FBI hack to remain secret from Apple

The FBI has no plans to reveal how they hacked the San Bernardino shooter’s iPhone, not even to Apple.

In March, the FBI announced that they would be dropping their case with Apple after having purchased a hacking tool from a third party to aid in breaking into the phone. Apple had cooperated with the FBI, but would not create new firmware to break their own encryption. The high profile nature of this case brought the debate about privacy and security to the national stage. Although there was a judge assigned to rule on the case, the FBI’s purchasing of a hacking tool put the need for a ruling to bed.

Since then, the FBI has been mum on how this hacking tool was able to be successful and how it works. Prior to purchasing the tool, the FBI insisted that it needed Apple to update the firmware in order for them to do a hack on the shooter’s iPhone. The security on iPhone only allows 10 consecutive attempts to break the passcode before all data is erased on the phone.

Apple has a vested interest in understanding the hack, because the tech company would want to patch any vulnerabilities that allowed the FBI to use this tool to access the iPhone.  Hacking into this iPhone will make all iPhones vulnerable to the same sort of attack, which ultimately puts many iPhones around the world at risk.

An Apple attorney has stated that the company has no plans to sue the government to reveal how the San Bernardino iPhone was unlocked.

The government already has policies in place, called theVulnerabilities Equities Process, which governs disclosure of security problems to companies. This policy is notoriously shrouded in secrecy, but the government is generally supportive of vulnerability disclosure in order to ensure that vulnerabilities are not exploited by malicious hackers.

The FBI has found success with this tool, but it doesn’t mean that they are in a place to support vulnerability disclosure. The agency has already made plans to argue that it does not know enough about the hacking tool that it purchased to substantively explain how it works. FBI director James Comey has revealed that his agency spent more than $1 million to obtain the tool.

Article via TechCrunch, 26 April 2016

Photo El FBI no necesita a Apple para desbloquear un iPhone by iphonedigital [Creative Commons Attribution-NonCommercial-NoDerivs]

 


FBI hacks another iPhone, iPod

After all the stink made by the FBI about getting Apple to hack the iPhone, last week the FBI hacked the iPhone themselves. There are still no details on how the FBI was able to complete the hack. Their original request stated that they were in need of Apple’s help in order to avoid permanently erasing the phone. Now that there has been one successful attempt, the FBI is ready to hack again, this time for a murder case happening in Arkansas.

Cody Hiland, a prosecuting attorney in Faulkner County, told the Associated Press on Wednesday that the FBI had approved a request from his office and the Conway Police Department to crack an iPhone and an iPod. The devices belong to two teenagers that are being accused of murder. The day after the FBI announced that they had hacked the San Bernardino shooter’s iPhone without Apple’s assistance, an Arkansas judge agreed to postpone the trial of 18-year-old Hunter Drexler. Prosecutors in this case believe the devices may hold evidence related to the murders last July of Robert and Patricia Cogdell.

The actions of the government may be setting a dangerous precedent. Apple’s concern over hacking their own devices laid not only in their integrity as a company, but the privacy expected by their users. Now that the FBI has hacked the San Bernadino shooter’s iPhone, and helping to do the same for other cases, there will be an expectation that phones and devices will be unlocked for trials in the future. This Arkansas case is not the only request. A Justice Department request to unlock an iPhone linked to an accused drug dealer in New York was denied in February, but the department is appealing that decision.

All of this leaves Apple in a bad position. No company wants their devices hacked, even if it is the government doing so in the name of justice. Since we don’t know how the government unlocked the phone, it is likely that their method may end up being used by hackers and criminals. This would put all iPhones at risk and challenge Apple to continue to prevent decryption attempts in the future without all the knowledge of how these phones are being hacked.

Article via CNET, 30 March 2016

Photo: iPixel by Francis  [Creative Commons Attribution-NonCommercial-NoDerivs]


FBI-Apple showdown ends

Just before a court hearing schedule for Tuesday, the FBI decided to pursue and attack method that would not require Apple’s assistance. This effectively put the FBI’s case on pause, and created an anti-climactic end to the battle between the government and the tech giant over hacking into the San Bernardino shooters iPhone. A U.S. District Court in California ruled that good cause had been shown by the government for the delay and ordered it to file a status report with the court on April 5.

