iPhone spyware lets police log suspects' passcodes when cracking doesn't work
https://www.nbcnews.com/tech/security/iphone-spyware-lets-cops-log-suspects-passcodes-when-cracking-doesn-n1209296
@voltronic ^ I'm wondering that too.
@john_b
For example, in normal circumstances when you plug in a locked iPhone to a Mac or PC, what happens?
Android phones (at least all the ones I've used) will show a storage device and assign it a drive letter, but it will not mount until the phone is unlocked and you press "allow".
@voltronic Yep, all my experience is with Android, and it's exactly as you describe.
Debugging connections also don't work until you unlock the phone and allow the host to connect.
@john_b
I can confirm, from my years of rooting and playing around with alternative OSes.
Interesting stuff here. The whole idea of the trusted/paired accessory thing seems a really odd choice in the context of increasing USB security.
https://blog.elcomsoft.com/2019/09/usb-restricted-mode-in-ios-13-apple-vs-graykey-round-two/
@voltronic @john_b Do you consult? My company, Obsidian Intelligence, is manufacturing a new encrypted phone. We are just getting our first test models with the custom Qualcomm chip we designed in a few weeks; it would be interesting to see what you could uncover to help us identify attack vectors and fix them before we go into production.
@voltronic @john_b Finding good people is so hard right now, the struggle is real. Appreciate you being honest though!
@killabit I'm always interested in new phones (particularly those which aim to prioritize encryption and security) but I'm afraid that I wouldn't really be qualified for probing at the hardware level.
@john_b @voltronic I'm gonna hit up MG when we get closer to production, but man, people are getting gobbled up so fast right now, it's crazy; the cyber security sector just added 750,000 jobs.
@killabit
I'd be interested in learning more about your company and the secure phone you are manufacturing if you can point me to some resources. I'm not finding any /active/ websites for your company or your phone, but I did find its name. I won't post it here if you're not ready to announce it.
@voltronic @john_b We are still in stealth mode, but not for much longer. Building out the operations internally while dealing with manufacturing and making sure there is no interdiction from manufacturing to us is tiring and complex; the site and public-facing stuff can wait for now... There is the proof-of-concept site I can show you, but the hardware has drastically changed since we connected with the right people to get a manufacturing contract. The velocity increase business-wise was intense.
@voltronic Okay now that I've actually read the article I'm even *more* baffled on how this could be effective against a reasonably-secured OS. This isn't just pulling data off of a cache, but also requires actually installing software on the phone without user authentication. That shouldn't be possible, period.
@john_b @voltronic Oh this kind of thing works. It's an ancient technique. It's just another way of brute-forcing a password. But, it will fail if your device is properly secured with 2-factor authentication or other methods. Fortunately for cops, most people haven't a clue when it comes to security.
Hold up: first, an iPhone will go into infinite lockout after a sufficient number of failed passcode attempts.
Second, you simply cannot install software onto an iPhone that you can't unlock.
Tell me how this "works" in light of these facts, because I can't see it.
Do you actually have evidence of that happening, aside from anecdotes that basically emanate from Graykey?
Me, I don't think most cops have a clue when it comes to computer security.
Well, if I just search for "sasquatch" or "adrenochrome vampires" or "antigravity", I can find "quite a few articles stating this is a thing".
The fact is that either GreyKey seems to be full of shit, or Apple is full of shit, and I saw plenty of permanently-disabled devices when I was repairing them.
@mcfate @voltronic @john_b Cops usually don't have a clue, but security companies do. I've seen a Graykey box in operation. It's kludgy and it takes forever, but I've seen it eventually get there twice. I've also seen it fail as many times.
See, that's where I'm thinking this is at. I'd bet its overall success-to-failure ratio is minuscule, and certainly far out of proportion for what people pay for this thing.
@mcfate @voltronic @john_b I don't know what it's selling for currently, but it was in kissing distance of five figures when they were showing it off at law enforcement security shows.
I feel confident it's at least 80% a scam.
@mcfate @voltronic @john_b NO bet. I know several police departments, usually the ones with someone who had a security clue, who declined to buy it.
^
"For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device. Law enforcement can then use the passcode to unlock the phone and extract all the data stored on it."