When the FBI Has a Phone it Can't Crack, It Calls These Israeli Hackers

Discussion in 'privacy general' started by Dermot7, Oct 31, 2016.

  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,320
    Location:
    Surrey, England.
    By Kim Zetter
    https://theintercept.com/2016/10/31/fbis-go-hackers/
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,140
    I would sure love access to the mathematical paradigm they are using to crack the encryption. It's likely just those 4-6 PIN numbers and they are bypassing the "5 tries and you're deleted" scenario.

    Have any of you ever heard of them opening a forensically bricked laptop with a REAL password, say on LUKS?
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,969
    LOL. Yet another case where the spooks get spooked! Just like Finfisher etc.
     
  6. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,320
    Location:
    Surrey, England.
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here
    https://www.forbes.com/sites/thomas...rnment-can-access-any-apple-iphone-cellebrite
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,699
    Well hey, if I don't have a smartphone, they can't unlock it ;)
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here
    https://threatpost.com/apple-tackles-cellebrite-unlock-claims-sort-of
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Apple weakened their iPhone encryption considerably, two years ago.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,699
    Really? Do you have a cite for that?
     
  13. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    https://thehackernews.com/2016/09/apple-ios10-encryption.html

    Basically what that means is, the earlier algorithm generated 10,000 iterations of the key when you entered the password, which took long enough that a brute force attack was limited to just a few thousand attempts per second.
    The newer one only generates the key once, allowing for several million attempts per second.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,699
    I'm not sure that I understand that. Apple changed from SHA1 hashes to SHA256 hashes, which is a huge improvement in security. But then there's the PBKDF2 aspect. If SHA1 is 10K more secure than SHA256, maybe it's a wash.
     
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Well, the PBKDF2 algorithm is just a way to make the authentication process take longer; you can choose how long it takes by setting the number of iterations. This can vastly increase the resistance to brute force attacks, which depend on testing millions or billions of passwords as fast as possible.
    As far as the security of SHA1 v SHA2 against cryptanalysis, I could be wrong, but as far as I know SHA1 is vulnerable to collisions when used for digitally signing, but I don't think that affects its use in block ciphers; in fact I have a sneaking suspicion it is better than SHA2 in block ciphers.

    So yeah, anyway, regardless of which hash algorithm is used in the cipher, brute force resistance is more important in the context of password cracking. At 6 million per second, dictionary attacks with multi billions of entries take only a few minutes with just a regular desktop PC.
     
    Last edited: Feb 28, 2018
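The iteration-count effect discussed in the posts above, as an added example that is not part of any poster's message. It uses Python's standard `hashlib.pbkdf2_hmac`; the 10,000 and 1 iteration counts and the 6 million per second rate are the figures quoted in the thread, while the 3-billion-entry list size, the function names and the 0.1 s target delay are assumptions made for illustration.

```python
import hashlib
import os
import time

OLD_ITERATIONS = 10_000  # figure quoted in the thread for the earlier scheme
NEW_ITERATIONS = 1       # "only generates the key once"


def derive_key(password: bytes, salt: bytes, iterations: int,
               algo: str = "sha1") -> bytes:
    """PBKDF2-HMAC key derivation; output length is the digest size."""
    return hashlib.pbkdf2_hmac(algo, password, salt, iterations)


def measured_rate(iterations: int, algo: str = "sha1", trials: int = 20) -> float:
    """Derivations per second on this machine for a given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(b"candidate-%d" % i, salt, iterations, algo)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Time to test every entry of a candidate list at a given rate."""
    return candidates / rate


def iterations_for_delay(target_seconds: float, algo: str = "sha256",
                         probe: int = 20_000) -> int:
    """Defender's calibration: iterations needed so one derivation
    costs roughly target_seconds on this hardware."""
    start = time.perf_counter()
    derive_key(b"probe", b"constructed-salt", probe, algo)
    per_iteration = max(time.perf_counter() - start, 1e-9) / probe
    return max(1, int(target_seconds / per_iteration))


if __name__ == "__main__":
    slow = measured_rate(OLD_ITERATIONS)
    fast = measured_rate(NEW_ITERATIONS)
    print(f"{OLD_ITERATIONS} iterations: {slow:,.0f} derivations/s")
    print(f"{NEW_ITERATIONS} iteration:  {fast:,.0f} derivations/s")
    # Constructed list size: 3 billion entries at the thread's 6M/s figure.
    print(f"3e9 entries at 6e6/s: {seconds_to_exhaust(3_000_000_000, 6_000_000):.0f} s")
    print(f"iterations for ~0.1 s per derivation: {iterations_for_delay(0.1):,}")
```

The measured rates are single-threaded CPU numbers from the interpreter, so they show the ratio between the two settings rather than what dedicated hardware achieves.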
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,699
  17. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    253
    By Joseph Cox and Lorenzo Franceschi-Bicchierai (Motherboard)
    Feb 7 2018, 10:04am
    Inside the secretive industry that helps government hackers get around encryption.
     
  18. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    253
    Elcomsoft CEO Vladimir Katalov, referenced in the above article, subsequently stated that the flaw he found was corrected in iOS 10.1 beta then at its general release. Right at this minute, I can only find a reference for this in a response of his at the company site blog (bottom of page––Oct. 31, 2016).
    https://blog.elcomsoft.com/2016/09/...overed-backup-passwords-much-easier-to-break/

    But there is this from Apple's 10.1 security documentation which I assume is the reported issue:
    https://support.apple.com/en-us/HT207271
     
  19. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    A weak hash wasn't the issue. Apple's removal of the PBKDF2 algorithm that slowed down repeated password attempts was the issue.
     
  20. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    253
    @RockLobster
    Now I'm not sure we're talking about the same thing. Side note––as you probably know, Apple can be obtuse in its security documentation. Your and @mirimir's posts reminded me of this issue––back then I looked into it for an iPhone user. I'll pass on the info so they can look into it; thank you both.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here
    https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack
     
  22. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think this is still all about brute forcing the password.
     
  23. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    253
    https://blog.malwarebytes.com/secur...one-unlocker-poses-serious-security-concerns/
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here
    US State Department Buys $15,000 iPhone Hacking Device
    http://news.softpedia.com/news/us-state-department-buys-15-000-iphone-hacking-device-520394.shtml
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    11,056
    Location:
    Here