Apple Deluged By Police Demands To Decrypt iPhones 239
New submitter ukemike points out an article at CNET reporting on a how there's a "waiting list" for Apple to decypt iPhones seized by various law enforcement agencies. This suggests two important issues: first, that Apple is apparently both capable of and willing to help with these requests, and second, that there are too many of them for the company to process as they come in. From the article:
"Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year.
An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, 'contacted Apple to obtain assistance in unlocking the device,' U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was 'placed on a waiting list by the company.' A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he "attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock' an iPhone 4S. But after each police agency responded by saying they 'did not have the forensic capability,' Maynard resorted to asking Cupertino. Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months."
Re:Is Apple being compensated? (Score:4, Insightful)
You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
It is irrelevant how much Apple spends to operate that backdoor.
Re:Is Apple being compensated? (Score:5, Insightful)
Re:Is Apple being compensated? (Score:4, Insightful)
You're kidding, right? The real issue is that Apple has a backdoor to decrypt its customers' private information. That is outrageous.
It would be, were that the case. But it's all but certainly not. There's no way Apple would put an actual back door into their products.
If you had read the article, you'd notice that the process takes four months. If they had a back door, it would take a few minutes. Also, had you read the article, you'd notice that Google will reset the password and send that to law enforcement.
But I'm sure that's not outrageous. Lol!
It is irrelevant how much Apple spends to operate that backdoor.
That's true, but only if there was an actual back door.
However, in all fairness, if you have proper evidence that Apple has a back door, I'll be right there with you. That would be wholly unacceptable.
Re:Is Apple being compensated? (Score:2, Insightful)
My complaint is that the police can fuck right off if they want to decrypt anything on mine.
Re:Is Apple being compensated? (Score:5, Insightful)
No, the backlog is 4 months. Nobody knows how long actual decryption takes, but the nature of these things is that it will either be minutes or thousands of years with a supercomputer dedicated to the task. Apple claims [apple.com] that it uses AES with a 128 bit key, so if they can unlock it that quickly they MUST have a backdoor to the encryption key.
This is absolute proof that they have your encryption key on file somewhere. Others have already verified that they do indeed use AES 128.
To cover themselves legally Apple will have to evaluate every request that comes in, handle the evidence securely (maintaining the chain of custody) and then handle the potentially sensitive and illegal decrypted data in a way that doesn't expose its staff. It's no wonder there is a backlog.
Re:How ? (Score:5, Insightful)
Until now, there is no way to safeguard our secret stored in i-Device from the prying eyes of Apple Inc
If you want something kept secret, you're a fool if you put it on your phone.
Re:Is Apple being compensated? (Score:5, Insightful)
You understand that in this case the police HAD a warrant. What's your complaint?
That encryption is not encryption if Apple can "undo" it.
Re:How ? (Score:4, Insightful)
Not at all if the computer (I don't know why so many call modern hand-held computers phones since they are not very phone-like) is using strong and trustworthy encryption which you control. I don't know the details in this case (Slashdot is seldom trustworthy), but if anyone except you can decrypt it using something other than brute force then the encryption is certainly not trustworthy. If that's the case then putting secrets on this computer that you call phone is absolutely a terrible idea, but I see very little problem with it if it's actually good encryption.
Re:Is Apple being compensated? (Score:4, Insightful)
You can crack the 4 digit lock screen in like 2-4 minutes.
Once you can access the encrypted contents, it's all a matter of brute forcing. It's made a bit harder because trying each key takes substantial amount of time, but with ten thousand keys as you said it is no problem. You can use more digits, or a password with keys and laters. About 8 truly random digits and characters should make it unbreakable.
You're commenting on forensics without knowing how to do forensics with a computer or electronic device. Please stahp.
The limitations of the device or OS are pointless. You wont key in 10,000 passcodes because you never do forensics on the devices themselves (in case of booby traps and to maintain data integrity and prevent the suspicion that the forensic examiner tampered with the data) you always do forensics on an image of the device's OS. This is easy to get off Android using FastBoot, I'm certain Iphones will have something similar. Then you simply run up the image with an emulator and crack away to your hearts content. If you're really in a hurry, you set up multiple emulators and crack them in parallel.
So I have no doubt that a 4 digit passcode can be broken very quickly (2-4 minutes is not an unfair estimate if they've used a common 4 digit passcode like 1234 or 9876 and you'd be surprised how many people do this, but I think it would be about 1-2 hours).
An 8 digit random passcode is far, oh so very far from being unbreakable it's not funny.