1. The Topic of the Month for October is "Make this the Perfect Bugout Location". Please join the discussion in the TOTM forum.

Upgrade Your iPhone Passcode to Defeat the FBI’s Backdoor Strategy

Discussion in 'Technical' started by melbo, Feb 24, 2016.

  1. melbo

    melbo Hunter Gatherer Administrator Founding Member

    On February 17th 2016, APPLE CEO TIM COOK published an open letter opposing a court order to build the FBI a “backdoor” for the iPhone.

    Cook wrote that the backdoor, which removes limitations on how often an attacker can incorrectly guess an iPhone passcode, would set a dangerous precedent and “would have the potential to unlock any iPhone in someone’s physical possession,” even though in this instance, the FBI is seeking to unlock a single iPhone belonging to one of the killers in a 14-victim mass shooting spree in San Bernardino, California, in December.

    It’s true that ordering Apple to develop the backdoor will fundamentally undermine iPhone security, as Cook and other digital security advocates have argued. But it’s possible for individual iPhone users to protect themselves from government snooping by setting strong passcodes on their phones — passcodes the FBI would not be able to unlock even if it gets its iPhone backdoor.

    The technical details of how the iPhone encrypts data, and how the FBI might circumvent this protection, are complex and convoluted, and are being thoroughly explored elsewhere on the internet. What I’m going to focus on here is how ordinary iPhone users can protect themselves.

    The short version: If you’re worried about governments trying to access your phone, set your iPhone up with a random, 11-digit numeric passcode. What follows is an explanation of why that will protect you and how to actually do it.

    If it sounds outlandish to worry about government agents trying to crack into your phone, consider that when you travel internationally, agents at the airport or other border crossings can seize, search, and temporarily retain your digital devices — even without any grounds for suspicion. And while a local police officer can’t search your iPhone without a warrant, cops have used their own digital devices to get search warrants within 15 minutes, as a Supreme Court opinion recently noted.

    The most obvious way to try and crack into your iPhone, and what the FBI is trying to do in the San Bernardino case, is to simply run through every possible passcode until the correct one is discovered and the phone is unlocked. This is known as a “brute force” attack.

    For example, let’s say you set a six-digit passcode on your iPhone. There are 10 possibilities for each digit in a numbers-based passcode, and so there are 106, or 1 million, possible combinations for a six-digit passcode as a whole. It is trivial for a computer to generate all of these possible codes. The difficulty comes in trying to test them.

    One obstacle to testing all possible passcodes is that the iPhone intentionally slows down after you guess wrong a few times. An attacker can try four incorrect passcodes before she’s forced to wait one minute. If she continues to guess wrong, the time delay increases to five minutes, 15 minutes, and finally one hour. There’s even a setting to erase all data on the iPhone after 10 wrong guesses.

    This is where the FBI’s requested backdoor comes into play. The FBI is demanding that Apple create a special version of the iPhone’s operating system, iOS, that removes the time delays and ignores the data erasure setting. The FBI could install this malicious software on the San Bernardino killer’s iPhone, brute force the passcode, unlock the phone, and access all of its data. And that process could hypothetically be repeated on anyone else’s iPhone.

    (There’s also speculation that the government could make Apple alter the operation of a piece of iPhone hardware known as the Secure Enclave; for the purposes of this article, I assume the protections offered by this hardware, which would slow an attacker down even more, are not in place.)

    Even if the FBI gets its way and can clear away iPhone safeguards against passcode guessing, it faces another obstacle, one that should help keep it from cracking passcodes of, say, 11 digits: It can only test potential passcodes for your iPhone using the iPhone itself; the FBI can’t use a supercomputer or a cluster of iPhones to speed up the guessing process. That’s because iPhone models, at least as far back as May 2012, have come with a Unique ID (UID) embedded in the device hardware. Each iPhone has a different UID fused to the phone, and, by design, no one can read it and copy it to another computer. The iPhone can only be unlocked when the owner’s passcode is combined with the the UID to derive an encryption key.

    So the FBI is stuck using your iPhone to test passcodes. And it turns out that your iPhone is kind of slow at that: iPhones intentionally encrypt data in such a way that they must spend about 80 milliseconds doing the math needed to test a passcode, according to Apple. That limits them to testing 12.5 passcode guesses per second, which means that guessing a six-digit passcode would take, at most, just over 22 hours.

    You can calculate the time for that task simply by dividing the 1 million possible six-digit passcodes by 12.5 per seconds. That’s 80,000 seconds, or 1,333 minutes, or 22 hours. But the attacker doesn’t have to try each passcode; she can stop when she finds one that successfully unlocks the device. On average, it will only take 11 hours for that to happen.

