Security Flaw Allowed The FBI To Create The iPhone Cracking Software

Apple vs the FBI looks liked it would never end, originally starting with the FBI requesting (and then a federal judge ordering) Apple’s support in unlocking and gaining access to an iPhone in a court case. Apple looked to defend itself and ultimately the FBI recalled its actions when it received support from an outside party. It has now been revealed how the tool used by the FBI gained access to the iPhone through the use of a security flaw.

The security flaw, one that was previously unknown to Apple, allowed the creation of a tool to crack the four digit pin used to protect the phone from 10 failed attempts to gain access to a phone. The group that provided the tool to the government was a group of “grey hat” hackers who actively seek out flaws in software to then sell on to groups such as the government.

The exposed flaw affects both the iPhone 5 and iOS 9 iPhones, and may not affect work on newer versions of both iPhones and the iOS operating system. With FBI director James B. Comey saying that they may or may not disclose the security flaw to Apple, but with the latest leak revealing where they need to focus, Apple may now fix the problem before others are able to exploit it.

DOJ Appealing Order Found in Favor of Apple

Apple is everywhere in the news these days. From the rumoured features of their next generation of phones to the courtrooms. In a case that recently came to light in New York, the judge ruled that Apple could not be forced to unlock an iPhone by the All Writs Act. This didn’t sit well with the DOJ who are now appealing the order.

The case in New York features another iPhone, again locked by a passcode. Repeatedly trying different passcode risks the data on the phone, thanks to a security measure put in place that states when you fail to put in the passcode 10 times, it will erase the phone. With so many combinations, the FBI are looking to enlist Apple’s help to type in passcodes through software, without the data being erased.

I say looking to enlist, but the act used (the All Writs Act) has been deemed as some as an order from a judge where no legal precedent is available for the request. A judge in New York recently ruled that Apple couldn’t be forced to remove these settings or extract the data by use of the All Writs Act.

The DOJ don’t seem happy though with this ruling, asking the court to review the decision by the Magistrate Judge, with the hopes that they can get the iPhone unlocked and the continued in a similar fashion to the one currently taking place in California.

Apple and FBI Go Before Congress In Privacy Talks

Apple vs the FBI has been and looks to be, one of the biggest legal debates of 2016 with large groups like Microsoft even speaking out in defence of the iPhone developer in their bid to stop what they call a “dangerous precedent” from being set. The discussion has gone to a higher power with both parties now presenting their discussions to Congress.

Apple’s general counsel, Bruce Sewell, started with an opening point that has been used in every discussion since. Forcing Apple to unlock, or create software that lets the government bypass security, would do nothing but set a troubling precedent for the entire tech industry. In his opening remarks, Sewell said, “building that software tool would not affect just one iPhone. It would weaken the security for all of them”.

The big surprise came when FBI director James Comey agreed in part with this statement. “Sure, potentially. Any decision of a course about a matter is potentially useful to other courts”, these comments come just days after it was revealed that a New York judge had ruled that same act could not force Apple to unlock an iPhone.

The big surprise is that this response from Corney is different to those given previously by the FBI, who have claimed it was never about a precedent and they just wanted this one phone unlocked.

The conversations are just starting and soon governments and companies alike could be looking at new ways of handling encryption, either together or in hopes of protecting people from the other party.

Man Arrested for Not Giving Border Agents His Phone Passcode

When Quebec resident Alain Philippon arrived at Halifax Stanfield International Airport in Canada, he was stopped by border agents as he departed his flight from the Dominican Republic. When agents requested his phone passcode to search the device, he refused and was then “arrested under section 153.1 of the Customs Act for hindering.”

Question is, was he really hindering or was he simply protecting his own privacy. Did the agents have the right to search the device in the first place? For me personally, I have nothing to hide on my phone, but I’d still rather refuse it be searched for no apparent reason, much in the same way I don’t feel I should have to give out my pin number or email password.

A border agency spokeswoman told CNET: “The Customs Act (s99) authorizes officers to examine all goods and conveyances including electronic devices, such as cell phones and laptops.” She explained that the potential punishment for Philippon is a minimum fine of $1000 and a maximum fine of $25,000 and could include possible jail time.

Handing over your device is one thing, but giving someone your passwords is another issue. Where this sits with the law remains to be seen and Philippon will be in court on May 12th over the issue.

