Chinese Hack of US ISPs Show Why Apple Is Right About Backdoors (9to5mac.com)
- Reference: 0175223755
- News link: https://apple.slashdot.org/story/24/10/10/025236/chinese-hack-of-us-isps-show-why-apple-is-right-about-backdoors
- Source link: https://9to5mac.com/2024/10/08/chinese-hack-of-us-isps-shows-why-apple-is-right-about-backdoors-for-law-enforcement/
> It was [2]revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What's notable about the attack is that it [3]compromised security backdoors deliberately created to allow for wiretaps by US law enforcement. [...] Apple [4]famously refused the FBI's request to create a backdoor into iPhones to help access devices used by shooters in San Bernardino and Pensacola. The FBI was [5]subsequently successful in accessing all the iPhones concerned without the assistance it sought.
>
> Our [6]arguments against such backdoors predate both cases, when Apple spoke out on the issue in the wake of terrorist attacks in Paris more than a decade ago: "Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they're not -- and if they're not then it's a question of when, rather than if, others are able to exploit the vulnerability."
>
> This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them. Exactly the same would be true if Apple created backdoors into iPhones.
[1] https://slashdot.org/~Alypius
[2] https://slashdot.org/story/24/10/05/2118247/us-wiretap-systems-targeted-in-china-linked-hack
[3] https://9to5mac.com/2024/10/08/chinese-hack-of-us-isps-shows-why-apple-is-right-about-backdoors-for-law-enforcement/
[4] https://yro.slashdot.org/story/16/02/17/0123238/judge-tells-apple-to-help-fbi-access-san-bernardino-shooters-iphone
[5] https://news.slashdot.org/story/16/03/28/2237207/fbi-unlocks-iphone-without-apples-help-in-san-bernadino-case
[6] https://9to5mac.com/2015/11/17/opinion-apple-encryption/
That's rich... (Score:2, Insightful)
They're part of PRISM.
Re: (Score:2)
hah yeah American company subject to American laws. Me thinks they doth protest too much and pose a little too hard :)
nerd harder (Score:5, Insightful)
apple can be right all it wants but that won’t change the fact that politicians are know-nothings that don’t give a rat’s ass about weakening security when there is an opportunity for grandstanding and appearing to “do something.”
Re:nerd harder (Score:5, Insightful)
> apple can be right all it wants but that won’t change the fact that politicians are know-nothings that don’t give a rat’s ass about weakening security when there is an opportunity for grandstanding and appearing to “do something.”
Remember: it's for the children !!
Seriously, there is no reason at all to provide the government with backdoor access to anything. If the government suspects someone of a crime, they can get a warrant, and compromise one of the endpoints, install hidden surveillance, or whatever. Backdoors led to spying in this case, but how many times has weakened security led to hacking and compromised data? Europe is fighting this battle right now with "chat control".
Re: (Score:1)
"Remember: it's for the children !!"
Wait until you have kids then you may change your priorities. If a load of privacy being lost means some kids don't suffer or even people avoid being killed then that's fine by me.
No doubt I'll be modded down for having an opinion that goes against the tech nerd groupthink.
Re: (Score:2)
> If a load of privacy being lost means some kids don't suffer or even people avoid being killed then that's fine by me.
Then you are dumb. Given enough privacy lost and government authoritarianism your kids' lives will be a V for Vendetta nightmare and they'll be wondering why you stood by quivering, begging to give your rights to Big Brother for a little temporary protection.
> No doubt I'll be modded down for having an opinion that goes against the tech nerd groupthink.
I could have, but prefer to reply and tell you what a short-sighted chickenshit you are. I'll get modded down for trolling your frightened conformist groupthink.
Re: (Score:2)
Governments have always been able to access private info. Only recently has it become harder or impossible for them so I don't see what the big deal is. Encryption hasn't prevented authoritarian governments coming to power so your logic is flawed.
As for the insults, grow up man-child.
Good guys don't outlaw/backdoor encryption (Score:1)
Hint: the good guys don't censor or outlaw & backdoor encryption. Grow a spine.
Re: (Score:2)
> "Remember: it's for the children !!"