Originally the FBI had wanted Apple to write software that would change the amount of password attempts that could be made before the phone erased itself. Currently, an iPhone will be erased after 10 unsuccessful attempts with the wrong passcode. The FBI stated that it would need Apple’s help to get around this hurdle, but apparently that has changed. This leave many to wonder how to agency might defeat the phone’s security.

“You can always attack the phone while it’s running. There are hundreds of people in the world, if not more, who can do that,” said Rod Schultz, vice president of product at Rubicon Labs.”They can attach a debugger to the device, and modify the instructions that are doing the policy check,” he told TechNewsWorld.

The password also could be recovered through a technique known as NAND mirroring. It requires making a copy of the iPhone’s memory. Then, after 10 wrong password guesses erased the phone’s contents, the memory would be reloaded into the phone and the FBI could take 10 more tries at cracking it. That process would be repeated several times until the FBI was able to hack into the phone. The downside is that it takes a long time, and that is most why the FBI didn’t want to do it.

The is some skepticism about the reasons why the FBI asked for the delay. “Those of us who are watching both the technology arguments and the legal arguments are somewhat skeptical of the claim that the FBI suddenly discovered they could get into the phone,” said Mike Godwin, general counsel and director of innovation policy at the R Street Institute.

“The legal arguments that Apple produced were quite strong,” Godwin told TechNewsWorld. “I think the FBI was worried it was going to lose based on the legal arguments.”

As for Apple, its public stance is that the issue must be settled outside the courts. “Tim Cook has never said Apple will never cooperate with the FBI,” observed R Street’s Godwin.

Article via TechNewsWorld, 23 March 2016

Photo: The Apple – FBI Electronic Encryption Fight RGB Triptych v1.3 by Surian Soosay [Creative Commons Attribution-NonCommercial-NoDerivs]


Obama bans slave products

Last Wednesday President Obama officially placed a ban on goods imported into the United States that are produced by slave labor. He signed a bill that includes a provision that bans imports of fish caught by slaves in Southeast Asia, gold mined by children in Africa and garments sewn by abused women in Bangladesh. This closes a loophole in an 85 year old tariff law that failed to keep slave produced products out of the U.S.

As long as domestic production couldn’t meet demand, the government has turned a blind eye to companies exporting these goods. The bill may be a game changer for U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement, the agencies responsible for preventing goods derived from slavery from entering the country. Last year, an exposé by the Associated Press found Thai companies were shipping seafood into the U.S. that was caught by enslaved workers. As a result of the reports, more than a dozen alleged traffickers were arrested, millions of dollars worth of seafood and vessels seized, and more than 2,000 trapped fishermen have been rescued.

“The old system that leaves the door open to child or slave labor if it’s used to make a product that isn’t made here in the U.S. — that system absolutely must end, and it will,” U.S. Senator Ron Wyden, an Oregon Democrat who spoke against the loophole on the Senate floor, said in a statement.

The legal gap has been in place for so long that politicians who pushed for the change aren’t exactly sure how it will affect businesses cited by human rights groups or the agencies responsible for blocking goods derived from slavery.

“Ending this provision gives those fighting forced labor the confidence they can challenge imports of these products without fear of being undermined by an archaic and outrageous provision of U.S. trade law,”  Keith Chu, a senator who voted for the bill,  said in an e-mail.

Sen. Sherrod Brown, D-Ohio said Wednesday that his office is already asking U.S. Customs and Border Protection to ensure they begin enforcing the new rules when the law takes effect in 15 days. “It’s embarrassing that for 85 years, the United States let products made with forced labor into this country, and closing this loophole gives the U.S. an important tool to fight global slavery”.

 

Article via Mashable, 25 February 2016; Mashable,12 February 2016

Photo: White House Maker Faire (201406180003HQ) by NASA HQ PHOTO  [Creative Commons Attribution-NonCommercial-NoDerivs]


Facebook exec arrested in WhatsApp case

Facebook is becoming the next tech giant to spar with law enforcement over privacy concerns.

