Cellebrite is not revealing the nature of the Advanced Unlocking Services’ approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite’s attack method may be blocked by an upcoming iOS update, 11.3.
“That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts,” Guido wrote in a message to Ars. “That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue.”
Regardless of the approach, Cellebrite’s method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.
This once again confirms the importance of setting strong, long passwords on iOS devices. Sure, they’re less convenient, but they provide measurably better security.
The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.
If Cellebrite has, indeed, found a way of compromising all iOS devices, then they’ve accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or from their own software or hardware research. Assuming Cellebrite’s claims are legitimate, they serve to underscore the position that governments shouldn’t introduce backdoors or vulnerabilities into devices, given that doing so will only exacerbate the existing problems associated with securing devices. Security is designed to add friction, not to totally prevent an unauthorized party’s actions, and deliberately reducing such friction will put all users at greater jeopardy.
I’ve been putting a lot of thought into how to structure my life, not just on a day to day basis, but with the intent of accomplishing something meaningful this year. Some of that relates to personal projects I want to pull off. But perhaps the most important thing I want to do this year is develop a really boring habit.
Mike Vardy wrote about his intent to improve his personal fitness this year. His description of past attempts to become fit, and how that differs from his current behaviours, resonated with me. He wrote:
When I was trying to achieve a “body for life” before, I was single and doing it mainly to improve my physique for any potential ladies that I may wind up dating. I wasn’t really doing it for myself.
In contrast, this time he’s doing:
it for myself — and my family. My wife deserves to have a husband who’s in decent shape, and my kids deserve to have a father who can keep up with them. When my youngest turns thirteen, I’ll be fifty. I want to be able to roughhouse with him at that age and not feel it for weeks afterward. I’d also like to give myself the best shot at seeing my kids’ grandkids. Without exercise and proper diet, that just ain’t going to happen
In the past I tried to become more fit by taking it to the extreme. I also felt I had to hide what I was doing to avoid recriminations from family and people I lived with. I exercised when no one was around, or up, and hid the fact I was going on long, challenging walks to avoid all kinds of hurtful commentary: getting fit was something that people were bemused about, at best, and openly mocked, at worst. I don’t have that kind of negative energy around me now and, instead, I have the support of people I love.
I don’t know that my motives are quite the same as Mike’s: I’m not a father, and don’t intend to become one, nor am I doing this because I think someone else deserves my body in one format or another. No, I’m doing this purely because I would like to be in a situation where I can just say ‘sure, let’s climb that mountain’ and get going. I want to be able to hop on a bike and cycle across one of Canada’s smaller provinces because it would be neat to take that ride. And, more importantly, I want regular, active exercise to become so routine that it’s a normal, established, and boring part of my life.
During Apple’s February earnings call, Tim Cook was asked whether, and if so how, the company had considered how its battery replacement program might affect replacement rates. The implication was that the replacements might reduce the likelihood that consumers would upgrade to new devices, on the grounds that some upgrades had historically taken place because people bought new phones after their old ones slowed down or their batteries no longer provided adequate charge to get through a day. Cook responded that Apple:
did not consider in any way, shape, or form what it would do to upgrade rates. We did it because we thought it was the right thing to do for our customers. I don’t know what effect it will have for our customers. It was not in our thought process of deciding to do what we’ve done.
This is a great answer. Though I do suspect that the battery replacement program will delay some upgrades, I don’t know that such a delay would be inherently bad for the company. Jason Snell wrote that the iPhone 8 — not the X — was a really amazing phone for most people, because they tended to be coming from devices that were released two or more years ago. As a result, people coming from iPhone 6, 6s, and 5s devices didn’t just get the updates of the iPhone 8 but also all the updates that came to the iPhone 7 and, in some cases, the iPhone 6s.
In effect, people who waited three or more years to update ended up being wowed by all of the features in the new iPhone. These are everyday users who really do use words like ‘magic’ and literally utter ‘wow’ when things happen. They laugh with joy when Siri just does something right, or they have calendar items automatically added from their mail. These are the everyday consumers that Apple is making its money from.
These normal users are the ones that are going to be blown away whenever they do an upgrade, and are going to be especially appreciative of all the incremental updates that take place in the extra year they might delay an upgrade. They’re going to talk to their friends and family and co-workers. They might also talk about how the battery situation sucked while, simultaneously, mentioning how no other company offers a similar replacement program. Probably the only equivalent they’ll be able to think of was Samsung’s global recall of devices that were literally exploding in people’s hands.
