John McAfee Reveals How He'd Crack An iPhone
March 1, 2016 9:21 PM

Yeah, that technique might work for the DOS version of Leisure Suit Larry. Not for an iPhone.
posted by RobotVoodooPower at 9:27 PM on March 1, 2016 [24 favorites]


What he's proposing isn't just wrong; it's not even in the same zip code as the truth.

Much to the surprise of exactly no one.
posted by CheeseDigestsAll at 9:30 PM on March 1, 2016 [13 favorites]


At least he's not doing too bad in his presidential primary.
posted by Apocryphon at 9:33 PM on March 1, 2016


Is he dropping one on the floor? Please tell me he's dropping his iPhone on the floor.
posted by a lungful of dragon at 9:34 PM on March 1, 2016 [4 favorites]


Is he dropping one on the floor? Please tell me he's dropping his iPhone on the floor.

The information is inside the iPhone!
posted by nathan_teske at 9:36 PM on March 1, 2016 [18 favorites]


Dude designed one shitty antivirus program 25 years ago, sold the company and appears to have lived solely on a diet of LSD ever since. But sure, he's still up to date on the forefront of computer forensics and encryption.
posted by T.D. Strange at 9:42 PM on March 1, 2016 [31 favorites]


Now I'll probably lose my admission to the world hackers' community, however, I'm gonna tell you. You need a hardware engineer and a software engineer. The hardware engineer takes the phone apart and it [sic] copies the instruction set, which is the iOS and applications [sic] and your memory, and then you run a piece, a program called a disassembler which takes all the ones and zeroes and gives you readable instructions. Then, the coder sits down and he reads through, and what he's looking for is the first access to the keypad, because that's the first thing you're doing when you input your pad. It'll take half an hour. When you see that, then you reads the instruction for where in memory this secret code is stored. It is that trivial. A half an hour.

I think he might have been high when he said this.
posted by iffthen at 10:00 PM on March 1, 2016 [21 favorites]


Isn't this pretty much the plot of the first few episodes of Halt and Catch Fire, where they copy IBM's BIOS? I've been watching that on streaming too!
posted by Eyebrows McGee at 10:02 PM on March 1, 2016 [3 favorites]


Following these instructions, one can totally hack the Gibson AND play an early Protovision copy of Global Thermonuclear War.
posted by fifteen schnitzengruben is my limit at 10:05 PM on March 1, 2016 [12 favorites]


Cracking an iPhone would be easier than uninstalling McAfee Antivirus.
posted by klarck at 10:07 PM on March 1, 2016 [60 favorites]


Things used to be this way.

Apple changed them, and is changing them further. That's where the fear is coming from. Even if they can crack today's phones, the time is coming where they won't be able to crack tomorrow's. Thus the need for the precedent, now.
posted by effugas at 10:09 PM on March 1, 2016 [10 favorites]


Previously
posted by a lungful of dragon at 10:12 PM on March 1, 2016


Is he 14?
posted by ctmf at 10:17 PM on March 1, 2016 [3 favorites]


I think he might have been high when he said this.

The probability of that being false at any given time seems rather small.
posted by Halloween Jack at 10:18 PM on March 1, 2016 [11 favorites]


It's really amazing how you can see the stupidity in people's eyes. Like Werner Herzog describing a bear.
posted by cmoj at 10:29 PM on March 1, 2016 [3 favorites]


I just… wow. McAfee's plan is basically one step more realistic than "open the phone up with a screwdriver and then get some tweezers and a magnifying glass to hunt around for the passcode."
posted by DoctorFedora at 10:30 PM on March 1, 2016 [8 favorites]


I think he might have been high when he said this.

Yeah, probably when he said this too
posted by Doleful Creature at 10:31 PM on March 1, 2016 [5 favorites]


In other news, Cryptography Pioneers Win Turing Award:

Mr. Diffie and Mr. Hellman have long been political activists. Mr. Hellman has focused on the threat that nuclear weapons pose to humanity, and he said in an interview he would use his share of the prize money to pursue work related to the nuclear threat. He said he also planned to write a new book with his wife on peace and sustainability.

Mr. Diffie, who has spent his career working on computer security at telecommunications firms and at the Silicon Valley pioneer Sun Microsystems, has been an outspoken advocate for the protection of personal privacy in the digital age.

He said in an interview that he plans to do more to document the history of the field he helped to create. “This will free me to spend more of my time on cryptographic history, which is urgent because the people are quickly dying off,” Mr. Diffie said.

posted by a lungful of dragon at 10:41 PM on March 1, 2016 [12 favorites]


Scanning the headline I thought I read "John McPhee" and wondered what iPhones had in common with birch bark canoes.
posted by mr vino at 12:08 AM on March 2, 2016 [13 favorites]


Wait? McAfee's not in jail? What? The last I heard he was sniffing bath salts in the Guatemalan jungle while on the run from Belize authorities - not running for president and appearing on Russian TV. Oh geez, where the hell have I been?
posted by hoodrich at 12:10 AM on March 2, 2016 [25 favorites]


I think the Government knows that if they tried to put John McAfee in jail he'd break out. No problem. He showed them how to break the iPhone's security, no mere prison could hold him.

I have loved every interview with McAfee. The one with The Setup that Doleful Creature links to is so great and feels so utterly unreal. I'm pretty sure it was done over email but I would have loved to have seen the person who saw the reply, opened it, read it for the first time, and then had to check to see if their coffee was spiked with something.
posted by Neronomius at 12:33 AM on March 2, 2016 [4 favorites]


I don't know why people are saying it's drivel. I used to crack Commodore 64 programs with much the same method when I was a teenager, so unless computers and software have changed dramatically in the last 30 years it should still work.
posted by lastobelus at 12:38 AM on March 2, 2016 [68 favorites]


This is just the plot summary of an episode of CSI: Cyber, right?
posted by destrius at 12:54 AM on March 2, 2016 [7 favorites]


I don't know why people are saying it's drivel. I used to crack Commodore 64 programs with much the same method when I was a teenager, so unless computers and software have changed dramatically in the last 30 years it should still work.

You know what they say - if there's one thing that never changes it's computers and software.
posted by atoxyl at 1:40 AM on March 2, 2016 [30 favorites]


"These are forward-compatible, right?"
posted by DoctorFedora at 1:48 AM on March 2, 2016 [3 favorites]


OK, hang on.

Yes, computers used to be like McAfee describes. And yes, iPhones aren't. But he's absolutely right that the vast majority of real world environments work as he described, even when they totally claim not to. There's a tremendous amount of "secure in the absence of an attacker" garbage out there -- basically, all DRM. It really is only iDevices that are taking advantage of the central lie of computers (that there's just one computer, not a small network of mutually trusting or distrusting components) to create a new foundational level of security.
posted by effugas at 2:08 AM on March 2, 2016 [7 favorites]


Yeah, that technique might work for the DOS version of Leisure Suit Larry.

Is he a suspect? Because I never completely trusted that guy.
posted by fairmettle at 2:24 AM on March 2, 2016 [4 favorites]


If I had this guy in an interview, I wouldn't waste time asking him how to crack an iPhone, I'd demand to know how I get McAfee off my desktop. Like actually, totally, off, not reminding me at every opportunity that my computer is not protected etc. etc.
posted by If only I had a penguin... at 4:00 AM on March 2, 2016 [2 favorites]


John McAfee hears you, penguin.
posted by Harald74 at 4:23 AM on March 2, 2016 [3 favorites]


But he's absolutely right that the vast majority of real world environments work as he described, even when they totally claim not to.

Don't the vast majority of environments use salted password hashing? McAfee is suggesting he should find the PIN stored as plaintext.
posted by 256 at 4:47 AM on March 2, 2016 [1 favorite]


Don't the vast majority of environments use salted password hashing? McAfee is suggesting he should find the PIN stored as plaintext.

First real-world example that comes to mind: Ever try to find a stored wifi password on an Android phone? It's in plaintext.
posted by Shmuel510 at 6:24 AM on March 2, 2016


Yeah, but that's the password to something else. It's not the password to the phone!
posted by explosion at 6:32 AM on March 2, 2016 [1 favorite]


unless computers and software have changed dramatically in the last 30 years it should still work.


I'm guessing you've still got that Commodore and are browsing via Lynx right now, or the new mefi gopher?
posted by spitbull at 6:35 AM on March 2, 2016 [1 favorite]


Pffft. Wifi passcodes in consumer use are not secure a thousand ways to Christmas, and getting physical access to a phone is unlikely to be a significantly important extra compromise route for that purpose. Technically, yeah, storing that in plain is unsatis, but it doesn't add much to the threat surface.

I had to crack a locked-down Win10 computer recently, which had no known passwords and was most unwilling to co-operate with booting from a USB key. I am not a practising security chap, and the last time I did this was many years ago, but it took me approx ten minutes with Google and a gleam in my eye to shuck that sucker like an oyster.

Consumer grade security is just not very good very often, for lots of reasons that have little to do with the available technology. McAfee - surely now Trump's pick for head of the NSA - probably knows this in some corner of whatever protoplasmic octopoid has evicted his brain, and heck, he knew how to do this shit back in the day.

The only thing that separates him from many of the tech pundits who go on the box is that he didn't bother to check in with Professor Google before blowing his mouth off. Ten minutes, John! That's all it takes!
posted by Devonian at 6:39 AM on March 2, 2016 [1 favorite]


John,

I had missed your interview on The Setup. In case you missed it while in the jungle, Hunter Thompson is dead (and did this shtick better).

Call me.

sudogeek
posted by sudogeek at 6:52 AM on March 2, 2016


You might have better luck sprinkling the cocaine directly on the iPhone.
posted by TheWhiteSkull at 6:58 AM on March 2, 2016 [3 favorites]


Cracked's take on McAfee, from 2013 (#1). Sometimes I feel like Jeannie Bueller; how the HELL does he get away with all that?!
posted by Melismata at 7:16 AM on March 2, 2016 [1 favorite]


I know next-to-nothing about computer security, so when I read McAfee's proposed technique I had no idea whether it would work or not. But even I knew right away that what he's suggesting has nothing to do with "social engineering," so just the lack of consistency between the first interview and the second one sets off the bullshit alarms.
posted by layceepee at 7:56 AM on March 2, 2016 [1 favorite]


I met McAfee last year at a software conference. He was very intense. Lots of ideas that were out there. He wanted to create a new branch of the military staffed by super hackers which he seems to think all look like the girl with the dragon tattoo. He also wants to get rid of the TSA, but to avoid increasing unemployment we would just pay the TSA people to stay home. Instead we'd have armed guards on every flight and permit open carry.
posted by humanfont at 8:02 AM on March 2, 2016 [2 favorites]


I had to crack a locked-down Win10 computer recently, [...] it took me approx ten minutes with Google and a gleam in my eye to shuck that sucker like an oyster.

How does that work? Was it using BitLocker full disk encryption?
posted by The arrows are too fast at 8:03 AM on March 2, 2016


What wine goes best with shoe, red or white?
posted by tommasz at 8:16 AM on March 2, 2016


White goes well with sole.
posted by mccarty.tim at 9:35 AM on March 2, 2016 [5 favorites]


To crack the security system McAfee thinks he's dealing with, which is definitely not the one actually used on the iPhone, one wouldn't need the pass code to be stored in plain text, or even in encrypted form. You would just need to find the compare and branch part of the code, where wrong entries jump to one routine and correct entries jump to the one that gains entry. Once you find that you modify it to always branch to the "right" routine no matter what the entry is. This is how I used to get around those parallel port hardware keys back when I knew how computers worked.
Of course, having the pass code be part of the data encryption key, which is how the iPhone security *actually* works, makes that much much more difficult.
posted by rocket88 at 9:52 AM on March 2, 2016 [3 favorites]


My name is John McAfee. I have spent my entire life (I am currently 68) developing security and privacy software systems...

This is true. His anti-virus software was obviously coded by a new born infant.
posted by Splunge at 10:36 AM on March 2, 2016 [5 favorites]


It really is only iDevices that are taking advantage of the central lie of computers (that there's just one computer, not a small network of mutually trusting or distrusting components) to create a new foundational level of security.

This ties into the discussion the other day about the glibc DNS bug. Where failure to account for this lie reduced security in the case of glibc, deliberately accounting for it increases security in the case of iDevices. I find that interesting, even if it's just an argument for not burying your head in the sand, or something.

(As an aside, as more obvious flaws get ironed out, I suspect computer security will trend toward a similar situation to the airline industry - things are only vulnerable/at risk when lots of different parts of the system go wrong at once.)
posted by iffthen at 10:49 AM on March 2, 2016


I have spent my entire life (I am currently 68) developing security and privacy software systems

This is true. His anti-virus software was obviously coded by a new born infant.


:)

A little more seriously, he spent a few years being entrepreneurial and developing something that only marginally improves security at best, and appears to have spent the remaining years getting high.

I think he might have been high when he said this.

The probability of that being false at any given time seems rather small


Yeah, it was a pretty safe comment :o)
posted by iffthen at 10:53 AM on March 2, 2016


The only reason his proposed method is unworkable is due to code signing being enforced on iDevices. That signing can often be bypassed, though. That is precisely what jailbreaking does. The idea here is that rather than altering the firmware to allow unsigned code to run, you alter it to think that any passcode is correct.

As others have pointed out, that won't work (now, it would have a version or two ago) thanks to the PIN/passcode being used to generate the full disk encryption key. A key which is, supposedly, not stored on the device, but instead generated from the pass code every time the phone boots when the user enters it.

Point being, McAfee isn't completely BSing here, he just isn't completely up to date on what security mechanisms Apple has implemented. (They are nowhere near the first, by the way. TiVo was doing this in the early-to-mid-2000s, starting with the Series2. Nokia started using code signing with secure boot on their Series60 devices starting with S60v3 around 2005 or 2006.)

PCs started having the necessary hardware back in the late 2000s. (That's one of the things the TPM chip can be used for)
posted by wierdo at 11:14 AM on March 2, 2016 [1 favorite]


To be fair, "TPM" is nowhere near as cool a name as "Secure Enclave".
posted by flabdablet at 11:35 AM on March 2, 2016 [1 favorite]


I think he might have been high when he said this.

He appeared to be awake, yes.
posted by bongo_x at 12:02 PM on March 2, 2016 [7 favorites]


Point being, McAfee isn't completely BSing here, he just isn't completely up to date on what security mechanisms Apple has implemented.

Well yeah, but both his method and what Apple is doing to make his method no longer work (or at least a vague gist of it -- like most in my field I only pay enough attention to the whole issue to ensure I'm recommending/following current best practices) are fairly common knowledge amongst pretty much the entire IT field, and that he somehow failed to know this, or worse, failed to at least vaguely understand the implications, is what makes us think he's kookoo.

Not to say there aren't possible clever ways around it that some hacker might invent, of course.

By the way is Apple exposing this mechanism yet? It would be cool if there was a library for using this for web apps, so that the server gets certain columns encrypted, never sees unencrypted data, and client JS (un)encrypts using the ephemeral key.
posted by lastobelus at 12:28 PM on March 2, 2016


How does that work? Was it using BitLocker full disk encryption?

No, and that's really my point. It was supposed to have been secured so that it wasn't usefully recoverable in the event that 'legitimate' (ie, known password) access was lost, and you can do that easily enough. But that hadn't been done, although I think the people who set it up thought it had.

Apple's major sin in the eyes of the FBI and friends isn't that it has created strong encryption, or even made it widely available. It's that it's engineered the default state to use the good stuff. I don't know your average criminal, let alone terrorist, but if they're anything like the average user with security concerns the major flaw in the armour they don isn't the technology nor the availability of the technology, it's that it's easy to configure it wrongly or overlook something important - even if you do try quite hard to parse the information available and set things up right. That's what the security services et al rely on, and Apple's approach - where you can't get it wrong, because the system works hard to enforce security on your behalf - is anathema.
posted by Devonian at 1:04 PM on March 2, 2016 [4 favorites]


Trump/ McAfee 201.... ugh, nevermind
posted by not_the_water at 1:16 PM on March 2, 2016


If you can bypass the code signing on the device, you can upload software that disables the password-guess limit and lets you brute-force the PIN. Might take a while if it's alphanumeric but it probably isn't. The FBI wants Apple to sign an update that does that, so they don't have to go to the effort of finding an exploit that bypasses code-signing. An actual cracker could maybe pull it off without Apple's help, if they can find an exploit.

My understanding is even this won't work on the newer iPhones because the guess-limit is enforced by a separate chip that's hardened against attack, so an ordinary system update won't do it.
posted by BungaDunga at 1:44 PM on March 2, 2016


By the way is Apple exposing this mechanism yet? It would be cool if there was a library for using this for web apps, so that the server gets certain columns encrypted, never sees unencrypted data, and client JS (un)encrypts using the ephemeral key.
posted by lastobelus
There are js crypto libraries that decrypt data from the server, and use a client-side secret to create the full private key. I'm pretty sure Spider Oak (a Dropbox-like service with better privacy) and Lastpass do that to some extent.

However, it's not the ideal crypto platform by any stretch. JavaScript in the browser is prone to tampering, since extensions are essentially rootkits. It's only an okay idea if there's a guarantee against man in the middle attacks, which is why HTTPS is so important. And this is also why passwords are usually sent as plaintext POST fields, because JavaScript crypto is unlikely to add much security that you don't already get from the secure channel. And you'd need to make sure the encryption works on all browsers, and decide how to handle clients with disabled JavaScript. Basically, it's hard to trust client side JavaScript, and easier to trust HTTPS, which makes it fairly redundant. The big exception is where you don't trust the server owners with your data, which is where you see Lastpass.
posted by mccarty.tim at 2:48 PM on March 2, 2016 [1 favorite]


I'm curious if this is his plan B, since he first said social engineering. Plan A has me curious. Was he going to walk into the Apple Store with the iPhone and say, "Hi, I'm having trouble getting the encryption hardware, on this, my personal phone, to dump its private keys. You'll help, won't you?"
posted by mccarty.tim at 2:53 PM on March 2, 2016


My understanding is that the phone in question is a 5C which would not have the Secure Enclave in a separate micro kernel and all the hardware isolation that this entails. I'm curious how this all gets protected at the software layer and why it isn't vulnerable to some kind of clone and crack approach.
posted by humanfont at 3:16 PM on March 2, 2016 [1 favorite]


PCs started having the necessary hardware back in the late 2000s. (That's one of the things the TPM chip can be used for)

Yes and no. They try to accomplish the same goals but it's not really the same thing. Apple put a secure AES engine in the DMA path. This makes it near invulnerable to a cold boot style sideband attack like you'd see with Bitlocker and a TPM chip. Because it locks the disk with the OS going to sleep it removes the various sideband attacks that you see with OPAL 2.0 SED SSDs. Also the key is never resident in RAM so you can't use a Thunderbolt or Firewire DMA attack which will see Bitlocker happily give up the key.

PC security is like a fucking sieve to the FBI.
posted by Talez at 4:05 PM on March 2, 2016 [2 favorites]


On rereading the docs, the AES engine is present on the 5C and the UID used as part of the key can't be read directly (in theory).
posted by humanfont at 5:07 PM on March 2, 2016 [2 favorites]
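Added example (not from any commenter, and not Apple's code) contrasting the two designs rocket88, wierdo and humanfont discuss above: a "compare and branch" gate that merely decides whether to hand over data, versus a scheme where the passcode is entangled with a per-device secret to derive the data key, so there is no branch worth flipping and a cloned flash image is useless without the device. DEVICE_UID, KDF_ITERATIONS and the HMAC-SHA256 counter-mode keystream are constructed stand-ins for illustration (the real design uses an AES engine with a hardware-held UID); only the Python standard library is used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins: a per-device secret that never leaves the silicon
# (the "UID" in the thread) and a work factor for the passcode KDF. Not real
# values from any device.
DEVICE_UID = bytes.fromhex("a5" * 32)
KDF_ITERATIONS = 100_000


# --- Pattern 1: the gate McAfee's method targets -------------------------
def gate_unlock(entered: str, stored_passcode: str, secret_data: bytes) -> Optional[bytes]:
    """The secret sits in storage and a comparison decides whether to hand it
    over. The data is recoverable by anyone who can read storage or flip the
    branch below; the passcode protects nothing cryptographically."""
    if entered == stored_passcode:
        return secret_data
    return None


# --- Pattern 2: the passcode is an input to the data key ------------------
def derive_key(passcode: str, device_uid: bytes) -> bytes:
    """Entangle the passcode with the device secret. A copy of the encrypted
    data cannot be brute-forced off-device without the UID, and the UID alone
    is not enough without the passcode."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid,
                               KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF keystream (HMAC-SHA256 in counter mode); stands in for
    the hardware AES engine so the example runs with the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag binding nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def kdf_unlock(entered: str, device_uid: bytes, blob: bytes) -> Optional[bytes]:
    """Unlock by deriving the key from the entered passcode and the device
    secret. There is no stored passcode to find and no accept/reject branch
    to patch: a wrong guess simply yields a key that cannot open the data."""
    try:
        return decrypt(derive_key(entered, device_uid), blob)
    except ValueError:
        return None


if __name__ == "__main__":
    secret = b"constructed sample: contact list"
    print("gate, correct:", gate_unlock("1234", "1234", secret))
    print("gate, wrong:  ", gate_unlock("0000", "1234", secret))
    blob = encrypt(derive_key("1234", DEVICE_UID), secret)
    print("kdf, correct: ", kdf_unlock("1234", DEVICE_UID, blob))
    print("kdf, wrong:   ", kdf_unlock("0000", DEVICE_UID, blob))
    # A cloned image tried on hardware with a different UID gets nowhere,
    # even with the right passcode.
    print("kdf, cloned:  ", kdf_unlock("1234", bytes(32), blob))
```

The point of the second pattern is that the only place a guess can be tested is on the device holding the UID, which is exactly what makes the attempt counter and back-off that later comments describe meaningful.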


Another thing to pick up on:

That's where the fear is coming from. Even if they can crack today's phones, the time is coming where they won't be able to crack tomorrow's. Thus the need for the precedent, now.

I agree, with a twist. I bet the NSA already has ways to get into properly secured iPhones, but the FBI generally pursues things that end up in court, so they need a way to plausibly parallel-construct. The FBI is also widely viewed as the most technically incompetent of the big US intel agencies, so I wouldn't be surprised if they're leaning more and more on the NSA. (I think there are documents floating around that show the FBI has been doing that already in various drug cases, but I have to rush out and don't have time to find a link.)
posted by iffthen at 5:12 PM on March 2, 2016


What he's suggesting would work on phones, say, 10 years ago.

I say this, because I did this to a moto v360 phone 10 years ago, using only their dev tools. (Specifically, the "seem editor"). It was a snap.

It's entirely plausible that Mr. McAfee has been living off the grid for the last 10 years, given his crazypants escapades in South America that have been making news.
posted by habeebtc at 7:00 PM on March 2, 2016 [1 favorite]


Don't the vast majority of environments use salted password hashing? McAfee is suggesting he should find the PIN stored as plaintext.

Even an 8 digit PIN only has 10000000 (~2^23) possibilities. That cracks instantly. You can get maybe another ten or eleven bits of security with key stretching (scrypt etc) but past that you're talking seconds to unlock the phone.

And that's 8 digit PINs. The reality is offline attacks screw you. Which is why Apple went to online defense -- you get ten tries, and that's it.
posted by effugas at 7:45 PM on March 2, 2016 [1 favorite]


So if I'm reading this correctly you basically take iOS.exe and rename it iOS.txt and open it up in Notepad and change the "Security Lock=On" line to "Security Lock=Off", then save it and change the name back to iOS.exe and run it and it's fine.

Hit me up on mIRC, FBI, I chill in all the big channels.
posted by turbid dahlia at 8:25 PM on March 2, 2016 [7 favorites]


And that's 8 digit PINs. The reality is offline attacks screw you. Which is why Apple went to online defense -- you get ten tries, and that's it.

Not just an online defense. There's a user-imperceptible delay and a back-off period built into the process. At one hour per guess it'll take 114,155 years to brute force an 8 digit PIN.
posted by Talez at 4:22 AM on March 3, 2016 [1 favorite]
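Added example (my own, not from effugas or Talez) that puts numbers on the offline-versus-online argument in the two comments above: the keyspace and bit strength of an all-digit PIN, worst-case time for an offline attacker who can copy the data and test guesses at hardware speed (with and without key stretching), and the same attack when every guess has to go through the device and pay a per-attempt delay or hit a hard attempt limit. The guess rates and the escalating back-off schedule are constructed inputs, not Apple's documented values.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def pin_keyspace(digits: int) -> int:
    """Number of distinct all-numeric passcodes of the given length."""
    return 10 ** digits


def pin_entropy_bits(digits: int) -> float:
    """Passcode strength in bits: log2 of the keyspace."""
    return math.log2(pin_keyspace(digits))


def offline_crack_seconds(digits: int, guesses_per_second: float,
                          stretch_iterations: int = 1) -> float:
    """Worst-case time to try every PIN when the encrypted data (and whatever
    key material it depends on) can be copied off the device. Key stretching
    multiplies the cost of each guess but cannot enlarge the keyspace."""
    return pin_keyspace(digits) * stretch_iterations / guesses_per_second


def online_crack_years(digits: int, seconds_per_guess: float) -> float:
    """Worst-case time when every guess must go through the device and the
    device enforces a fixed delay per attempt."""
    return pin_keyspace(digits) * seconds_per_guess / SECONDS_PER_YEAR


def lockout_success_probability(digits: int, max_attempts: int) -> float:
    """Chance of hitting a uniformly random PIN before a hard attempt limit
    (for example, a wipe after ten failures) ends the attack."""
    return min(1.0, max_attempts / pin_keyspace(digits))


# Constructed escalating back-off: (failed attempt number, delay in seconds
# imposed after that failure). Illustrative only; not a real device schedule.
BACKOFF_SCHEDULE = [(5, 60), (6, 300), (7, 900), (8, 900), (9, 3600)]


def backoff_seconds_for_attempts(attempts: int, schedule=BACKOFF_SCHEDULE,
                                 final_delay: float = 3600.0) -> float:
    """Total enforced waiting time for `attempts` consecutive failures.
    Failures beyond the end of the schedule each cost final_delay."""
    delays = dict(schedule)
    last_scheduled = max(n for n, _ in schedule)
    total = 0.0
    for n in range(1, attempts + 1):
        if n in delays:
            total += delays[n]
        elif n > last_scheduled:
            total += final_delay
    return total


if __name__ == "__main__":
    # Constructed attacker model: 1e9 guesses/s offline, PBKDF-style
    # stretching of 2**11 iterations, one hour per guess online.
    for d in (4, 6, 8):
        print(f"{d}-digit PIN: {pin_keyspace(d):>12,} keys, "
              f"{pin_entropy_bits(d):5.1f} bits, "
              f"offline {offline_crack_seconds(d, 1e9):.3g}s plain / "
              f"{offline_crack_seconds(d, 1e9, 2**11):.3g}s stretched, "
              f"online @1h/guess {online_crack_years(d, 3600):,.0f} years, "
              f"P(success in 10 tries) {lockout_success_probability(d, 10):.2e}")
    print("wait after 9 failures:", backoff_seconds_for_attempts(9), "s")
```

Run as written it prints one row per PIN length; the rows make the comment's point directly: stretching buys an offline attacker's victim a few bits, while forcing every guess through a rate-limited device turns seconds into years, and a hard attempt limit turns the problem into a lottery the attacker almost always loses.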


Manufacturers trying to prevent unauthorized code from running on their systems dates at least as far back as the original NES patent in 1986, though methods have advanced as technology has advanced. I doubt Tivo was the first to sign code, though they did cause the GPL to be advanced to version 3 at some level.
posted by fragmede at 1:09 PM on March 3, 2016


In case you thought this whole thing wasn't stupid enough.

of course that really seems like all the more reason to not unlock the phone
posted by ckape at 6:40 PM on March 3, 2016 [1 favorite]


TiVo was the first mass market consumer hardware to use a signed firmware, kernel, and userspace image, that I am aware of. There were kernel bugs in the first several versions that allowed one to bypass the userspace signing without replacing any hardware, though.

You basically had to use the signed kernel to boot an unsigned kernel (silly TiVo didn't turn off the option that allows a Linux kernel to load another Linux kernel) that didn't check the userspace signature.

It would be a lot tougher on an iPhone since the user can't get a copy of the source, though. Either way, there is an extremely high chance that the NSA has Apple's private key anyway. That's not to say the FBI does or that NSA is going to let on that they have such things. I think iffthen is probably onto something with the idea this is more about parallel construction than an actual inability to get the data. Otherwise the request would be in the form of an NSL and Apple wouldn't be legally able to talk about it.
posted by wierdo at 5:08 PM on March 4, 2016


My understanding is even this won't work on the newer iPhones because the guess-limit is enforced by a separate chip that's hardened against attack, so an ordinary system update won't do it.

That component is also updatable, as proven by a change in behavior (I think the retry time increments) in the 6 series in the last year. So there's been some speculation that if Apple were forced to do this here there'd be a possible avenue for them to accomplish it with this component as well.
posted by phearlez at 1:20 PM on March 5, 2016

