- cross-posted to:
- privacy@programming.dev
The FBI has been unable to access a Washington Post reporter’s seized iPhone because it was in Lockdown Mode, a sometimes overlooked feature that makes iPhones broadly more secure, according to recently filed court records.
The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.
“Because the iPhone was in Lockdown mode, CART could not extract that device,” the court record reads, referring to the FBI’s Computer Analysis Response Team, a unit focused on performing forensic analyses of seized devices. The document is written by the government, and is opposing the return of Natanson’s devices.
Archive: http://archive.today/gfTg9
This news sparks joy. It’s a shame the FBI is wasting their time on petty political bullshit like this instead of going after real crime. What a shameful chapter for the FBI, and that’s really saying something given their illustrious history.
You act like there’s a cabal of kid rapists running the world.
If they had any decency at all they should be arresting the president.
But hell would need to freeze over first. 😡
They did that, twice. Even got a trial and 34 felonies. Repercussions? None. Honestly if you do your job and not only see nothing come of it but said felon has an impact on your job now I can sympathize a bit.
He would have been fucked if he had lost the election, and money won the election, money and the markets is the only thing Trump cares about.
Scott Galloway has the right idea
no one is gonna arrest the president for you.
you are gonna have to band together and do it yourselves.
Right!?
Like ohhh. So important to see if someone liked a post. Meanwhile tech espionage and terrorists take over the world.
How dare we ‘radicalize’ over the idea of free Healthcare.
Absolute sham of ‘protection’.
Social contract is breaking.
No need to see any legitimacy in this government or its goons.
It’s really great, isn’t it? But I’d leave you with one theoretical angle to consider…
What if the FBI actually did get into the phone? If so, then why would this information have been made public?
The only reason why, that I can think of right now, is that the FBI wants more people using Lockout. If so, the only reason I can possibly imagine for that is—there are actually some good commonly available techniques to keep them out of your devices, of which Lockout is insufficient. They’d want more people assuming that it is sufficient, and this news could accomplish that.
Purely theoretical… but the bigger point here, whether that framing is strategically true or miraculously over-thinking things, is that something does work. No matter what, you know something works.
I don’t think that’s a rational line of thinking, because there are documented filings of attempted file access into FOSS programs that the FBI are unable to influence and are completely unable to access, such as Veracrypt/LUKS encrypted PCs and GrapheneOS in BFU/Duress password entry status.
Now, Apple is indeed a proprietary ecosystem, and as such unable to have community outside assurances that their system is completely trustworthy. However, Lockdown has now joined the ranks of other systems of data security that have been proven effective against a warrant, perpetuating the cycle in which nations such as the UK (and the US during the Crypto Wars) have tried to overtly undermine the technology through public actions after failures to covertly crack them. You cannot classify mathematics, physics, or cryptography, and there is no such thing as a perfect backdoor (despite some senators’ opinions).
With all that being said, I still wouldn’t trust an iPhone, but I don’t think that proposed line of thinking meshes with the FBI.
It’s not like it was a press release, it was gleaned from a court document. I suppose they could be happy with what info they got off of it enough to let this prosecution fail if they can follow up the chain, but I’m still skeptical. Who knows, maybe they have a functional quantum computer they don’t want to advertise
You create a great story but it violates K.I.S.S.
- not saying they got in means they can’t use it as evidence. Sometimes there’s still due process
- even if they can get into lockdown mode, it’s clearly harder than not lockdown. Why conspire to make it harder?
Yes, probably so. I haven’t seen the designs of lockdown mode, but I get the case for my hypothesis being far fetched. Wasn’t trying to start any conspiracies. Please, ignore my shenanigans.
Best advertisement I’ve heard for an iPhone ever. Now that Android is moving to the same walled garden business model…
Graphene OS
Android phones have lockdown mode too. Hold the power button to show the shutdown menu and click lockdown.

They’re not the same. Android lockdown is a temporary lock screen state. iOS lockdown is a full OS hardening, affects the way the phone operates full-time.
Ah, my bad. I looked it up and while Android does have an analog to what iOS calls “lockdown”, Android uses different terminology for it, since “Lockdown” is, as you said, lock the lockscreen to be password/pin-only (which would still be a reasonable approach before being forced to turn over your phone to somebody since those are things that are harder to be compelled to provide).
Android’s version of iOS “Lockdown” is called “Advanced Protection Mode”.
Having it and it working as well are two different things. Historically Apple has been ahead in security that can slow down or stop law enforcement. And before you jump to the same conclusions as someone else, I never have owned an iPhone, nor wanted to.