Diego Dzodan, a Facebook executive, was arrested by Brazilian federal police on Tuesday for “repeated non-compliance with court orders”, according to a statement released by police. Brazilian police want information from a WhatsApp account that is linked to a drug trafficking investigation. WhatsApp is a messaging service that is used monthly by more than 1.5 billion people worldwide. Dzodan was taken into what the Brazilian police call preventative prison and could be held for a week or more.

Facebook wants to ensure that it maintains the privacy of its users from government intervention. In WhatsApp’s case, the company may not be able to help Brazilian authorities because it does not store users’ messages. In addition, WhatsApp is undergoing increased end to end encryption, which will make it even harder for the company to turn over user data. WhatsApp said in a statement that it disagreed with the Brazilian authorities on the case. “We are disappointed that law enforcement took this extreme step,” the messaging business said. “WhatsApp cannot provide information we do not have.”

Facebook, which bought WhatsApp in 2014 for $19 billion in 2014, condemned the Brazilian government’s move releasing this statement:

“We’re disappointed with the extreme and disproportionate measure of having a Facebook executive escorted to a police station in connection with a case involving WhatsApp, which operates separately from Facebook,” a spokesman said. “Facebook has always been and will be available to address any questions Brazilian authorities may have.”

This isn’t the first time Brazil has gone head to head with WhatsApp. In December, a judge ordered the shutdown of WhatsApp for the country for two days after not complying with a criminal investigation, but the ruling was overturned the next day.

 

Article via CNET, 1 March 2016; The New York Times, 2 March 2016

Photo: WhatsApp / iOS by Álvaro Ibáñez [Creative Commons Attribution-NonCommercial-NoDerivs]


Apple will make iPhone harder to hack

Apple has plans to make their iPhone harder to hack amid the current controversy with the FBI.

The FBI wants Apple to create new firmware that would allow them to hack into encrypted data on an iPhone that belongs to a San Bernardino terrorist. Apple CEO Tim Cook is fighting the request citing the infringement on digital privacy. He also wrote an open letter to explain Apple’s position. Now the company is thinking of taking further steps and prevent passcode-free recovery mode in future iPhones.

The FBIs current request for backdoor access to the iPhone would require Apple to create software that would allow the FBI to bypass security features that prevent hacking. Specifically, the FBI has already looked at an online backup on iCloud of the phone, but they want Apple to disable a security feature that would allow them to have as many tries as possible to unlock the phone. In order to comply, Apple would have to change their operating system to no longer have this feature, which would make millions of iPhone users vulnerable.

As this issue has escalated, Apple is looking to prevent these types of request in the future. When it comes to iCloud security, Apple encrypts its data on its servers but still owns the decryption keys. So if the FBI asks Apple for iCloud data, Apple can decrypt iPhone backups and hand them to the FBI. Now the company is thinking of changing that.

Instead, Apply may give the private keys to the customer, which would remove Apple from being able to decrypt backups. This would mean that future government request for decrypted data would not be possible, but it also means that Apply would not be able to help customers either, since they would not be able to decrypt their backups.

In the Future Apple wants to find a way to limit or do away with DFU (device firmware update) mode. Apple created DFU mode for troubleshooting purposes, such as when your iPhone doesn’t work anymore because of a broken operating system.  If such a big crash happens, Apple lets you boot your iPhone into DFU mode, so that you can reinstall a fresh version of iOS without having to enter a passcode.

DFU mode is at the center of the debate because its current design makes the FBI requests possible, if Apple chooses to make the software changes. You can currently reinstall a new operating system without having to enter a passcode. In fact this is how many jailbreak the iPhone. But, if Apple requires that you enter your passcode to enter into DFU mode, that all changes. Apple would no longer have the ability to create software that lets the government hack into your phone.

In the wake of increasing government request of user data and the revelation of NSA breaches by Snowden, Apple has make it harder to hack iPhones. The tech giant looks to stay that course and increase security for the protection of its customers and their data.

Article via TechCrunch, 25 February 2016

Photo: Tim Cook explica su postura al FBI del caso San Bernardino by iphonedigital [Creative Commons Attribution-NonCommercial-NoDerivs]