> Wait until you have kids then you may change your priorities. If a load of privacy being lost means some kids don't suffer or even people avoid being killed then that's fine by me.
> No doubt I'll be modded down for having an opinion that goes against the tech nerd groupthink.
Draw me a line then. The majority of kids who have been abused are abused by a family member or a friend. Therefore we should require government cameras in every home to ensure some kids don't suffer or even die. Would you support this? If not why not, where do you draw the line?
Re: (Score:1)
Hidden cameras installed as part of a police investigation authorised by a judge? No problem at all with that.
Re: (Score:2)
I have two kids and I will not yield my privacy nor theirs to the government for some false sense of security for them. I am fully capable of protecting them myself and don't need some stupid bureaucrat stepping in to fuck them over in some way because I gave in to fear.
Re: (Score:2)
"I am fully capable of protecting them myself "
Keep telling yourself that, maybe even you'll believe it one day.
You'd change your tune if some paedo had encrypted pictures of them but it couldn't be proven unless the police broke the encryption.
Re:nerd harder (Score:5, Insightful)
It's not just the politicians, the journalists are no better. They are happy to use software like Telegram to protect their sources and avoid stories leaking. But when those same tools are used by 'bad people' it's a national scandal and the government needs to do something about it. They don't seem to understand that private communications work both ways.
As a previous poster noted, the government already has tools which can compromise the endpoints of secure communications, and legal opportunities to install them every time 'bad people' pass through a US airport. There's really no reason to install additional backdoors which can be abused by foreign governments/hackers.
Re: (Score:2)
politicians are just good at doing politics, when they draft laws they don't really need to know squat about the subject, they just do what they're told to do.
now, the people who told them about this weren't stupid nor ignorant, they knew full well that these backdoors were a security threat for all, they just considered it as an acceptable drawback and risk if it allowed them to do the dirty little deeds they wanted.
btw the assumption that apple products don't have backdoors is pretty candid to put it v
Re:Bullshit (Score:5, Insightful)
The threat models are entirely different. You're describing a threat where Apple as a corporation distributes signed software that violated customer expectations and their previous promises, and that people can protect against by not installing the software update. If a third party manages to subvert the build process, Apple and users can just install the software version that fixes it.
That's an entirely different threat than having wiretap or search backdoors that silently give access to real-time communications (in the case of wiretap) or data stored on arbitrary devices (in the case of backdoors). Vulnerabilities in those mechanisms become hugely valuable to any threat actor, not only the company that created the backdoor.
Re: (Score:2)
Which was not what the Feds were demanding, they wanted Apple to be able to get all the data off locked phones.
Re: (Score:3)
The phones don't know whether it's Apple or Guido the Yakuza Skinhead Human Trafficker trying to get data. They only respond to whatever technical trigger is built in.
Re: (Score:2)
They would know the same way they know an update is legit, Apple would sign the request with a private key from a HSM.
Re: (Score:2)
Yes, and when -- not if -- that process gets compromised, it opens an unfixable gaping security hole in every device everywhere. That would make it an extremely appealing target for every serious threat actor in the world, including government offensive cyber agencies. It is fundamentally different from the "bad software release" risk.
Re: (Score:2)
That's too pessimistic a view of the iOS update mechanism IMO.
Re: (Score:2)
> ... the security guarantees are the same and the trusted party is the same.
It's so easy, we need to do this for porn: Just pass a law that all porn is encrypted by a key unique to each adult. That will save little Mary from grown-up truths, for sure.
Re: (Score:2)
Let's say Apple owned the private keys and would do decryption themselves only when ordered by court, then your porn would be exactly as safe against hackers as iOS updates.
The desirability of the scheme and the justification of hysterical fantasies about hackers are two separate things.
A private key in an Apple HSM can already steal all your iPhone data in any realistic scenario (refusing updates will just saddle you with a mountain of former zero day vulnerabilities eventually, it's not realistic).
Re: Bullshit (Score:2)
How do people as dumb as you exist?
Not completely buying into Apple's claims (Score:4, Interesting)
I am not buying Apple's story that they don't have any backdoors on their devices. Why I don't buy that is because there is evidence to indicate that they have a secret API which they allow some select companies to use which has only one conceivable purpose - for spying and surveillance. I am referring to this incident when the Uber app on iPhone was caught recording screens even when the app wasn't even running on the iPhone. Somehow this story just disappeared with next to no followups from the IT security people.