That’s incorrect. Google’s Android has several industry leading security features the iPhone doesn’t support.
That’s… not what they said.
There’s a lot of copium in this thread. Joke is I’ve been pretty hardcore Android since day one, I have never owned an iPhone. I am just capable of some level of objectivity. Shit, there’s podcasts out there from early in the Android v iOS days where I was the token Android guy defending it as the IBM compatible equivalent of its day. Telling these hard core iPhone guys that Apple would lose the market share fight worldwide because of the closed nature, the same way they lost it on the desktop. But yeah, there’s people here denouncing me as an Apple fanboy because I was capable of complimenting a strength it has.
Keep doing it. They all have strengths and suckiness at the same time.
joke on you! google’s recent requirement is that all phone vendors make the power button open an AI menu instead of the shutdown menu! on most phones it can be fixed, but it’s often hidden very deep in the settings.
I’d forgotten because the first thing I did when that rolled out was revert it so long-press on the power button was the power menu. IIRC the new default is like long-press-power-and-volume-down or some garbage like that to show the power menu.
AI will take us to the future shit 🤣 You: “Hey Google (or the hell the new assistant names are), I’m being arrested, could you lock down my phone!” The bot: Sorry, I couldn’t get that. connecting to the ChatGPT/ Gemini servers
This is more of “disable face ID” type of thing rather than “lockdown”
That is a misnomer. Android’s “lockdown” is the equivalent of pressing the power button + up button on an iPhone to bring up the power menu, which immediately disables biometrics. It only disables biometrics; it doesn’t really “harden” the phone in any way.
And the FBI can’t get in? I doubt that. It has always been notoriously easy for law enforcement to get in to Android phones.
Obligatory XKCD.

Everyone have different thread model…
It’s usually either posix or windows… is pthread posix? They confuse me when I’m outta coffee.
If someone is worried about the FBI I don’t think that putting trust in a US company whose CEO has very close ties to the current US administration is a wise idea.
I’d be seeking hardware to run an OS like GrapheneOS. Going with iOS in the US seems as wise as someone in China going with Xiaomi if they are trying to go under the radar of China’s Ministry of State Security.
I’d be seeking hardware to run an OS like GrapheneOS.
So the hardware made by the other company whose CEO has very close ties to the current US administration.
Graphene looks promising but restricting it to Pixels kinda kills it for me.
Hardware is hardware. Whether it is US, China, etc the most vital component ends up being the OS at the end. It is the OS that you are entrusting the programs and apps being run and the accounts being logged into.
If you want security and privacy, grapheneOS appears to be the best option for OS. Something can be secure but not private, and private but not secure. Example being running /e/os or lineageOS on supported hardware might be more private but might not be as secure as stock Google on a Pixel or iOS with lot of times inability to relock the bootloader.
Phones do not have the luxury of PCs with large range of supported hardware with lot of freedom to install different operating systems without issue. There isn’t a luxury of the perfect private and secure phone to purchase.
You look among what is available to find what lets you install a non corporate run OS that is as secure as possible.
Haha, very true. Loyalty over competency.
Even if you turned the phone off? It should be secure on a cold boot before entering the password, as nothing is unencrypted yet.
You know, I have not kept up. Things may have improved recently. But historically there’s always been flaws in the security.
And that is the big reason why you should update. It’s a cat and mouse situation. This is the reason why GrapheneOS offer security previews and encourage you to install them.
GrapheneOS is not the ordinary Android phone.
Yes, that’s advertising all right.
The FBI just wants the public to think their phone is secure. I got news for you, it’s not secure. Look up Snowden.
Reminder that none of your data is safe on a cloud. Law enforcement can get a judge to sign off and make Google/Apple decrypt your cloud data and give it to them.
If you really want your data private you have to put it on an encrypted hard drive. Recommend Veracrypt.
Recommend Veracrypt.
Or Luks which is well integrated with Linux. Are there significant advantages with Veracrypt?
It depends on which cloud. US cloud services are inherently unsafe. Some other countries have more respect for privacy.
and even then, unless you unlock it for law enforcements upon request. you will serve lifetime in imprisonment or until you agree to unlock it and whatever if any crime is within the locker to continue imprisonment. so safeguarding data really doesn’t matter in the end anyway because any sensitive data kept anywhere will be used against you either by the law or by criminals. which often times seems to be one and the same.
unless you unlock it for law enforcements upon request. you will serve lifetime in imprisonment or until you agree to unlock it
I’m like 99% sure that isn’t how that works. Held in contempt of court, maybe, but lifetime imprisonment, doubt it.
