FBI drops Apple case after cracking iPhone

Dear FBI—

I understand that sometimes government is slow to get technology right. And I fully sympathize; it’s hard to keep up with all the trends and new gadgets and accessories. Everything changes so quickly these days.

But this news is disappointing. It’s just wasteful. Those iPhones are expensive. I know; I have one. What with this being an election year, all the candidates are promising to cut waste. It might not be too long before you can’t even get a new iPhone if you damage the old one.

Don’t worry. This one is pretty simple to explain. You almost had it right, you just got the steps in the wrong order.

If you put the iPhone in the Apple case first, then the phone won’t get cracked when you drop it.

Also, I don’t recommend dropping it, if you can help it.

Good luck!

6 Replies to “FBI drops Apple case after cracking iPhone”

  1. Apple
    I love the multi-layered puns!

    On a serious note, I think Apple blew it. They had a huge marketing windfall in being able to say, “Our software is so secure even the FBI can’t crack it. Relax knowing that your data is safe with us unless you are a mass-murderer.” Now what do they say? “A guy can walk in off the street and crack one of our phones in 28 minutes.” (allegedly)

    And after refusing to help the FBI in a terrorist case, they are demanding that the FBI help them fix their software so they can’t do it again? Big brassy ones!

    1. The crack taking 28 minutes
      The crack taking 28 minutes doesn’t surprise me in the least. This is no cryptographic hack. It is merely a means of circumventing the four-digit passcode which provides entry to the phone. Apple’s design introduces ever-increasing delays between wrong attempts: get your passcode wrong once and you are asked again within a second. The second time might be two seconds, then five seconds and so on. IIRC, after eight wrong guesses at the PIN the interval is an hour. Optionally after the tenth guess the iPhone can erase itself.

      Once this system has been circumvented, a four-digit code can be brute-force hacked quickly. The fact that the crack took nearly 28 minutes indicates to me that they are still using a device that physically taps the numbers onto the touchscreen. Otherwise 10,000 iterations should be possible in less than a second.

      I don’t think that Apple needed to say anything at all; it is obvious that the FBI seemed unable to crack the phone. Perhaps by helping the FBI destroy the security measures they could have kept the crack somewhat quieter, but we’re probably more secure knowing about the crack.

      I assume that Apple probably knows how the passcode was circumvented; I can think of a couple ways to do it, but it would require me to access or reverse-engineer proprietary Apple technology. If Apple is interested in how the crack was performed, I wouldn’t be surprised if patent infringement and/or DMCA suits followed.

  2. PS
    Now I see the FBI has sent a letter to every law enforcement agency in the country offering to help unlock iPhones as long as the PD follows proper procedures as to warrants, etc.

    1. Proper procedure
      What troubles me is the question of what constitutes proper procedure.

      The courts have already ruled that law enforcement can require a suspect to unlock a phone with a fingerprint reader, though they cannot make that demand with a PIN-locked phone. A PIN is information, whereas the phone itself is physical.

      If all a law enforcement agency needs is physical possession of the phone of someone who has been arrested (but not charged), said “proper procedure” requirement seems hollow.

  3. Security
    Relying on Apple’s (or anyone else’s) four digit password or the court system is not security. If you want security, encrypt your own files with audited open-source encryption.

    1. Needles and PINs
      Dad wrote: “Relying on Apple’s (or anyone else’s) four digit password or the court system is not security.”

      Indeed. But there are always compromises of one sort or another. How are you going to read your public-key encrypted messages on your phone without the private key to decrypt those messages?

      Answer: You don’t. You use a private key that has itself been encrypted with a difficult-to-remember 40+ character passphrase. And store that passphrase in a password manager so that it can be copied and pasted. That password manager’s vault isn’t flying around the internet, so you can have an easier to remember and type password on that. And the phone itself is physically in your possession; so long as that is true (and you have the capability to remotely wipe the phone if it leaves your physical possession), slowing someone down is really all you should need.

      But it ought to *actually* slow an attacker down. Four digits without an intermediate delay can be cracked in a few hours by someone with fingers, patience, and the ability to count to 9,999. I’ve done it. Don’t ask why. 🙂

      Point is, the only perfect security is destroying the information, which makes it useless. There ain’t no perfect security, which is why Zimmermann named his famed encryption software Pretty Good Privacy.
