Security

[VIDEO] The video embedded in the main Loop post is purported to show a Cellebrite police kiosk, used to unlock cell phones. Here’s a link to the Cellebrite Kiosk product page. Indeed, does appear to be one and the same, even though the Scotland Police page does not specifically mention the name Cellebrite.

Though the phone in the video appears to have a USB-C connector, Cellebrite does claim to be able to unlock both Android and iOS devices (iOS 7 to iOS 12.3).

Reuters:

Apple Inc dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

And:

The tech giant’s reversal, about two years ago, has not previously been reported. It shows how much Apple has been willing to help U.S. law enforcement and intelligence agencies, despite taking a harder line in high-profile legal disputes with the government and casting itself as a defender of its customers’ information.

And:

When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan.

“Legal killed it, for reasons you can imagine,” another former Apple employee said he was told, without any specific mention of why the plan was dropped or if the FBI was a factor in the decision.

Because this story is about a decision made several years ago, it’s not clear that Apple will ever comment on it. But it’s another piece of the big picture of how Apple handles your privacy, how they respond to requests from the FBI, et al, to hand over information about seized phones.

9to5Google:

Last year, Google announced that all Android 7+ devices can be used as two-factor authentication when signing into Gmail, Drive, and other first-party services. Most modern iPhones can now be used as a built-in phone security key for Google apps.

And:

A built-in phone security key differs from the Google Prompt, though both essentially share the same UI. The latter push-based approach is found in the Google Search app and Gmail, while today’s announcement is more akin to a physical USB-C/Lightning key in terms of being resistant to phishing attempts and verifying who you are. Your phone security key needs to be physically near (within Bluetooth range) the device that wants to log-in. The login prompt is not just being sent over an internet connection.

Feels like a step in the right direction, a tool to help stop SIM-swapping. Ultimately, I’d love all my log-in services to offer a setting that limited logins to Face ID only, with Face ID required to change that setting as well.

The op-ed is a long, logical walkthrough of the claims by Attorney General Barr and the counterclaim on the values of both privacy and encryption.

But at its heart:

Apple is no doubt looking out for its commercial interests, and privacy is one of its selling points. But its encryption and security protections also have significant social and public benefits. Encryption has become more important as individuals store and transmit more personal information on their phones — including bank accounts and health records — amid increasing cyber-espionage.

Criminals communicate over encrypted platforms, but encryption protects all users including business executives, journalists, politicians, and dissenters in non-democratic societies. Any special key that Apple created for the U.S. government to unlock iPhones would also be exploitable by bad actors.

If American tech companies offer backdoors for U.S. law enforcement, criminals would surely switch to foreign providers. This would make it harder to obtain data stored on cloud servers. Apple says it has responded to more than 127,000 requests from U.S. law enforcement agencies over the past seven years. We doubt Huawei would be as cooperative.

A worthy read.

Inflammatory headline aside, this New York Times piece is chock full of interesting quotes:

Executives at Apple have been surprised by the case’s quick escalation, said people familiar with the company who were not authorized to speak publicly. And there is frustration and skepticism among some on the Apple team working on the issue that the Justice Department hasn’t spent enough time trying to get into the iPhones with third-party tools, said one person with knowledge of the matter.

And:

The stakes are high for Mr. Cook, who has built an unusual alliance with President Trump that has helped Apple largely avoid damaging tariffs in the trade war with China. That relationship will now be tested as Mr. Cook confronts Mr. Barr, one of the president’s closest allies.

And:

At the heart of the tussle is a debate between Apple and the government over whether security or privacy trumps the other. Apple has said it chooses not to build a “backdoor” way for governments to get into iPhones and to bypass encryption because that would create a slippery slope that could damage people’s privacy.

And:

Bruce Sewell, Apple’s former general counsel who helped lead the company’s response in the San Bernardino case, said in an interview last year that Mr. Cook had staked his reputation on the stance. Had Apple’s board not agreed with the position, Mr. Cook was prepared to resign, Mr. Sewell said.

And:

Mr. Cook has made privacy one of Apple’s core values. That has set Apple apart from tech giants like Facebook and Google, which have faced scrutiny for vacuuming up people’s data to sell ads.

“It’s brilliant marketing,” Scott Galloway, a New York University marketing professor who has written a book on the tech giants, said of Apple. “They’re so concerned with your privacy that they’re willing to wave the finger at the F.B.I.”

And:

A Justice Department spokeswoman said in an email: “Apple designed these phones and implemented their encryption. It’s a simple, ‘front-door’ request: Will Apple help us get into the shooter’s phones or not?”

This is a giant issue. I don’t think there’s any way for a master encryption key to be created that won’t eventually get leaked or stolen.

If such a key was created, is there a case so important that would make putting that key in the hands of the world at large worth the risk? To me, that’s the heart of the dilemma.

First off:

• Fire up your iPhone, head to Settings > Safari
• Now tap the link that says “About Safari & Privacy…” (it’s the second of these links, just under the Check for Apple Pay switch)
• Scroll down to the section labeled “Fraudulent Website Warning”

At the bottom of that paragraph:

Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.

Those words have raised a lot of eyebrows. The headline linked article digs into some history and lays out the concerns. Start off by reading the section “What is “Safe Browsing”, and is it actually safe?” That’ll set the table for why Google’s Safe Browsing is imperfect where privacy is concerned.

Which leads to:

The problem is that Safe Browsing “update API” has never been exactly “safe”. Its purpose was never to provide total privacy to users, but rather to degrade the quality of browsing data that providers collect. Within the threat model of Google, we (as a privacy-focused community) largely concluded that protecting users from malicious sites was worth the risk. That’s because, while Google certainly has the brainpower to extract a signal from the noisy Safe Browsing results, it seemed unlikely that they would bother. (Or at least, we hoped that someone would blow the whistle if they tried.)