Clearly you are not a lawyer, not educated in law, nor do you know a single thing regarding what you are talking about, yet you felt compelled to leave a comment full of complete disinformation. Is letting people on the internet know how dumb you are a family tradition, or is this something new you are trying out for yourself?
it’s amazing you think not unlocking your shit will get you out of jail.
or maybe you just come from a country where law and logic is just optional or possibly paid for.
Can you provide any statute or reporting to indicate a person can be jailed indefinitely over not unlocking a device?
for the US, check the somewhat recent Joseph Gelfgatt case.
Snowden was pre-lockdown mode but yeah.
One shortcoming of lockdown mode, as far as I can tell: you can pair your phone and watch so locking your phone will lock your watch as well, but you can’t do the reverse. It seems more likely that a hostile party would get access to your phone first while you still (temporarily) have control of your watch, so being able to lock your phone from your watch would be extremely useful. (Or for that matter, set lockdown mode to trigger automatically if your watch is removed or your watch and phone move to different locations.)
Swallow it.
“Can I cook mine?”
“No, you must eat it raw.”
Locking your phone and Lockdown Mode are drastically different things.
That seems like a very simple problem to just not need to worry about.
Just don’t buy a smartwatch.
It’s not that the watch is an added vulnerability (there’s no info accessible via the watch once the phone is locked)—it’s just a missed opportunity.
You need to re-read what he said.
Stop requiring accounts just to view content.
Fucking scumbags
This is just an advertisement. There is no phone the government cannot get into if they wanted.
Is this an advertisement? Sure, yes. The government can get into any phone? No.
Any iPhone? Almost certainly.
Big claims require big proof. But I bet all you have is a hunch.
The big claim is that they couldn’t get into the reporter’s iPhone. You are right to demand proof before believing something so obviously made up.
Unless there’s an incredible amount of people “not in” on some universal secret, maths gonna maths, and physics gonna physics. Actual encryption works well in a proven way, computational power isn’t as infinite as some people think, and decent software implementations exist.
Getting hold of anything properly encrypted with no access to the key still requires an incredible amount of computing power to brute force. Weak/bad implementations can leave enough info back to speed this up, malicious software can make use of an extra, undocumented encryption key, etc. but a decent implementation would not be easy to break in.
Now, this does not say anything about what Apple actually do. They claim to have proper encryption, but with anything closed source, you only have your belief to back you up. But it’s not an extraordinary claim to say that this can be done competently. And Apple would have a good incentive in doing so: good PR, and no real downside for them since people happily unlock their phone to keep their software running and doing whatever it wants locally.
Or, they walk in through the back door.
Math has little room for backdoors.
Big claims require big proof. But I bet all you have is a hunch.
I work alongside law enforcement. Part of my job involves helping detectives follow the instructions Apple/Google provide to them for downloading and unencrypting people’s phone data once a judge has given permission for them to request it from Apple/Google.
Now, I’m not familiar with “Lockdown Mode”. Maybe that uses separate encryption to encrypt data stored on your phone that ISN’T cloud synced data. But even then, if that Lockdown Mode is software created by the manufacturer, then they could have the decryption algorithm to decrypt it and I wouldn’t trust it. I would only trust open-source encryption software, like Veracrypt.
Bottom line is I’m here to guarantee you that if the data is synced with a cloud, which most people’s phone data is, it absolutely can be obtained by law enforcement.
Not that it’s particularly relevant, but typically when law enforcement get into the data, it’s usually because they have reasonable suspicion and it’s usually kiddie porn or chat logs proving they were trying to meet up with underage individuals. And I’m here to tell you that shit is way more prevalent than I think most people realize.
You can read more about lock down mode here: https://support.apple.com/en-gb/105120
Again, like you said, what is described in the article is a big claim, and it should require a big proof, not some trust-me-bro apple marketing.
Just because someone has an iPhone doesn’t mean the other person writing about it is advertising the product.
Here are the instructions to enable and description of how it works. Seems really complete.
Feature set seems like an improvement, honestly. In particular:
Game Center is also disabled.
Dunno what this has to do with the Ginza Apple Store. The intern just used the first stock photo they could find, I guess.
It’s sad how the internet has somehow made the quality of ostensibly professional journalism so much worse. It was supposed to make things better.
