Mike Peterson
A group of cryptography experts have proposed a theory about how law enforcement can still break into iPhone despite continuous iOS patches and layers of safeguards — Apple's strongest encryption protects less data than it used to.
Matthew Green, an associate professor at Johns Hopkins Information Security Institute, proposed the theory in a Twitter thread on Wednesday in response to news of the ACLU suing for information about iPhone unlocking methods. The theory is based on research from two of his students, Maximilian Zinkus and Tushar M. Jois.
My students @maxzks and Tushar Jois spent most of the summer going through every piece of public documentation, forensics report, and legal document we could find to figure out how police were "breaking phone encryption". 1/ https://t.co/KqkmQ1QrEy
— Matthew Green (@matthew_d_green) December 23, 2020
Green contends that law enforcement agencies no longer need to break the strongest encryption on an iPhone because not all types of user data are protected by it.
The research was prompted by the fact that forensic companies reportedly no longer have the ability to break Apple's Secure Enclave Processor. That means it's very difficult to crack a iPhone's password. Given that law enforcement agencies continue to break into locked devices, Green and his students began researching how that could be possible.
They came up with a possible answer, which Green said would be fully detailed in a report after the holidays. Although it's conjecture, it could explain how government and police entities are still able to extract data from locked iPhones.
It boils down to the fact that an iPhone can be in one of two states: Before First Unlock (BFU) and After First Unlock (AFU). When you first power up your device and enter your passcode, it goes into the AFU state. When a user types in their code, the iPhone uses it to derive different sets of cryptographic keys that stay in memory and are used to encrypt files.
When a user locks their device again, it doesn't go into BFU, but remains in the AFU state. Green notes that only one set of cryptographic keys gets purged from memory. That set stays gone until a user unlocks their iPhone again.
The purged set of keys is the one used to decrypt a subset of an iPhone's files that fall under a specific protection class. The other key sets, which stay in memory, are used to decrypt all other files.
From here, all a law enforcement entity needs to do is use known software exploits to bypass the iOS lock screen and decrypt most of the files. Using code that runs with normal privileges, they could access data like a legitimate app. As Green points out, the important part appears to be which files are protected by the purged set of keys.
Based on Apple's documentation, it appears that the strongest protection class only applies to mail and app launch data.
Apple *sort of* vaguely offers a list of the apps whose files get this special protection even in the AFU state. But notice how vague this language is. I have to actually decode it. 14/ pic.twitter.com/OMIy297605
— Matthew Green (@matthew_d_green) December 23, 2020
Comparing that to the same text from 2012, it seems that the strongest encryption doesn't safeguard as many data types as it once did.
The data types that don't get the strong protection include Photos, Texts, Notes, and possibly certain types of location data. Those are all typically of particular interest to law enforcement agencies.
So this answers the great mystery of "how are police breaking Apple's encryption in 2020". The answer is they probably aren't. They're seizing unlocked phones and using jailbreaks to dump the filesystem, most of which can be accessed easily since keys are in memory. 20/
— Matthew Green (@matthew_d_green) December 23, 2020
Third-party apps, however, are able to opt-in to protect user data with the strongest protection class.
As far as why Apple seems to have weakened the protections, Green theorizes that the company forfeited maximum security to enable specific app or system features like location-based reminders. Similarly, some apps wouldn't be able to function properly if the strongest encryption class was used for most data.
Green notes that the situation is "similar" on Android. But, for Apple, the cryptography professor says that "phone encryption is basically a no-op against motivated attackers."
If I could tell Apple to do one thing, I would tell them to figure this problem out. Because without protection for the AFU state, phone encryption is basically a no-op against motivated attackers.
— Matthew Green (@matthew_d_green) December 23, 2020
Maybe Apple's lawyers prefer it this way, but it's courting disaster. 25/
The findings, as well as other details and possible solutions are outlined in a research paper penned by Green, Zinkus, and Jois.
Amber Neely
Andrew Orr
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
28 Comments
Fascinating... His 25-tweet thread is really interesting. It sounds like it comes down to the OS using the weaker encryption option on most of a device's relevant content in order to allow the software to do things in the background while your phone is locked -- using the decryption key stored in memory, which attackers have access to:
Most apps like to do things in the background, while your phone is locked. They read from files and generally do boring software things. When you protect files using the strongest protection class and the phone locks, the app can’t do this stuff.
I wonder if this is intentional so Apple can keep telling its users their data is encrypted, which it is, but then also able to turn a blind eye to the hacks the law enforcement uses to dump the phone's contents. That way they don't get forced to put in an explicit backdoor, because there is a workaround. Either that, or Apple has been secretly forced to allow access and these encryption workarounds give the illusion of privacy and non-compliance with law enforcement bigwigs and yet they actually are bending, with this being the best way they've got to keep the agreement secret.
I’d be interested to know that if when you manually lock the phone down with a long press on sleep/wake + volume - which locks biometrics and necessitates password Re entry, if this is considered BFU or AFU. Technically it is AFU, but from what I remember Apple execs discussing, that is supposed to lock down the phone. In which case it is still feasible to lock people out without a power down. Hmmm....