryption is absolute when it is far from it.
All encryption gets cracked sooner or later.

------
imh
If the FBI pays a third party to break in, does VEP still apply?

------
nickysielicki
FBI allegedly* breaks into iPhone.