Is this/the replies sarcasm? It’s just a picture of an Apple store on an article about Apple, who cares where it’s located? And how does that make this worse quality journalism?
they’ll just pay Israelis (Cellebrite) to crack it
I tried GrapheneOS on my Pixel, and it’s pretty cool, but unfortunately I want my phone to have full functionality. I’ll sacrifice some privacy and just practice digital minimalism, which ultimately is the best form of privacy.
What didn’t work for you?
I just got tired of everything being a hack. I simply need my phone to work and I also see a bit of irony installing play services just to receive proper notifications. I know I know the whole app sandboxing bit. But still, it seems counterintuitive I don’t have to worry if my phone’s going to let me down if I’m driving and need to download some obscure parking app or if I need tap to pay to function which in the United States I do. One time I was at Costco, renewing my membership, they needed me to download the app real quick to do something on the account. But because the app wouldn’t function right, my wife had to do it.
I needed to buy some ribs the other day, but I forgot my wallet. If I had tapped to pay on my phone, that wouldn’t have been an issue.
they needed me to download the app
They wanted you to, but I get your point.
receive proper notifications. I know I know the whole app sandboxing bit
Still worth it for the sandbox
You don’t NEED tap to pay. I literally never use it, ever, unless I have a card with a bad chip (happened once).
Forgetting your wallet like a dummy doesn’t mean you NEED tap to pay, it means you need to remember to bring your wallet.
Also, there is nothing you NEED the Costco app for, an org like that can’t lock things behind an app to function because their customer base is too broad, they will inevitably have old people with T9 Nokia bricks still. It might have been the most convenient way to achieve it, but it’s not a requirement - even if that particular sales associate didn’t know how and would have to phone a friend.
All that to say I’m not trying to convince you to use gOS; I fully recognize that security is on one end of the spectrum from convenience, and we all choose where we want to be on that spectrum. But I felt the need to counter your claims… Nobody NEEDS tap to pay smh. If you care about privacy at all you wouldn’t be linking cards to apple or Google, adding yet another layer of giant data collection to some of your most intimate data.
Well, since the reporter does not really own the phone, the FBI will now turn to Apple ordering them to disable that false sentiment of security.
If you don’t hold the keys, it’s not encrypted.
If a person is using lockdown mode they more than likely also have Advanced Data Protection enabled. This removes iCloud keys on Apple’s side and is only stored on device.
In that case you hold the keys and it’s encrypted.
And if you don’t think there are backdoors then I have a bridge to sell you.
The best you can hope for in any case is increased friction. Because if you have pissed off a government org to the point they declare you an actual national security threat… you start realizing why Israel et al tend to be known to have tools that can crack a few generations back.
Which is why journalists, when they talk about stuff like this, are pretty adamant that they don’t trust those devices at all. One of the more common tactics is to have completely separate devices for sensitive communication that are kept physically isolated from any of their personal devices… and preferably in a place that a trusted associate knows about. If someone gets taken away in a black van? Someone else goes for a walk with a power drill for no apparent reason at all.
Well those back doors don’t seem to be working in the actual case happening currently. What you’re saying is assumptions.
Also you’re the second commenter today to say they have a bridge to sell me. Is this old saying making a comeback or is it bots?
Bridge market must be having a boom.
…
Yes, the reason multiple people accused you of being gullible is because they are bots.
Yes you do. In fact Apple warns you several times to keep copies of the key secure because there’s no way for them to help if it’s lost.
not if it was lineage, calyx, graphene.
As another said, a Pixel with Graphene OS is likely the most secure device you can have, even against an Apple product. Cellebrite, the software a lot of governments use to break into these phones can’t get into a Pixel device before first unlock with Graphene OS. I believe a number of Apple products are the same thing as they can’t be accessed before first unlock or lockdown mode, but your data is more secure in the hands of an open source developer than a massive capitalist company.
Also, a notable feature of GrapheneOS is automatic reboots after no use for any arbitrary time value you want, so your phone will always be in a “before first unlock” state if someone steals it, like the government. They also have lockdown mode as well, not sure how that works technically on Android beyond disabling biometrics.
Android also has lockdown mode.
Also Bezos has nothing to do with Android aside from their tablets.
The original comment said Google, instead of Bezos, I have no idea why they edited their comment to this. Maybe they are thinking of Microsoft, who recently handed over encryption keys, but they don’t make phones anymore, lol.
No, donkey, no.
Do we know of instances them doing it? Assuming they can, I don’t actually know.





