    But the FBI would be happy to spend mere hours cracking your iPhone. What if you use a longer passcode? Here’s how long the FBI would need:
    • seven-digit passcodes will take up to 9.2 days, and on average 4.6 days, to crack
    • eight-digit passcodes will take up to three months, and on average 46 days, to crack
    • nine-digit passcodes will take up to 2.5 years, and on average 1.2 years, to crack
    • 10-digit passcodes will take up to 25 years, and on average 12.6 years, to crack
    • 11-digit passcodes will take up to 253 years, and on average 127 years, to crack
    • 12-digit passcodes will take up to 2,536 years, and on average 1,268 years, to crack
    • 13-digit passcodes will take up to 25,367 years, and on average 12,683 years, to crack
    It’s important to note that these estimates only apply to truly random passcodes. If you choose a passcode by stringing together dates, phone numbers, social security numbers, or anything else that’s at all predictable, the attacker might try guessing those first, and might crack your 11-digit passcode in a very short amount of time. So make sure your passcode is random, even if this means it takes extra time to memorize it. (Memorizing that many digits might seem daunting, but if you’re older than, say, 29, there was probably a time when you memorized several phone numbers that you dialed on a regular basis.)

    Nerd tip: If you’re using a Mac or Linux, you can securely generate a random 11-digit passcode by opening the Terminal app and typing this command:
    python -c 'from random import SystemRandom as r; print(r().randint(0,10**11-1))'
    It’s also important to note that we’re assuming the FBI, or some other government agency, has not found a flaw in Apple’s security architecture that would allow them to test passcodes on their own computers or at a rate faster than 80 milliseconds per passcode.

    Once you’ve created a new 11-digit passcode, you can start using it by opening the Settings app, selecting “Touch ID & Passcode,” and entering your old passcode if prompted. Then, if you have an existing passcode, select “Change passcode” and enter your old passcode. If you do not have an existing passcode, and are setting one for the first time, click “Turn passcode on.”

    Then, in all cases, click “Passcode options,” select “Custom numeric code,” and then enter your new passcode.

    By choosing a strong passcode, the FBI shouldn’t be able to unlock your encrypted phone, even if it installs a backdoored version of iOS on it. Not unless it has hundreds of years to spare.

    Upgrade Your iPhone Passcode to Defeat the FBI’s Backdoor Strategy
    Last edited: Feb 24, 2016
  2. T. Riley

    T. Riley Monkey+++ Site Supporter++

    I do not understand why law obeying citizens worry about the FBI getting into their phone. Personally I don't give a damn. Move along now, nothing to see. If I needed that level of privacy I damn sure would not use any phone or the internet. Nor do I understand the objection of any red blooded conservative American to the FBI forcing Apple to unlock that one phone used by a DEAD Muslim who killed 14 innocent people. I write software for a living and I never included any security feature in my software I did not know how to defeat when I included it, and neither did Apple. It's all a publicity stunt by Apple and more Americans may die because of it.
    AD1 likes this.
  3. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    I applaud Apple (I don't own any of their products) for their stand.
    Use of technology shouldn't be giving up ones right to privacy.
    Just because one uses encrypting or maintain privacy from prying eyes doesn't mean it's illegal.
    Homer Simpson and Cruisin Sloth like this.
  4. Tikka

    Tikka Monkey+++

    The terrorist didn't own the phone; the county owned the phone. The owner of the phone requested Apple to unlock it and they refused.
    When they refused the rightful owner; I changed my opinion to publicity stunt.
    AD1 likes this.
  5. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

  6. Tikka

    Tikka Monkey+++

    Then all the droning is a waste of our time.

    As every article I've read stated the county reset the phone which is the standard procedure at most corporations. The media needs to make up what they call their mind.

    As usual, there are so many differing stories. At this point in time, I don't believe Apple, the FBI or the media. To be honest, I never did in the first place.
    AD1 and VisuTrac like this.
  7. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    The truth is out there but it's probably been erased or munged up pretty good by now.
  8. Tikka

    Tikka Monkey+++

    The media and the players stand in the way of that ever happening.
  9. stg58

    stg58 Monkey+++ Site Supporter+ Founding Member

    Then there is the debate on which is more secure Android or iOS it has been written that the barbarians prefer Android but the wild card with Android is the hardware it is loaded on and if the Android OS has been modified by the hardware manufacturer.
    Since Apple controls iOS and the hardware I would lean towards Apple..
  10. Tikka

    Tikka Monkey+++

    "The FBI has admitted that a reset of the San Bernardino shooter’s iCloud passcode was done with the agency’s consent in the days following the terror attack at the Inland Regional Center that left 14 people dead.

    Apple said that had the passcode to Syed Farook’s iPhone not been reset, the company would have been able to initiate a backup of the phone’s data to its associated iCloud account in order to retrieve its contents. However, with the passcode on the phone no longer matching the one on iCloud, the only remaining option is the decryption of the phone itself."

