
Apple Is Said to Be Working on an iPhone Even It Can’t Hack - rquantz
http://www.nytimes.com/2016/02/25/technology/apple-is-said-to-be-working-on-an-iphone-even-it-cant-hack.html
======
tptacek
They're presumably already 99% of the way there. If the Secure Enclave can be
updated on a locked phone, all they need to do is stop allowing that, right?

To me, the more profound consideration is this: if you use a strong
alphanumeric password to unlock your phone, there is nothing Apple has been
able to do for many years to unlock your phone. The AES-XTS key that protects
data on the device is derived from your passcode, via PBKDF2. These devices
were _already_ fenced off from the DOJ, as long as their operators were savvy
about opsec.

~~~
drewcrawford
The real lynchpin here is not hardware, but iCloud. Apple can pull data out of
an iCloud backup, and the only reason the San Bernardino case even got off the
ground is because somebody at the county screwed up and effectively prevented
the backup from occurring.

iCloud backups can be secured so not even Apple can get in them, but it is
fundamentally much harder to secure (can't be hardware-entangled and still
restore to a new device), and it would significantly complicate iCloud
password changes. I'm sure they are working on it, but it is nontrivial.

That (software) problem is the real reason 99% of users are still exposed, as
you say the hardware and secure enclave holes are basically closed.

~~~
cmarschner
Naive question perhaps, but why wouldn't they be able to employ the same
hardware on iCloud as on the phone?

~~~
hollander
Uploading the encrypted content has no value as backup, if you don't have keys
that can decrypt it. If the keys are backed up as well, all security is gone.

~~~
ethbro
Is it that hard to have the phone display an encryption key and have the user
copy it to dead tree?

As above, not a good idea for a default, but don't see why it wouldn't be
technically viable for opt-in protection.

~~~
philipov
The hardware key is designed to be impossible to extract from the device.
That's part of the security, so you can't simply transfer the data to a phone
where protections against brute-forcing the user key have been removed.

~~~
ethbro
> _An_ encryption key

To spell it out (1) request _new_ encryption key from device (let's call it
key4cloud); (2) encryption key generated, displayed for physical logging by
the user, & stored in the secure enclave; (3) all normal backups to iCloud are
now encrypted via key4cloud; (4) user loses phone; (5) user purchases new
phone; (6) new phone downloads data; (7) user enters key4cloud from physical
notes & decrypts backup

Yes, it requires paper and a pencil and user education (hence the opt-in). But
it's also incredibly resistant to "Give us all iCloud data on User Y."

------
cromwellian
Any device that relies on hiding secrets inside the silicon itself is subject
to hacking. Several secure-enclave like chips have been hacked in the past by
using electron microscopes and direct probes on the silicon. If BlackHat
conference independent security researchers have the resources to pull this
off, Apple and the NSA certainly can. Exfiltrating the Enclave UID could be
done by various mechanisms at the chip level, especially if you have access to
the actual HW design and can fab devices to help.

I mean, we're talking about threat models where chip-level doping has been
shown as an attack. This just seems to be a variation on the same claims of
copy protection tamper resistant dongles we've had forever. That someone
builds a secure system that is premised on a secret being held in a tiny
tamper-resistant piece, only the tamper resistance is eventually cracked.

It might even be the case that you don't even need to exfiltrate the UID from
the Enclave, what the FBI needs to do is test a large number of PIN codes
without triggering the backoff timer or wipe. But the wipe mechanism and
backoff timer runs in the application processor, not on the enclave, and so it
is susceptible to cracking attacks the same way many copy protection
techniques are.

You may not need to crack the OS, or even upload a new firmware. You just need
to disable the mechanism that wipes the device and delays how many wrong tries
you get. So for example, if you can manage to corrupt, or patch the part of
the system that does that, then you can try thousands of PINs without worrying
about triggering the timer or wipe, and without needing to upload a whole new
firmware.

I used to crack disk protection on the Commodore 64 and no matter how
sophisticated the mechanism all I really needed to do was figure out one
memory location to insert a NOP into, or change a BNE/BEQ branch destination,
and I was done. Cracking often came down to mutating 1 or 2 bytes in the whole
system.

(BTW, why the downvote? If you think I'm wrong, post a rebuttal)

~~~
tptacek
A couple issues:

* Decapping and feature extraction even from simpler devices is error prone; you can destroy the device in the process. You only get one bite at the apple; you can't "image" the hardware and restore it later. Since the government is always targeting one specific phone, this is a real problem.

* There's no one byte you can write to bypass all the security on an iPhone, because (barring some unknown remanence effect) the protections come from crypto keys that are derived from user input.

* The phone is already using a serious KDF to derive keys, so given a strong passphrase, even if you extract the hardware key that's mixed in with passphrase, recovering the data protection key might still be difficult.

~~~
cromwellian
No, the chief protection against the PIN code hacking comes from the retry
counter. The FBI doesn't need the crypto keys, it just needs the PIN code. So
it needs to brute force about 10,000 PIN codes.

Any mechanism that prevents the application processor from either a)
remembering it incremented the count b) corrupts the count or c) patches the
logic that handles a retry count of 10, is sufficient to attack the phone.

Somewhere in the application processor, code like this is running:

    if (numTries >= MAX_RETRY_ATTEMPTS) { wipe(); }

or

    if (numTries >= MAX_RETRY_ATTEMPTS) { retryTime = retryTime * 2; }

Now there are two possibilities. Either there are redundant checks, or there
aren't. If there aren't redundant checks, all you need to do is corrupt this
code path or memory in a way that prevents its execution, even if it is to
crash the phone and trigger a reboot. Even with 5 minutes between crash reboot
cycles, they could try all 10,000 pins in 34 days.

But you could also use more sophisticated attacks if you know where in RAM
this state is stored. You wouldn't need to de-cap the chip, you could just
use local methods to flip the bits. The iPhone doesn't use ECC RAM, so there
are a number of techniques you could use.

[https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf](https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-630.pdf)

~~~
tptacek
You aren't limited to 10,000 possibilities. You can use an alphanumeric
passphrase. The passphrase is run through PBKDF2 before being mixed with the
device hardware key.

On phones after the 5C, nothing you can do with the AP helps you here; the
10-strikes rule is enforced by the SE, which is a separate piece of hardware.
It's true that if you can flip bits in the SE, you can influence its behavior.
But whatever you do to extract or set bits in SE needs to not cause the SE to
freak out and wipe keys.
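
A worked model of the arguments in the last few comments: a passcode stretched with PBKDF2 and entangled with the device UID, the retry counter that an attacker hopes to sidestep by rebooting, and what is left once the UID is out (only the KDF cost and the size of the passcode space). This is an added example, not code from the page or from Apple; the UID bytes, the iteration count, the per-guess timings and the HMAC entanglement step are all assumptions.

```python
import hashlib
import hmac
import math

# Constructed stand-in for the per-device hardware UID that the thread says is
# fused into the Secure Enclave and cannot be read out. The real value is
# unknowable; any 16 bytes serve to show how the key becomes bound to one device.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")

# Assumed iteration count. Apple calibrates the real one per device; the point
# is only that every guess costs a full PBKDF2 run.
PBKDF2_ITERATIONS = 100_000


def derive_protection_key(passcode: str, device_uid: bytes = DEVICE_UID,
                          iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Model of the passcode -> PBKDF2 -> UID-entangled key chain the thread
    describes. Salting PBKDF2 with the UID and then keying an HMAC with it
    means the same passcode yields a different key on every device. The
    HMAC step is an assumption; Apple's exact construction is not on the page."""
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                                    device_uid, iterations, dklen=32)
    return hmac.new(device_uid, stretched, hashlib.sha256).digest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of the given length."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Guessing entropy of a uniformly chosen passcode from a space."""
    return math.log2(space)


def online_guessing_days(space: int, seconds_per_attempt: float) -> float:
    """cromwellian's model: the retry counter is sidestepped by forcing a
    reboot after every wrong guess, so throughput is one guess per cycle and
    the worst case covers the whole space."""
    return space * seconds_per_attempt / 86_400


def offline_guessing_years(space: int, seconds_per_guess: float) -> float:
    """tptacek's model: even with the UID extracted, each guess still costs a
    full PBKDF2 run; the expected work is half the space."""
    return (space / 2) * seconds_per_guess / (365 * 86_400)


def backoff_total_seconds(wrong_tries: int, max_retry: int,
                          base_delay: float) -> float:
    """Cumulative delay from the doubling rule sketched in the thread,
    `if (numTries >= MAX_RETRY_ATTEMPTS) { retryTime = retryTime * 2; }`,
    applied after each wrong try at or beyond the threshold."""
    total, retry_time = 0.0, base_delay
    for attempt in range(1, wrong_tries + 1):
        if attempt >= max_retry:
            retry_time *= 2
            total += retry_time
    return total


def summary(seconds_per_guess: float = 0.05, reboot_cycle: float = 300.0) -> dict:
    """Side-by-side cost of a 4-digit PIN versus a 10-character alphanumeric
    passphrase under both attack models. Timings are assumptions."""
    pin, phrase = keyspace(10, 4), keyspace(62, 10)
    return {
        "pin_bits": entropy_bits(pin),
        "phrase_bits": entropy_bits(phrase),
        "pin_online_days": online_guessing_days(pin, reboot_cycle),
        "pin_offline_years": offline_guessing_years(pin, seconds_per_guess),
        "phrase_offline_years": offline_guessing_years(phrase, seconds_per_guess),
    }


if __name__ == "__main__":
    key_a = derive_protection_key("1234")
    key_b = derive_protection_key("1234", device_uid=bytes(16))
    print("same passcode, different UID, different key:", key_a != key_b)
    for name, value in summary().items():
        print(f"{name:>22}: {value:,.2f}")
    print("backoff wait after 10 wrong tries (threshold 5, 60 s base):",
          backoff_total_seconds(10, 5, 60.0), "s")
```

The 4-digit PIN reproduces the thread's figure of roughly 34 days at one guess per five-minute reboot cycle and collapses to minutes once guessing is offline, while the passphrase stays out of reach in both models.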

~~~
inopinatus
We can still imagine a state actor spending the megadollars to research a
reliable chip-cloning process, to bring parallel brute-forcing within reach. I
wonder if the NSA have been on a SEM/FIB equipment buying spree lately.

The ultimate way to defeat physical or software attacks is to exploit
intrinsic properties of the universe, which suggests finding a mathematical
and/or quantum structure impervious to both.

~~~
greendestiny_re
Your reply is the kind of comment I come to HN for - we've started off talking
about mobile device security and ended up discussing unbreakable quantum
encryption.

------
geertj
I've been very impressed with what I've learned in the last few weeks
regarding Apple's efforts to provide privacy for its customers using what
seems to be some very robust engineering and design. I'm currently an Android user
(Samsung S6 edge) but am considering seriously going back to the iPhone
because of this.

The cynical side of me says that Apple's marketing tactics have worked. But
I've got a feeling, heck, I _want_ to believe, that this is actually driven by
company values and not a short-term marketing benefit.

~~~
criddell
I wonder if Microsoft came out with Palladium
([https://en.wikipedia.org/wiki/Next-Generation_Secure_Computi...](https://en.wikipedia.org/wiki/Next-Generation_Secure_Computing_Base))
today, if it would be hailed as a great development for privacy or would still
garner lots of criticism as it did 10 years ago.

Of Palladium, Bruce Schneier said:

> "There's a lot of good stuff in Pd, and a lot I like about it. There's also
> a lot I don't like, and am scared of. My fear is that Pd will lead us down a
> road where our computers are no longer our computers, but are instead owned
> by a variety of factions and companies all looking for a piece of our
> wallet. To the extent that Pd facilitates that reality, it's bad for
> society. I don't mind companies selling, renting, or licensing things to me,
> but the loss of the power, reach, and flexibility of the computer is too
> great a price to pay."

I think his fears have come true to some extent in iOS, but knowing what we
know now about government surveillance of everybody, it may no longer seem
like too great a price to pay. That is, if you trust the vendor. Apple seems
to be worthy of that trust. But Microsoft...?

Edit: formatting

~~~
markman
Wait, are you saying you trust Apple yet not Microsoft, or more than?

~~~
criddell
I do trust Apple more than Microsoft.

------
JustSomeNobody
A lot of the comments on that article burn me up. People in the U.S. really
think there's a terrorism problem here. The only problem is that the government
is spending so much money on a non-issue! Politicians love to "debate" it because
they know it is one of those things that looks good to the naive citizens but
they really don't have to do anything because there's nothing to be done.

~~~
ewzimm
What really burns me is that this strategy is so well known. 1984 was written
almost 70 years ago, and yet we have millions of people begging for
persistent, unavoidable surveillance by authorities as part of a never-ending
war with an ambiguous enemy that our own policies are strengthening.

~~~
VladKovac
Referencing 1984 is childish in this context, we're talking about obtaining a
warrant for known suspects or already convicted persons. The enemy isn't
ambiguous, you're purposely muddying their image.

~~~
jzelinskie
I believe the GP was making a generality and not talking about just this
specific scenario. "Terrorism" is an ambiguous enemy and while the number of
deaths to terrorism is disheartening, it pales in comparison to many other
problems (e.g. car accidents or heart disease).

~~~
goldenkey
Let's not forget that because terrorism is ambiguous, our own government can
create mock attacks and blame them on 3rd parties. Furthering their own
agendas. Invoking fear and loathing in the citizens.

------
abalone
It's important to emphasize something: iCloud will always be "backdoored", by
design, and backing up to iCloud is what most users should and will be doing.

The reason iCloud data will always be accessible by Apple, and thus
governments, is not because Apple wants to make it accessible to governments.
It's so that Apple can offer customers the very important feature of accessing
their own data if they forget or otherwise don't have the password. That is an
essential feature, and why this aspect will never change.

When someone passes away, for example, it would be a terrible compounding
tragedy if all their photos from their whole life passed away along with them,
because they didn't tell anyone their password or where they kept the backup
key. So Apple wants and needs to provide an alternative way to recover the
account. (For example, they will provide access to a deceased person's account
if their spouse can obtain a court order proving the death and relationship.)

Harvard recently published a paper (called "Don't Panic") that essentially
states the same.[1] Governments shouldn't "panic" because in most cases,
consumers will not be exclusively using unbreakable encryption, because it has
tradeoffs that aren't always desirable.

And the reason why most consumers should be backing up to iCloud is similar:
that's how you prevent the tragedy of losing your data if you lose your phone.

Just something to keep in mind when discussing the "going dark" and
"unhackable" news items.

It is worth noting however that people who do "have something to hide" from
governments probably won't be using iCloud, if they know what they're doing.
Then again if they know what they're doing, they wouldn't use anything that is
backdoored anyway. So the naive criminals will still probably be hackable, and
that's about all we can hope for.

[1] [https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Pan...](https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf)

~~~
surye
> When someone passes away, for example, it would be a terrible compounding
> tragedy if all their photos from their whole life passed away along with
> them, because they didn't tell anyone their password or where they kept the
> backup key.

Would you really expect Apple to recover the data in this scenario for the
next of kin? I certainly wouldn't, and I wouldn't want them to.

~~~
abalone
I definitely would if it was a regular iCloud Photo Library with decades of
family history, pictures of the kids growing up, etc. Imagine all that being
lost. It's not what most users would want.

If there was something the deceased person truly wanted hidden from their next
of kin, they could use stronger encryption for that. The Notes app, for
example, allows for note-level strong encryption. But it's not an ideal fit
for the more typical use case.

Anyway, they do it.[1]

[1] [http://www.cnet.com/news/widow-says-apple-told-her-to-get-co...](http://www.cnet.com/news/widow-says-apple-told-her-to-get-court-order-to-secure-dead-husbands-password/)

------
kazinator
This is all just theatre. The real motivation is to control the platform: to
ship a piece of hardware that dictates who can install stuff on it, instead of
the traditional hardware that lets you completely overwrite everything in it
if you have physical access.

Since 197X, people had home computers (and institutional computers for two
decades before that) on which the FBI could install anything they want, if
that equipment fell into their hands. This fact never made news headlines; it
was taken for granted that the computer is basically the digital equivalent of
a piece of stationery, written in pencil.

There is nothing wrong with that situation, and on such equipment, you can
secure your _data_ just fine.

No machine can be trusted if it fell under someone's physical access. Here is
a proof: if I get my hands on your device, I can _replace_ it with a
physically identical device which looks exactly like yours, but is actually a
man-in-the-middle (MITM). (I can put the fake device's board into your
original plastic and glass, so it will have the same scratches, wear, grime
pattern and whatever other markings that distinguish the device as yours.) My
fake device will collect the credentials which you enter. Those are
immediately sent to me and I play them against the real device to get in.

Apple are trying to portray themselves as a champion of security, making
clueless users believe that the security of a device rests in the
manufacturer's hands. This could all be in _collaboration_ with the FBI, for
all we know. Two versions of Big Brother are playing the "good guy/bad guy"
routine, so you would trust the good guy, who is basically just one of the
faces of the same thing.

~~~
ksk
> it, instead of the traditional hardware that lets you completely overwrite
> everything in it if you have physical access.

How do you plan to flash all the HDD/USB/Network controllers? Not to mention
the CPU/GPU microcode, and countless other random chips inside your computer
that are executing firmware you have no access to.

We're already hosed. It's just a matter of what's considered a 'reasonable'
barrier.

~~~
kazinator
If I have no access to the firmware, but neither does anyone else, then it's
just a part of the hardware. That is okay.

I don't care whether a given processor is microcoded via a tiny ROM, or
whether it is all hard-wired gates; the difference is just in the instruction
execution timings.

We are not "hosed" in any way by this.

As soon as the microcode is writable, then we have questions: can _anyone_
write any arbitrary microcode and put it in place? Or is there some
tamper-proof layer that only accepts signed microcode, and who has the
keys?

~~~
ksk
>If [...] but neither does anyone else, then it's just a part of the hardware

That has never been the case, for practical manufacturing reasons.

>As soon as the microcode is writable, then we have questions:

It has been writable for more than a decade I think.

~~~
kazinator
Uh, microcode has been around since the 1960's!

Any aspect of the machine which is data-driven is _de facto_ hardware if that
data is fixed in read-only memory.

Consider that an AND gate can just be memory. The two inputs can be treated as
a two bit address: 00, 01, 10, or 11. If we stuff in the values 0, 0, 0, 1
into the 1-bit content cells at these addresses, we have an AND gate.

If this memory is ROM, then the overall circuit is not distinguishable from a
conventional AND gate where a few transistors do the signaling directly.

------
n0us
What is to stop the DOJ from requiring them to produce a phone that has a
hardware backdoor? If they are required to produce a software backdoor then
building an iPhone which is immune to such vulnerabilities seemingly solves
that problem but I don't see the leap towards compelling Apple to build
vulnerabilities into hardware as a large one.

I'm not well versed in security so excuse me for my ignorance, but what if
there were a way to solder a chip onto the board that allows access to the
secure enclave. Every time an iPhone is made a companion chip is produced that
contains some kind of access key which only works for that device and someone
is required to foot the bill for storing them.

~~~
chinathrow
What if another agency already has an NSL in place requiring exactly the same
(backdoor, weak crypto params, weak by design secure enclave) and they simply
are under a gag order not to talk about it?

~~~
aioprisan
NSLs can only ask for information, not force a company to build a product.
That kind of request would have to come through legislation and apply to all
US companies in a similar situation.

~~~
teacup50
That's not really true; as evidence, I give you Room 641A:
[https://en.wikipedia.org/wiki/Room_641A](https://en.wikipedia.org/wiki/Room_641A)

"Room 641A is a telecommunication interception facility operated by AT&T for
the U.S. National Security Agency"

As long as you have a backdoor, and Apple does, shady government agencies can
and do come knocking. We've got plenty of shady government agencies, and can
never guarantee that we won't have more in the future.

~~~
X-Istence
That was most likely a backdoor deal between AT&T and the NSA. There was no
legislation enacted. AT&T was not REQUIRED to install that room.

~~~
teacup50
We still don't know what the deal was. Arguing the nature of what we know
about NSLs is a bit pointless when things like 641A are happening.

Our interpretation of already unconstitutional NSLs guarantees nothing.

------
alfiedotwtf
"If you want to keep a secret, you must also hide it from yourself"

        - George Orwell, 1984
        - Apple, 2016

~~~
kbart
Just a nitpick, but _1984_ by G. Orwell was first published in 1949, which makes
it even more impressive.

~~~
alfiedotwtf
That was intentional

------
Evolved
@everyone: All this hubbub and no guarantee the phone wasn't already wiped
and/or doesn't contain any sensitive information because they didn't use that
phone for those purposes.

@Udik: I could just keep my tax documents in printed plaintext on top of my
dresser but I opt to keep them locked up. Privacy and security are important.
If people who utilize privacy/security tools are up to no good then why does
the U.S. Gov't have a clause for not revealing information due to State
Secrets? Why do we set our Facebook profiles to private? Why have passwords at
all on anything? Are you beginning to see the point?

------
condour75
that's the endgame of government surveillance requests: it's increasingly in a
company's best interest to have the best security possible so they can't be
compelled to hack their own devices.

~~~
robhu
Surely it is in a company's best interests to have 'good enough' looking security
to serve their PR purposes while also secretly providing government access to
maximise government kudos and all the benefits that would entail?

~~~
buro9
Not really.

For many customers of hardware and software trust is what is being sold.

As trust is eroded 'good enough' is no longer good enough. The only way to
continue to be trusted is to be more secure, and as the grandparent points out
the endgame there is that the encryption puts the software and hardware beyond
the reach of the company that produced it.

~~~
megablast
While the majority could not care less, and would be more than happy to sell
out their own privacy for a "safer" world.

------
drcode
Darn... this, along with the fact that the MacBook Pro my work gave me is so
much better than I expected, is making it harder for me not to become a full-on
Apple convert.

------
nickpsecurity
My last write-up on smartphone risks applies to this discussion.

[https://news.ycombinator.com/item?id=10906999](https://news.ycombinator.com/item?id=10906999)

Apple is far from having a secure phone right now. NSA certainly has ways to
bypass this based on my attack framework and their prior work. They just don't
want them to be known. They pulled the same stuff in the past where FBI talked
about how they couldn't beat iPhones but NSA had them in the leaks & was
parallel constructing to FBI. So, the current crop are probably compromised
but reserved for targets worth the risk.

That said, modifying CPU to enable memory + I/O safety, restricting baseband,
an isolation flow for hardware, and some software changes could make a system
where 0-days were rare enough to be worth much more. Oh yeah, they'll have to
remove the debugging crap out of their chips and add TEMPEST shielding. Good
luck getting either of those two done. ;)

~~~
kevinnk
> They pulled the same stuff in the past where FBI talked about how they
> couldn't beat iPhones but NSA had them in the leaks & was parallel
> constructing to FBI.

Do you have a link to a leak that shows this? I couldn't find anything with a
simple google search.

~~~
nickpsecurity
It was in the leak on mobile OS's. They not only found iPhone vulnerable but
mocked their users.

~~~
kevinnk
Could you be more specific? I've followed the NSA leaks with some interest,
but not particularly closely, so I'd be really interested in seeing the actual
presentation/document/whatever.

For reference I've googled every combination of "nsa apple mobile OS leak" I
could think of and couldn't find a primary source.

~~~
nickpsecurity
I Googled "nsa leak iOS" and found the first one:

[http://www.spiegel.de/international/world/how-the-nsa-spies-...](http://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html)

Helps to type in just what you want and what will specifically have your
answer. Mobile will give you garbage most of the time. Apple as well. A
technical document will usually reference iOS. Also, you can use quotes to
ensure something appears.

Interestingly enough, me typing what you typed into Google still led to the same
leak and others showing potential backdoors. Hmmm.

~~~
Udo_Schmitz
If you are asked for a source it doesn't look great to begin your answer with:
"I googled …" About the linked article: out of date (2013, mentions iOS
4.3.3). Very thin on actual information. 90% of article is about Blackberry
but insinuates same risks for iOS. As a German I wouldn’t trust Der Spiegel
anyway: when it comes to IT issues my fellow countrymen are often fueled by
longstanding anti-americanism and technophobia :/

~~~
nickpsecurity
He said he couldn't find anything on the topic Googling. When anyone does
that, the first thing I do is Google exactly what they said. Usually turns up
something. Then I point that out as if I wonder how much research they actually
did. If they otherwise seem alright, I might also give tips on how I get
decent results out of search engines.

"About the linked article: out of date (2013, mentions iOS 4.3.3). Very thin
on actual information. "

It's what I got out of a quick Google. I was unwilling to spend more time on
that angle as my list of risks plus Apple's development practices shows we
should consider it untrustworthy by default. I just don't feel like putting
too much time into finding the specific evidence NSA might hit a specific
version of a product that wasn't secure in its entire history, and which
came from a company whose products did things like require an admin login on
certain services but not check if password matches records: just the existence
of a password in submission was enough. Better to spend that time on
researching actual security. ;)

------
ianamartin
What I want is a service that deletes all my online presence after I die. A
deadswitch. All texts, messages, emails, facebook posts, pictures anywhere,
_everything_.

I want it all to go when I do. Hell, I want some of it to go now.

After I'm gone, I want to leave no part of my existence on the internet.

I realize that's not possible. But I want to minimize my footprint.

It is totally possible for a local device. I have a deadswitch on all my
computers. If I don't log in and set an alive flag via the command line in any
of my computers for more than a week, that computer securely wipes itself.

Let it be known, I have nothing to hide. I just think this is the best way to
do things.

Edit: My reason for this is the frequency with which I encounter people who
are no longer alive. It's a harsh thing to look at a link to someone who said
something, and you used to know and then suddenly realize, "Oh shit. He's
dead. And I used to be his best friend."

I know facebook has memorial pages, but those are difficult to get.

~~~
dclowd9901
When something you create is public, you no longer have a right to dictate it.
You do not have a right to be forgotten. That would be an attempt at some sort
of thought control, and you don't get to tell us that this comment you just
wrote can and should be forgotten. If I choose to remember it, outside of your
wishes, there's nothing you can do about it.

Private information is another matter, but when people presume they have
rights to choose how others think, it really makes my blood boil.

------
wahsd
One aspect of what all this comes down to is that governments don't want to
have to do real work or even prioritize their tracking and surveillance.

What encryption and security really does is create scarcity of access to
information and data in order to force a market solution where government
groups have to prioritize their efforts and apply them deliberately.

~~~
studentrob
Yes. The DOJ is looking for the easy way to do their job. It's not the only
way.

------
studentrob
Good. Congress shall pass no law abridging freedom of speech, and code has
been ruled free speech.

The only reason previous wiretapping laws were passed is because they weren't
in the limelight and the public never had a chance to weigh in. _Let's make
this an election issue_

~~~
TazeTSchnitzel
> Good. Congress shall pass no law abridging freedom of speech, and code has
> been ruled free speech.

Unless it breaks DRM!

~~~
teacup50
Which, ironically, is exactly what Apple is protecting here. DRM.

~~~
rimantas
DRM for your own data is called privacy.

~~~
teacup50
Apple, a 3rd-party, holds the master keys, and you don't.

So no, that's not DRM for your own data.

~~~
pc2g4d
But that's simply not entirely true. The encryption keys for the phone's data
reside on the phone and are only available with the PIN/password.

Apple does hold the keys for software updates, which can be pushed without
user approval. Maybe that's what you were referring to.

------
zobzu
"Impossible for security agency to hack"

Nothing is 100% proof, crypto certainly isn't. It's going from child's play to
"you actually need knowledge" to "this is actually hard now" (but.. not
impossible).

~~~
Piskvorrr
Perhaps "infeasible" is a better word: "possible, but it would take about 300
years."

------
jarcoal
Don't they just need to tell people to switch away from 4 or 6 digit pins and
use longer passwords?

~~~
trowawee
I wish Apple would start pushing passphrases. Easy enough to remember, plenty
strong, already usable with the current system on iPhones.

~~~
rm_-rf_slash
Nobody would adopt them. It's annoying enough to deal with 4 digits when it's
cold and I'm wearing gloves and I just want to change the song I'm listening
to.

Passphrases suck enough whenever you have to log back in. Are people really
gonna put up with that _every time they want to use their phone?_

On the other hand, if there were a convenient way to _toggle_ between
passphrases and 4-digit unlock, (especially if you had to use the passphrases
to toggle back to 4-digit) then I would be all for it.

~~~
plorkyeran
I'd love to have a long passphrase that has to be entered after booting and
every 48 hours, and then a 4-digit pin that's usable when TouchID is for when
I'm unlocking my phone with my nose.

~~~
shawn-furyan
Exactly. Short passwords/longish pins suffice for short durations if they are
random (i.e. not guessable), particularly if the device requires external
hardware to brute force due to attempt duration scaling.

I currently use a generated long password on my Android phone and have adapted
to the extra work, but having the option to enter a password once a day and a
pin or shorter password throughout that day would be a welcome convenience
option, and it's not really significantly more onerous than just a pin.

------
jarjoura
Hmmm... this absolutist attitude by Apple begs the question for me: are we
SURE we want to have phones that absolutely cannot be unlocked when the owner
is nowhere to be found/dead?

It's such a grey area and I will probably get downvoted for commenting this
way. I 100% agree that the power, in the wrong hands, is horrible, but can't
we talk about this in a way where there's some kind of middle ground? All I've
been reading are either extremes.

~~~
TheCondor
Write your pass code on a piece of paper, put it in an envelope, and staple
the envelope to your will and deposit it with your lawyer. Nothing prevents
you from telling loved ones your pass code.

They give you the choice.

------
drdrey
The original story has changed its title to "Apple Is Said to Be Trying to
Make It Harder to Hack iPhones".

I was a bit surprised by the clickbait-y nature of the HN title, but we can
see in the nytimes URL that this "Apple Is Said to Be Working on an iPhone
Even It Can’t Hack" was the original title, eh.

------
draw_down
They'd have to be crazy not to. Weird that no one else who makes phones seems
to give a shit, though.

------
awqrre
The problem with software is that none have been 100% secure yet... I doubt
that Apple will be able to achieve that in the near future. Someone should
send a phone to John McAfee at the very least [1][2] ...

1. [http://www.pcgamer.com/john-mcafee-on-his-fbi-iphone-hack-of...](http://www.pcgamer.com/john-mcafee-on-his-fbi-iphone-hack-offer-our-government-is-illiterate-in-cybersecurity/)

2. [http://arstechnica.com/staff/2016/02/mcafee-will-break-iphon...](http://arstechnica.com/staff/2016/02/mcafee-will-break-iphone-crypto-for-fbi-in-3-weeks-or-eat-shoe-on-live-tv/)

edit: added source #2; see Google for additional sources...

~~~
jjnoakes
What an awful article. And it isn't even the real article.

------
blinkingled
Could Apple not push an OS update that can compromise everything they are
doing to make the iPhone unhackable? As long as the user has to trust Apple
there's always going to be the possibility that FBI/NSA/whoever force Apple to
update a target's iPhone to enable tracking/recording of whatever information.

It's not an attainable goal in practice. Today they generate a per device
customized update that can be installed without user intervention. Even if
they tomorrow enforce user intervention they still retain the capability to
push a targeted update for a specific device on law enforcement/court order.
The user has no way of telling what the update did.

~~~
tekklloneer
It's very difficult, especially since they aren't open source. However, they
could attain a state where to compromise a device requires the user accepting
a malicious update, which would make the FBI's current request moot.

(although there's a whole separate set of legal attacks unexplored)

------
zekevermillion
The article doesn't cite a source. It doesn't even say that it is anonymously
sourced from someone close to Apple (who presumably is leaking). That makes me
wonder if the real source of this info is Apple-approved, and sort of an
indirect way of engaging policymakers. I get the sense that Apple is picking a
fight b/c the DOJ has been violating an unwritten agreement, basically that Apple
will provide all the help requested, informally, as long as the DOJ doesn't
push for court orders or new laws that tie Apple's hands in constructing its
devices and the software that runs on them.

~~~
TillE
That's normal style in mainstream journalism, weird as it is. If you read a
lot of sports journalism for example, you'll see a ton of articles which are
literally just a summarized transcript of a phone call a reporter got from an
agent, written as if it's just pure factual information that appeared from
thin air. At least in those cases it's trivial to guess who the source
actually is.

Again, it _is_ objectively very strange to not even hint at what the source of
your information is. But it's also standard practice.

~~~
zekevermillion
Yeah, standard practice maybe. I guess I'm more interested to know if this
story is sourced from Apple (unofficially) or is it based on a more indirect
rumor that's going around...

------
parkej60
When will personal technology legally be considered an extension of our minds?

Full disclosure: I understand this was a person's work phone. This is a
statement which is solely being posted to stimulate theoretical discussion.

------
wantreprenr007
As much as I <3 Apple, they're still a SPoF just like Lavabit or anyone else
with centralized servers that aren't "SWAT-resistant." If iDevices could work
without iCloud and usefully communicate with each other directly (sans cell
network too), that would be impressive... storage, processing and wireless
tech are all getting cheaper... p2p "iCloud" might be within the realm of not-
quite-insane.

(Somehow, I feel iMessage and related apps are MITMable because there is no
mandatory, mutual, out-of-band validation of a recipient's identity.)

------
malandrew
If Congress does pass such laws, I would love it if Apple considered security
so important to its product vision that they'd be willing to use their cash
reserves to restructure the company and engineering, moving its security
engineering to a country that pledges never to force it to compromise on
security. Apple is no stranger to keeping internal secrets and keeping
concerns isolated. I have no doubt that they could find a way to guarantee
security. IMHO governments are security bugs to be patched.

------
beshrkayali
If this means that there's going to be some hardware measures in the iPhone
itself that would prevent multiple passcode entry attempts then that'd be
good. Otherwise, as long as there's that "troubleshooting" system that can
update/reinstall the firmware without the passcode and all measures taken to
prevent brute forcing the passcode out are built into the software, it's all
talk. There's nothing enlightening in this article.

------
nxzero
Unless the implementation is public and verifiable, which is unlikely, the
idea that there is a "secure" iPhone is just that, an idea.

------
bunkydoo
This marks a very interesting time in my opinion. We have corporations with
more money than governments making (or at least attempting to make) certain
social decisions once reserved for only public sector government officials. If
Apple is successful here, it will usher in a new era of what a private company
can do.

------
riquito
They can have perfect hardware crypto, but they can always send a new OS
update to every phone with "if your account id is in top 100 wanted, send a
copy of everything to x.y.z". Nobody would ever know (until it's too late, at
least)

(of course if the phone is not in use anymore it doesn't apply)

------
gaia
My Nexus 6 running Android 6.0.1 is encrypted and uses hardware backed
credential storage.

If the software (Android) had the same type of protection (if the wrong PIN is
entered 10 times it destroys the key), would this device be at par with the
iOS approach?
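
The lockout behaviour gaia asks about (wipe after 10 wrong PINs) and the "attempt duration scaling" shawn-furyan mentions can be modelled to see why a random short PIN holds up under such a policy. The following is an added illustration, not code from the thread, Apple or Android: the delay schedule, the wipe threshold and the PIN value are constructed assumptions, and the numbers it produces describe only this toy policy, not any real device.

```python
"""Lockout-policy model: escalating delays plus optional key wipe.

Added illustration; the delay schedule, the wipe threshold and the PIN are
constructed assumptions, not Apple's or Android's actual parameters.
"""
from typing import Optional

# Assumed delay (seconds) imposed before an attempt, indexed by the number of
# failures already recorded. Past the end of the list, the last value repeats.
DELAY_SCHEDULE = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]


def delay_for(failures: int) -> int:
    """Delay the device enforces given this many prior failures."""
    return DELAY_SCHEDULE[min(failures, len(DELAY_SCHEDULE) - 1)]


class PinGuard:
    """Simulated unlock gate: counts failures, enforces delays, wipes the key."""

    def __init__(self, pin: str, wipe_after: Optional[int] = 10) -> None:
        self._pin = pin
        self.wipe_after = wipe_after  # None disables the wipe
        self.failures = 0
        self.wiped = False
        self.clock = 0  # simulated seconds spent waiting on delays

    def try_unlock(self, guess: str) -> bool:
        """Return True on success; False on a wrong guess or after a wipe."""
        if self.wiped:
            return False
        self.clock += delay_for(self.failures)
        if guess == self._pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.wipe_after is not None and self.failures >= self.wipe_after:
            self.wiped = True  # key material destroyed; no guess can succeed now
        return False


def time_to_exhaust(space_size: int) -> int:
    """Seconds needed to try every PIN in a space of this size (delays, no wipe)."""
    return sum(delay_for(k) for k in range(space_size))


def success_probability(space_size: int, wipe_after: int) -> float:
    """Chance of hitting a uniformly random PIN before the wipe triggers."""
    return min(wipe_after, space_size) / space_size


if __name__ == "__main__":
    hours = time_to_exhaust(10_000) / 3600
    print(f"4-digit space, delays only: about {hours:.0f} hours to exhaust")
    print(f"4-digit space, wipe after 10: p = {success_probability(10_000, 10)}")
```

With the assumed schedule, exhausting a 4-digit space takes roughly 10,000 hours, and with a wipe after 10 failures the chance of guessing a uniformly random PIN is 0.1%. Both figures assume the counter and delays are enforced somewhere the firmware cannot reset, which is exactly the hardware-versus-software distinction the surrounding comments argue about, and both collapse if the PIN is not random.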

------
Aoyagi
So what are the odds that this is just an act, whether Apple knows about it or
not?

------
joezydeco
Could DOJ slap Apple with an injunction forbidding deployments of new iOS
releases until the San Bernardino case is concluded?

If Apple can't launch new iOS versions, can they still launch new iPhones?

~~~
studentrob
By saying what exactly? That an unhackable iOS is illegal? That's not
currently true and it is the precedent that everyone believes the DOJ would
like to set, but that the DOJ keeps denying.

~~~
joezydeco
I'm just thinking out loud, but who knows? DOJ has been pretty creative about
making this issue more critical than the other times they've tried to unlock
iOS devices (because, of course, _terrorism_ )

What if the feds decide that an O/S update closes a zero-day that the NSA was
using (note they've been _really_ quiet here) and interferes with an FBI
investigation in process?

And yeah, DOJ keeps saying it's just the one device, just this one time. What
happens if they suddenly change course just to prevent iOS from getting _more_
secure?

~~~
studentrob
There is currently no law on the books that compels Apple to act here. That is
why Comey asked Obama to ask congress for a law. Obama said no and advised
using the AWA.

They won't try to pass this law until after this election year. It's too
sensitive an issue and will fracture the voter base along unexpected lines,
thus giving Trump a chance at winning.

------
Gratsby
How about you simply encrypt your data store? There's no reason you can't
encrypt things in such a way that your operating system does not have direct
access to it.

------
jokoon
I thought they already couldn't hack the iPhone.

------
frb
Sorry for the cynicism, but am I the only one feeling that this is a huge
marketing stunt for the new iPhone 7 with super encryption?

------
morninj
This is excellent, but unfortunately it will not protect any data on the
millions of iPhones that already exist.

~~~
dylan604
It would be a huge middle finger for Apple to design this new iPhone as a free
upgrade for all current iPhone users. With their cash reserve, it would be a
huge PR spin.

There are however those pesky shareholders to keep happy.

------
emodendroket
Can Apple make an iPhone so heavy even they cannot lift it?

------
alexnewman
Hope they learn how to build a baseband proc.

------
tempodox
Tim Cook has gained my respect over this.

------
ADRIANFR
This title reminds me of a quote from The Simpsons: "Can God create a rock so
heavy that even he cannot lift it?"

------
pmarreck
Good.

------
joering2
This is one of those moments I wish Jobs was still here.

Had he lost to the DOJ, here is what would (might) have happened:

- he would gladly have unlocked this phone and billed the DOJ for the time spent on
redesigning iOS

- going forward, he would label each phone's box in red letters: CONTAINS
GOVERNMENT-REQUIRED BACKDOOR (I doubt Gov can forbid him from doing that)

- he would then stop selling devices in Apple stores directly and only allow
them to be ordered in stores, with direct home delivery from an Apple website hosted
and operated outside the USA.

- all the shipping would be done directly from China, bypassing the US tax system
altogether.

- shortly after, he would remove the backdoor from iOS for devices that are not
directly sold on US soil

That would be a big fat middle finger to the DOJ.

~~~
venomsnake
And then Jobs would find himself facing a long, long prison term after the DOJ
decides to go full power on him for something otherwise unrelated or small.
You commit a lot of federal offenses by just existing in the USA. Or every
other country. There is always something that they can nail you for.

~~~
codeisawesome
This is quite horrible but, if his diagnosis had come _after_ such a middle
finger... I wonder if he would care.