Quotation of the Week
“By retreating into ourselves, it looks as if we are the enemies of others, but our solitary moments are in reality a homage to the richness of social existence. Unless we’ve had time alone, we can’t be who we would like to be around our fellow humans. We won’t have original opinions. We won’t have lively and authentic perspectives. We’ll be – in the wrong way – a bit like everyone else.”
Matt Green has a good writeup of the confusion associated with Apple’s decision to relocate Chinese users’ data to data centres in China. He notes:
Unfortunately, the problem with Apple’s disclosure of its China news is, well, really just a version of the same problem that’s existed with Apple’s entire approach to iCloud.
Where Apple provides overwhelming detail about their best security systems (file encryption, iOS, iMessage), they provide distressingly little technical detail about the weaker links like iCloud encryption. We know that Apple can access and even hand over iCloud backups to law enforcement. But what about Apple’s partners? What about keychain data? How is this information protected? Who knows.
This vague approach to security might make it easier for Apple to brush off the security impact of changes like the recent China news (“look, no backdoors!”). But it also confuses the picture, and calls into doubt any future technical security improvements that Apple might be planning to make in the future. For example, this article from 2016 claims that Apple is planning stronger overall encryption for iCloud. Are those plans scrapped? And if not, will those plans fly in the new Chinese version of iCloud? Will there be two technically different versions of iCloud? Who even knows?
And at the end of the day, if Apple can’t trust us enough to explain how their systems work, then maybe we shouldn’t trust them either.
Apple is regarded as providing incredibly secure devices to the public. But as more and more of the data on Apple devices is offloaded to Apple-controlled cloud services, it’s imperative that the company both explain how it is securing that data and, moreover, the specific situations under which it can disclose data it is stewarding for its users.
I was excited about the idea of the Apple HomePod, but the more I learn about it, the less it seems to make sense for my home. I only use one set of speakers — connected to my TV — for the Apple TV as well as the PlayStation 4.[1] But it seems like I can’t hook my TV itself up to the HomePod? And if that’s the case, then I’d just have another speaker in my house not doing anything particularly novel or special.
[1] OK, and a crappy Bluetooth speaker in the bathroom for podcasts while showering.
iOS is still incredibly janky. Since updating to iOS 11 I’ve had to periodically do full device resets in order to stop podcasts from trying (and failing) to download in perpetuity; there’s no other way I’ve found to stop the process and, if I don’t, the battery drain rate is approximately 10-15% per hour when the device is just sitting idle. And on a device that only has wireless service (no mobile data connection), I have to turn the wireless radios off and on about once per week to get Siri to actually take requests. Without a doubt this version of iOS is the worst I’ve ever had to muddle through…
The constraint on the Move goal is my rest days. I don’t do yoga on Tuesdays or Thursdays. Instead, I cook, usually in big enough portions that I can use the leftovers for lunch the next day. The relevant thing here is that cooking takes time; I can’t work out and cook at the same time. Without rest days, I hardly cook at all, which means I spend more money on takeout, which is generally worse for me than the foods I prepare myself.
The Apple Watch doesn’t care about any of this. Rest days are the limiting factor on my ability to hit my Move goal — while I easily hit 700 calories by the Watch’s measure on my workout days, I move a lot less when I take time off from working out. But rest days are crucial for exercise: they let your body recover. Without recovery, you don’t get the strength you’re trying to build, and you place yourself at risk for overuse injuries.
At times I remind myself of what Blahnik said: this is a minimum. You’re supposed to beat it. This reminder makes me feel worse, not better. I stop letting the Watch set my Move goal. It is too unkind to me.
The Move goal is adjustable — I can lower it at any time — but there’s no way to program the Watch to consistently honor my rest days. I just have to manually lower the goal for that day, and then raise it for the next one. Unfortunately, this requires too much of my attention. I have actual things to do that are more important than manually telling my fitness app to let me rest, so mostly I forget to do it until it’s too late. Even when I remember, I wind up with a different problem: I forget to reset the Watch to a higher Move goal the next day. I spent one week being psyched that I hit my goal only to discover that I had only hit the lowered goal.
In my case, it drives me nuts that if I’m sick for a few days my fitness streaks go to hell. Or, if I’m travelling and can’t move as much as normal because I’m stuck in a flying coffin for 6-16 hours, I get penalized. It’s a serious failing of the current iterations of the software, though also a failing that Apple or other companies could correct if they just invested the time and energy. Maybe they could talk to real or normal users of their technologies?