    My problem is I'm confused. :)
  11. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    Drapes and Curtains no longer match.
    No one knows who the daddy is.
    But freedom loving individuals will eventually pay for the folly.
    Homer Simpson likes this.
  12. Tikka

    Tikka Monkey+++

    Well said!

    In a sea of liars, the truth will not be found.
  13. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    seriously though.
    If you are using technology you should encrypt every chance you get.
    Over-write multiple times when you want to delete something (delete the file, fill up device with new useless stuff, erase that, repeat a couple of times .. prevents original file from being retrieved)

    Technology is great but it will also be the down fall of many an individual
  14. BTPost

    BTPost Old Fart Snow Monkey Moderator

    Just an NOTE, here: Apple did advise the FBI, and worked with them, to deal with this iPhone, but the County made the easy Hack Path unworkable, when they reset the AppleID on the Account. The County ALSO paid for, a optional Management Package that if Implemented, completely, would have given the County, COMPLETE Control over this iPhone. HOWEVER they never implemented the complete Management Package, that they PAID FOR, and left off the part that would have given the Compete Control, over the iPhone. So now tell us ALL, Just who is at Fault, for NOT being able to access the Data on this iPhone? The County? The FBI? or Apple? For you folks that RAIL against Apple, for giving their Users, the ability to SECURE, their Data.... Then be the First one, on your Block, to Open up your Phones, Computers, Mail, Bank Records, and Health Records, to the .GOV, with NO Restrictions... You can do it today, All by yourself... as you say, "You have nothing to HIDE, So what is stopping you...."

    As for Me, and MY House, We will keep our Data, Locked UP, and Encrypted, and Keep our Messaging, and Comms, SECURE, with the best available Hardware and Software..... Why do you think I worked so hard on MonkeyNet, along with some of the Brightest Monkeys, on the Site, and made that Technology, available to ANYONE, who feels the Need for TOTALLY SECURE Comms??? My family uses it, and we do so because it is our RIGHT....
    Homer Simpson and VisuTrac like this.
  15. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    Plus post naked pics of themselves and their family members and take down their window coverings. ;)
    BTPost likes this.
  16. ghrit

    ghrit Ambulatory anachronism Administrator Founding Member

    While you're all discussing Apple's stand on privacy, take note that Gates has come out and stated that Apple is wrong, and a backdoor should be made and loaded. Think on that while you are enjoying all the things that W10 does for you, and how easily it does it.
  17. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    Oh I've got no expectation on privacy on my windows boxes, nor the internet in general.
    I figure some day, the chickens will come home to roost. Come what may, at this point, it's out there and if they wanted to twist it about, they could probably find a court and make it stick, it's not like our legislators are rescinding any laws. I'm sure there are a bunch I don't know about that I've broken.
  18. ghrit

    ghrit Ambulatory anachronism Administrator Founding Member

    Knew that about you ---.o_O Me neither.:cool:
  19. BTPost

    BTPost Old Fart Snow Monkey Moderator

    Ghrit, that is why my Windoz Computers are ALL Virtual Machines that run as Applications on my iMac, and MacBooks, are only XP Software, and rarely if ever connect to the Internet, even as Virtual Machines.... Way to many "nasties" floating around out there, to trust a MicroSquash Box, to be naked, on the Internet... even behind firewalls and MULTIPLE Routers, with Packet Sniffing...
  20. DarkLight

    DarkLight I self identify as a Blackhawk Attack Helicopter! Site Supporter

    Two words:
    Microsoft, PRISM

    Microsoft was reportedly one of the first "signatories" to PRISM. When we as a company had a pow-wow with them in early 2014, I asked them point blank about that. The response was to direct me to their website about security. I pushed them and they started making noises about how they don't release this, that or the other thing. I pushed again and asked, in effect, if anyone in the room had the authority or even the desire to assure me that a) Microsoft was not involved with PRISM and b) they implemented technology to prevent the US Government from ever accessing any of their cloud systems and data.

    Half way through the conversation, every person who had been involved in the two day conference started showing up, real casual like. Kind of a show of force. We (the company I work for) went from a 1:1 ratio of "us vs. them" to being outnumbered 4 to 1. Not like they could or would do anything but it was really weird.

    After I pushed that last time, they said that they couldn't go into that and asked to move to a different topic as there was nothing to be gained from further discussion.

    Prior to that, however, they claimed (falsely) that they had never lost a court case against the government to reveal customer data. I say falsely because at that time, they had already lost the first case and the first appeal. While they hadn't given up the data, they had in fact lost twice. The concerning thing was that the case is about data in Ireland. This bit was just an interesting diversion though because I already knew they were lying to us about losing.

    Point being, Microsoft is more than happy to hand over whatever the government asks for and I seriously have less than zero doubt that Windows 10 is designed specifically to aid in that "sharing".
    melbo likes this.
survivalmonkey SSL seal        survivalmonkey.com warrant canary