FBI breaks into iPhone of San Bernardino shooter without Apple's help

Kind of new this was gonna happen given the help they were getting.

Any device that encrypts data in a 'secret' manner must have the encryption key stored locally. Any system, such as a website that encrypts traffic between two points, shares a key between those points.

If the key is local, as in the case of a phone, then all it takes is sorting through the memory of the device to find the key. Easy sounding, hard to do. But because the key is local, then it's retrievable. That's the same way DVD and Bluray encryption were broken.

The method that many think they are using to break the phone is to make a virtual copy of the phone, and brute force the thousands of possible passwords. Then they can either replace the bit of code that would 'brick' the phone with code that won't brick the phone, or restore another virtual copy of the phone's memory and keep trying.

The really brute force approach is to shave the back of the integrated circuit off (or use acid if it's ceramic), put probes on the chip and find the place the password is stored. But that's generally for custom made or ASIC chips.

FBI: We need back door access to an IPhone.
Apple: We can't give you access to the phone in question.
FBI: Sure you can, we will make request in Federal Court Tim Cook will fight it, after months of grandstanding the FBI will announce they were able to access the phone without Apple's help and drop the case. In the end Apple wins as it's great public relations fighting to protect consumers privacy.
Apple: Deal!

Nope. RSA and Microsoft have had keys stored on external devices for around ten years now.

Bitlocker can use a USB to store the encryption key separate from the computer that is encrypted and I use that method to secure my important stuff at home.

Nope. RSA and Microsoft have had keys stored on external devices for around ten years now.

Bitlocker can use a USB to store the encryption key separate from the computer that is encrypted and I use that method to secure my important stuff at home.

'Device' in the sense of a phone. It has to be able to retrieve the key at will, and there is no guarantee of external or remote storage. No sane developer would ever assume that the key could be stored off the device on a mobile phone, because then there is always the chance of not being able to retrieve it.

Oh, did I just imply there were sane developers?

On smart phones my agency uses a Field Force Management (FFM) application that recovers the key from our servers if the phone is enabled in our environment. If it isn't then any attempt to access a network with the phone wipes it clean.

The downside is that you can't open these phones when they're out of range.

The San Bernardino shooter's agency has the same FFM app but they had not deployed it at the time of the shooting.

Betcha' they have now.

I've heard of that app. Sounds like a decent tool.

I've got encryption on both my Blackberries. 10 bad passwords, and they give up the magic blue smoke. Plus I can remote wipe them.

But my screen background is a note on how to return the phone to me in exchange for a $100 bill. For 12 hours only, then the phone is a paperweight.

I'm paranoid on security. If my phone ever gets lost I don't want it back.

The Trojan Horse wasn't a fairy tale.

Everyone who works in security is. Occupational hazard.

The worst part is, we limit ourselves because we don't want to appear too paranoid, yet we know we are only just skating by and hoping for a lucky break.

Now I see stories that the FBI say they are perfectly willing to go to court to get all players in the tech industry to remove encryption - and on the same fucking page, the FBI is warning us that internet connected cars are a security risk! Sorry boys and girls, you can't have it both ways!

Yep. The next car we buy I already have plans to sanitize all the cell phone, WLAN, and Bluetooth from it. No way in hell am I risking that.

Hehe, I read another article today and thought of you and that exact situation. Volvo wants to move away from keys and FOBs all together, and just put an app on your smart phone to control the car! You can then text people, and give them the ability to drive your car for a period.

What could possibly go wrong?

http://www.gizmag.com/volvo-keyless-acc ... one/41909/

Yet another reason why I won't be buying one of the new Chinese-made Volvos.