But Tencent isn’t Google. While they may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it. At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.

OK, now you’re caught up. Is this a tempest in a teapot or a genuine privacy concern? Looking forward to an official response from Apple.

UPDATE: And here’s Apple’s official statement:

Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.

To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.

The headline seemed sensationalistic, started reading filled with skepticism. That said, I did find the article well written and full of interesting detail.

A few examples:

Apple requires that all iOS web browsers—Chrome, Firefox, Brave, or any other—be built on the same WebKit engine that Safari uses. “Basically it’s just like running Safari with a different user interface,” Henze says. Apple demands browsers use WebKit, Henze says, because the complexity of running websites’ JavaScript requires browsers to use a technique called just-in-time (or JIT) compilation as a time-saving trick. While programs that run on an iOS device generally need to be cryptographically signed by Apple or an approved developer, a browser’s JIT speed optimization doesn’t include that safeguard.

As a result, Apple has insisted that only its own WebKit engine be allowed to handle that unsigned code. “They trust their own stuff more,” Henze says. “And if they make an exception for Chrome, they have to make an exception for everyone.”

The point being made here is that Apple bottlenecks all browser activity through WebKit. To me, this seems a solid approach, as long as WebKit is bulletproof.

The problem with making WebKit mandatory, according to security researchers, is that Apple’s browser engine is in some respects less secure than Chrome’s.

There’s the rub. If that’s truly the case. Seems to me, no matter the choice Apple makes here, there will be security holes. The key is how quickly Apple responds to identified flaws. My (possibly uninformed) sense is that Apple closes loopholes before they become widely known, or quickly issues a patch if exploits do become public.

As to Messages:

Hackable flaws in iMessage are far rarer than those WebKit. But they’re also far more powerful, given that they can be used as the first step in a hacking technique that takes over a target phone with no user interaction. So it was all the more surprising last month to see Natalie Silvanovich, a researcher with Google’s Project Zero team, expose an entire collection of previously unknown flaws in iMessage that could be used to enable remote, zero-click takeovers of iPhones.

Read Apple’s reply to the Project Zero accusations.

More disturbing than the existence of those individual bugs was that they all stemmed from the same security issue: iMessage exposes to attackers its “unserializer,” a component that essentially unpacks different types of data sent to the device via iMessage.

All very interesting. I’m betting that Apple is working hard to identify and fix attack vectors in WebKit and better sandbox Messages. I think it’s a safe bet that none of this information is new to Apple.

A statement from Apple about last week’s Google vulnerability blog post:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case. Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe.

Appreciate the clarification here.

Juli Clover, MacRumors:

Apple is introducing an expanded bug bounty program that covers macOS, tvOS, watchOS, and iCloud as well as iOS devices, Apple’s head of security engineering Ivan Krstić announced this afternoon at the Black Hat conference in Las Vegas.

Someone is going to pay for those vulnerability details. Way better for everyone if it’s Apple.

Tim Hardwick, MacRumors:

An Israeli security firm claims it has developed a smartphone surveillance tool that can harvest not only a user’s local data but also all their device’s communications with cloud-based services provided by the likes of Apple, Google, Amazon, and Microsoft.

From the paywalled Financial Times article that broke the story:

The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.

This grants open-ended access to the cloud data of those apps without “prompting 2-step verification or warning email on target device”, according to one sales document.

And don’t miss this response from Apple:

In response to the report, Apple told FT that its operating system was “the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers.”

Um. That is quite different from a denial, makes me think this story is true. And once the tools are out there, you know they will find their way into black hat hands. Hopefully, Apple will silently update my devices with a leapfrog update to obsolete these tools.

Charlie Warzel, New York Times, writing about this experiment by Harvard researcher Dan Svirsky:

Svirsky ran a series of tests where he had participants fill out online surveys for money and made them decide whether to share their Facebook profile data with a survey taker in exchange for a bonus (in some cases, 50 cents). In a direct trade-off scenario, Svirsky found that 64 percent of participants refused to share their Facebook profile in exchange for 50 cents and a majority were “unwilling to share their Facebook data for $2.50.” In sum: Respondents generally sacrificed a small bonus to keep from turning over personal information.

And:

But things changed when Svirsky introduced the smallest bit of friction. When participants were faced with what he calls “a veiled trade-off,” where survey takers had to click to learn whether taking the survey without connecting to Facebook would be free or cost them 50 cents, only 40 percent ended up refusing to share their data. And 58 percent of participants did not click to reveal which payment option was associated with privacy, even though doing so cost them nothing more than a second of their time.

I came across this article in this Daring Fireball post. From the post:

The lack of friction in the Sign In With Apple experience — especially using a device with Face ID or Touch ID — is a key part of why I expect it to be successful. It’s not just more private than signing in with Google or Facebook, it’s as good or better in terms of how few steps it takes.

The genius of the Google button is reducing friction for the user, easing them into sharing data from an already existing account. Even if your browser or app makes it easy to enter your email and password, using Touch ID or Face ID, there’s still friction in that sequence. The Google button is one simple step. With a privacy cost.

Sign in with Apple (SiwA) has the same lack of friction as the Google button. But without the privacy sacrifice. To me, this takes a good thing and makes it a great thing. I look forward to seeing SiwA in the wild.

Geoffrey A. Fowler, Washington Post:

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

And all night long, there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address -— once every five minutes.

And:

You might assume you can count on Apple to sweat all the privacy details. After all, it touted in a recent ad, “What happens on your iPhone stays on your iPhone.” My investigation suggests otherwise.

iPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy.

This is a big deal. Privacy is core to Apple’s brand and one of the main reasons I am so loyal to Apple’s ecosystem. Looking forward to Apple’s response to the Washington Post.