In the US, handing over your passcode could be deemed self-incrimination, something that the Fifth Amendment exists to protect you from. How something similar could apply to this case, could have lasting repercussions on how border agents handle their searches of our devices in the future.

Apple Interested in Automatic iPhone Unlocking Technology

Apple is reportedly working on a new technology that gives iPhone smartphone owners the chance to automatically unlock their devices when they are at home or in the office – and the feature will also make sure the device automatically locks when out of “safe” range.

The system can identify iPhone location and smartphone owners are able to designate specific locations where the phone can be unlocked.  If implemented, the need for a passcode or fingerprint to unlock the phone is no longer required, giving users a rather interesting manner for security.

Here is what the patent notes:

“Because some locations may be inherently more secure, such as a user’s home or office, these locations may be considered ‘safe’ and require less stringent security.  Conversely, some locations may be considered higher risk or ‘unsecure.’  In these locations, it can be desirable to implement stronger security protections.”

Location can be based on mobile phone signal, GPS, Bluetooth, Wi-Fi or determining location to other smartphones in the same area.

The increase in theft and loss of smartphones has led to new security technologies aimed at helping keep devices secure – and this is just a natural evolution of that practice.

Thank you to The Guardian for providing us with this information

Image courtesy of iMore

Australian Apple Devices Get Hijacked Using ‘Find My iPhone’ Feature

Apple’s Find My iPhone feature is one of the most important features of the company’s security, having the ability to find, lock and even erase and iPhone, iPad, iPod or Mac’s data in case it is stolen or lost. However, what would happen if it would somehow got ‘hijacked’? Some Apple users from Australia might have an idea on that now since their devices were hijacked by a hacker or a group of hackers.

The hacker (or group of hackers), no details confirming the number or identity has been officially confirmed, locked the devices using Apple’s own Find My iPhone feature and held them for ransom having set a PayPal account to transfer the money in order to regain access to the devices.

What is known about the individual(s) is that he/they go by the name of “Oleg Pliss”. The ransom amount varied from $50 to $100 and the instructions were quite clear, to transfer the named amount of money to the PayPal account displayed in the message. Fortunately, users who have set a passcode on their accounts were able to regain access to it quickly due to the fact that nobody can add or change a passcode on a device that already has one.

Less fortunate users however had to deal directly with Apple Support and solve their hijacking problems. The reports indicate that the incident occurred only in Australia, though there are some reports indicating similar issues in New Zealand and the UK.

The exact method of hacking has not yet been confirmed, though it is believed that it has something to do with users recycling the same passwords captured in other internet breaches.

Either way, Apple users have been recommended to change their passwords to a more unique combination or even enable the two-factor authentication and set passcodes on all of their devices.

Thank you Endgadget for providing us with this information
Image courtesy of Endgadget

Apple Exploit Can Disable ‘Find my Phone’ and Have Your Device Erased On Firmware 7.0.4

It appears that yet another bug cropped up in Apple’s latest iPhone iOS 7 firmware. The latest finding apparently lets you bypass the user password and deactivate the Find my Phone feature, hiding it from the iCloud.com page on which you can effectively track its location in case of losing it or having it stolen.

It is reported that replicating the bug is simple enough, and that repeated attempts were successful, according to MacRumors. The exploit was found on the current 7.0.4 firmware and can be performed by making a few changes to the iCloud account menu as shown in the video below.

[youtube]http://www.youtube.com/watch?v=QnPk4RRWjic#t=268[/youtube]

MacRumor reported to have replicated the exploit on firmware 7.0.4, but could not replicated it on the upcoming 7.1 firmware, leading to the possibility of it being fixed in the upcoming firmware release. To be noted is that the exploit can disable Find my Phone and have the iOS device erased, but it will not bypass Apple’s Activation Lock theft deterrent system. The handset will still be rendered unusable since it will always ask for the Apple account password for every action, such as downloading an app.

It is also noted that the exploit works on devices that do not have Touch ID or Passcode enabled, therefore it is recommended to enable at least the Passcode on your handsets if you do not own an iPhone 5s, at least until the iOS 7.1 firmware gets released and the exploit fixed.

Thank you MacRumors for providing us with this information
Video courtesy of MacRumors