Apple says recent Wikileaks CIA docs detail old, fixed iPhone and Mac exploits (techcrunch.com)
64 points by gerosan 2 hours ago





If you're not familiar with the iPhone platform and you're interested in just one technical detail to help navigate these stories, let it be this: the iPhone 3G platform bears very little resemblance to the modern, post-touch-ID phone. The platform security system at every level, from boot chain to hardware domains to OS security, evolved more in the last 10 years than any previous platform had in 20 years prior.

That doesn't make an iPhone 7 impregnable, but it should inform any analysis you do of stories about phones being tampered with "starting in 2008"; that's a little like talking about SMTP server security "starting in 1993".

I still wonder how much it would have cost the FBI to crack the passcode/phrase on a phone with secure enclave. I also wonder if an agency like the NSA has capabilities around these devices and would they be willing to expose such capabilities in another similar scenario. A final musing of mine is if they wouldn't just claim some group or another did it for $X,000,000 dollars to make it all seem plausible (e.g. the cost and attack scenario on the 5c was plausible and probably required desoldering the storage, but that won't help on a device with the enclave system).

The encrypted by default iOS 4 and the whole design around passcode handling in that release was the start of a very strong security posture for Apple and their iOS devices.

> I still wonder how much it would have cost the FBI to crack the passcode/phrase on a phone with secure enclave.

Apparently $1,500[1]:

"Cellebrite's CAIS now supports lawful unlocking and evidence extraction of iPhone 4S/5/5C/5S/6/6+ devices (via our in-house service only)."[2]

[1] https://www.macrumors.com/2017/02/24/cellebrite-lawful-unloc...

[2] https://twitter.com/jifa/status/834510775158976513

I always find it fascinating to read and understand the mistakes of yesteryear. Many of the same architecture flaws can be found in systems today, and likely tomorrow. Bugs, on the other hand, are fun because we tell ourselves we would never make those mistakes, and then proceed to make them.

That's exactly what an NSA stooge would want us to think!

I'm pretty sure they wouldn't want you to think about it at all.

I'm pretty sure that they stopped giving a rat's ass about what anyone thought a while ago.

This just made me realise that yes, 2008 was in fact almost 10 years ago...

CIA must have a bunch of embedded workers at Apple, Google, etc., all adding subtle bugs that can later be used to hack the devices and services. I imagine other intelligence agencies must have them too. If they don't, then they're not doing their job.

Yes, it is an old exploit. This ArsTechnica article [1] has more on the timeline.

[1] https://arstechnica.com/security/2017/03/new-wikileaks-dump-...

If you're interested in how iOS security works, Apple publishes white papers on the subject.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

I wonder how old the leaked CIA docs are though. Are there any contextual clues that it's current?

Someone might have sat on a copy for years before leaking.

Edit: Quick scan shows there are some docs with dates in 2013, 2014, 2015. So at least some of it is fairly recent. No real way to tell, though, if it was all pulled at once, assembled over time, etc.

The CIA exploits are important because most people never update anything. It doesn't matter if you have fixed the OS for the exploit if the fix is never installed.

Thankfully, Apple is pretty proactive about getting people on the latest version of the OS. IIRC, iOS 10 runs on over 80% of devices now.

People still have to actually run the update. Most non-tech types I know never ever run software updates.

According to actual data rather than anecdote, iOS 10 is installed on ~80% of devices, and only 5% have something older than iOS 9.

https://developer.apple.com/support/app-store/

