It's never been easier for the cops to break into your phone (theverge.com)
54 points by DeepPhilosopher 55 days ago | hide | past | favorite | 31 comments



Does anyone know how much of a black box these Cellebrite (or competitor) systems are?

Like if we could get some into the hands of the best reverse engineers in software and hardware, how difficult might it be to figure out the methods by which they gain access (aside from standard brute force and the like)? Are these unreleased zero-day software exploits? Or something that anyone with enough knowledge of the hardware system could implement with, say, a few million dollars and a small team of capable people? How are updates delivered? Do we know that the devices don't provide remote access to the vendor themselves?


A French YouTuber got their hands on one and they say the device itself isn't protected at all! https://www.youtube.com/watch?v=lVx5auDj7Hs



Got his hands on one and all he could muster is a talking head video?


I don't imagine they are super hard. If they require Wi-Fi or USB or JTAG access, you can just dump it and figure out what it is doing; it's not going to be any harder than reversing any other exploitation technique.

There would be thousands, if not tens of thousands, of people in the world who can do it. It's much harder to create the exploit than to reverse it.


Older system:

Cellebrite UFED Cellphone Forensic Extraction Device Teardown https://www.youtube.com/watch?v=7LLGGCXH9MQ

UFED - it's right in the name :] The video has a little demonstration with older phones: one-click bypass for all passcodes.


It's a pity that we (likely including the journalist) don't know more about how the cops got access to the iPhone beyond cloud backups: the one thing I'm taking away from this article is that passcodes can still be brute forced.


Well, look what vectors Apple thinks are used (most while you keep using it, some physical):

https://support.apple.com/en-us/105120


I think that brute-forcing the passcode is an unlikely attack vector. If they do "brute force it", it likely won't be with Apple's OS running; it would be some kind of custom attack.


Image device -> run image in emulator -> try 5 passcodes -> get blocked -> reload image -> try 5 passcodes -> get blocked -> ... -> try 5 passcodes -> unlock phone.


That's the point of the Secure Enclave, where the password keys are stored. It's designed to be impossible to image. Early attacks relied on pulling the power to the chip after it sent a failure message but before it updated the attempt counter; this is fixed on newer revisions to happen the other way around.
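
The ordering the comment above describes, as an added toy model that is not Apple's code and not from the page: when the failure is written only after the result is reported, cutting power in between leaves the attempt counter unchanged, whereas committing the failure before producing the result makes every interrupted attempt count. The class names, the 5-attempt limit and the sample passcode are constructed for the illustration.

```python
import hmac


class PowerCut(Exception):
    """Models the device losing power at a chosen step."""


class PasscodeCheck:
    """Toy verifier; failed_attempts stands in for non-volatile storage
    that survives a power cut. counter_first=True is the hardened ordering."""
    MAX_ATTEMPTS = 5  # constructed limit for the illustration

    def __init__(self, secret, counter_first):
        self._secret = secret
        self.counter_first = counter_first
        self.failed_attempts = 0

    def attempt(self, guess, cut_after_result=False):
        """Return True on unlock; cut_after_result simulates losing power
        right after the result is known, before any later write happens."""
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            raise RuntimeError("locked out")
        if self.counter_first:
            # Hardened: assume failure and commit it first; roll back on success.
            self.failed_attempts += 1
        ok = hmac.compare_digest(self._secret, guess)
        if cut_after_result:
            raise PowerCut
        if not self.counter_first and not ok:
            # Naive: the failure is written only after the result, so a power
            # cut in between leaves the counter untouched.
            self.failed_attempts += 1
        if ok:
            self.failed_attempts = 0
        return ok


def attempts_before_lockout(counter_first, guesses):
    """How many guesses can be made when power is cut after every result?
    Naive ordering never locks; hardened ordering locks after MAX_ATTEMPTS."""
    dev = PasscodeCheck("4821", counter_first)  # constructed sample passcode
    made = 0
    for g in guesses:
        try:
            dev.attempt(g, cut_after_result=True)
        except PowerCut:
            made += 1
        except RuntimeError:
            break
    return made
```

With the hardened ordering a correct guess interrupted by a power cut also counts as a failure, which is the fail-closed trade-off the design accepts.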


Are you a hardware engineer at Apple speaking in official capacity? Not that I would believe that even if you were. Of course the government can read their surveillance device.


How do you image an iPhone device?


I assume you can desolder the flash chip and directly dump its contents. Not trivial, but not too difficult for someone with the right skills.


That won't give you the encryption keys, which are stored in the Secure Enclave.


Isn’t the Secure Enclave another separate flash chip?


Yes but with the controller built in and hardware hardening.

They are designed precisely to prevent this kind of attack.

I bet most of the exploits used by these boxes have nothing to do with the secure element but just bypass security using exploits in standard system or USB code. Most phones will be captured with the OS running but just the UI locked, with all encrypted volumes already mounted.


If they can access the iCloud account, then the phone can be backed up remotely and the backup read.


True, but only if the user actually uses iCloud backup, of course. I never did when I had an iPhone, for that reason: I don't want all my personal stuff in the cloud.

But this is not how cellebrite boxes work anyway. They focus on the device.


Assuming the user hasn't enabled end-to-end encrypted backups (which is an option, not the default).


Yeah, I had the same question. Because the grandparent comment explanation felt very much like the “…and then draw the rest of the owl” joke.


Along with this, the ISPs, phones and services online all have a close relationship with those requesting access from law enforcement. Rarely would most put up a fight for you or anyone else if your information was requested.

There are numerous ways for LE to view and manipulate your online experiences. Your phone can be viewed remotely, like remote desktop over your cell connection, without your knowledge, defeating all end-to-end encryption in the process.

LE is given access to your application APIs and can control the results you get from job searches, your YouTube recommended videos and even the advertisements you are served.

Now you may think there are protections and they need a warrant. They do not in many cases. Most important to understand is that LE only has to follow the law and the rules if they want to use information they collect against you in court. Most requests do not go this far. So it is wide open for your information.

Even getting your phone and getting into it is easier than ever. However once you get here odds are it will face scrutiny in court.

I am hopeful a lot of this will continue coming out and being verified more officially. We live in a surveillance state and most people need to be educated about it.


This is very interesting. Would you be able to point to sources where we can learn more about these capabilities? A friend who is usually quite rational has lately been insisting this is happening to them (remote monitoring, harassment via search results and anything with an algorithmic feed). They haven't done anything wrong, but may have gotten on the wrong side of well-connected people, and are now concerned things could escalate (e.g. framing). If there were any indicators on their devices or elsewhere that they could look for, it could be helpful.


Is there any info yet on what kind of a phone the attacker had?

I still cannot find any article about this incident that explicitly mentions whether it was Android or iOS at all, let alone a specific model.

Most of them keep referencing that old San Bernardino story, where the attackers had an iPhone with an outdated security model even for the time of the incident (it was an iPhone 5c, iirc).


Try sorting by date and using an exclusion operator for San Bernardino.


Looks like there is now a confirmation[0] that it was an Android phone.

0. https://9to5mac.com/2024/07/18/trump-shooter-android-phone-c...


Don't know Apple, but Androids can be put into Bootloader and Recovery without password or PIN. Most Recoveries give you access to the file system (if not, Bootloader can be used to install your own Recovery). Extract the files and run them through whatever software you have for decryption.


Can you name a single Android phone or tablet model that is <10 years old for which you can access personal data with this method?


Nexus 6 (late 2014), as well as the rare Nexus 5X (2015), where the owner enabled the "OEM unlock" option.

Obscure Chinese brands made such Android phones for a few more years.

All Google Pixels (2016 and later), and virtually any Android phone made after circa 2018, are safe from the naive bootloader attack: user data is encrypted, plus you have to "OEM unlock" to even get the recovery to run.


My mistake. Most of my Android devices are unlocked.


tl;dr

The FBI made a note that they accessed the phone, shared widely etc., https://www.fbi.gov/news/press-releases/update-on-the-fbi-in... ; there isn't any other information regarding the case.