[1]https://thenextweb.com/news/re... [thenextweb.com]
Uber came up with a totally B.S explanation for why they were recording screens: "This API isn’t connected to anything in our current codebase, meaning it’s non-functional & there’s no existing feature using it. It was only ever used to render maps for an early version of our Apple Watch app, but has been dormant for quite some time. We are working with Apple to remove it completely ASAP."
What does recording screens have to do with displaying maps? and why didn't Apple contest this explanation? and how is it that Apple gave this secret entitlement to Uber?
This incident does show that, at the very least, there was some secret collusion between Apple and Uber to spy on users. And why would this happen unless there was some use case pushed by the surveillance state?
[1] https://thenextweb.com/news/report-uber-can-spy-on-iphone-users-with-ios-11s-screen-recording-feature
Re: (Score:2)
if Apple made a deal with Uber then i am sure they are making deals with other companies too,
Re: (Score:3)
Wasn't exactly secret, it had a name and was in the manifest. Not like they needed to do some obfuscated port knocking to access it.
Re: (Score:2)
You really should read that article you linked to...
> It allows developers to read and write to part of the iPhone’s memory that contains pixel and display data.
write pixel data. For a completely custom renderer it even makes sense.
Not saying you're wrong to doubt the explanation, just that your doubting doesn't match what is in the article.
Re: (Score:2)
And read pixel data, to capture what is currently on the screen, not to render anything.
What about that?
Re: (Score:2)
i am sure there are workarounds for that too
Re: (Score:2)
Yes, that is the problematic part.
My point was:
What does recording screens have to do with displaying maps?
The fact that the permissions API (wrongly) puts read and write in the same bucket.
Re: (Score:2)
If the watch didn't yet have a map widget, but did have a display image API, one could hack together a watch map interface by rendering the map on the phone, recording the screen, and transmitting the image to the watch. It's not a conspiracy, just shitty beta software that no one bothered to clean up. Or maybe Uber was doing some underhanded telemetry gathering. Wouldn't put it past them.
And Apple doesn't have "secret" APIs, they are just undocumented internal use only, reserved for iOS and first party app
Re:Not completely buying into Apple's claims (Score:5, Insightful)
> And Apple doesn't have "secret" APIs, they are just undocumented internal use only, reserved for iOS and first party apps. Every OS has these.
Like in every OS except for the most popular kernel on the planet, you mean? And all of the other FOSS options? Or do you mean like what Microsoft was forced to open up to vendors, famously enabling Clownstroke to bring the Windows world to its knees for days?
Undocumented APIs are there specifically for antitrust, like when it was discovered that Microsoft Office was using one set of functions, and everyone else was using the documented functions which were literally the same functions with delay loops added. And Microsoft's excuse was that those delays were necessary if you didn't know what you were doing, but nobody else knew what they were doing because Microsoft refused to tell them.
If you believe any different from anyone, including Apple, then you are ignoring how everything works. Operating systems do not need such things at all, not even a tiny bit. Every single interface can and should be completely documented. Anything else is hostility or failure.
Re: (Score:2)
> Like in every OS except for the most popular kernel on the planet, you mean?
The kernel is not the OS. Literally every OS has undocumented APIs, including that one running the most popular kernel on the planet.
> Or do you mean like what Microsoft was forced to open up to vendors, famously enabling Clownstroke to bring the Windows world to its knees for days?
Microsoft didn't open up all APIs either. Microsoft was forced to open up specific APIs used by some very specific apps they were using in competition with others, all the while they actually did provide other documented APIs to achieve the same thing. ClownStroke was just that, a shitty company who didn't know what they were doing, using APIs in inappropriate ways interfacing
Re: (Score:2)
> Literally every OS has undocumented APIs, including that one running the most popular kernel on the planet.
No FOSS OS has undocumented APIs.
> Undocumented APIs are there for many reasons, including internal development reasons.
Guess what? Putting internal application development above external application development is done specifically for antitrust reasons.
Grounds for bringing the government to a Court? (Score:2)
Would lawyers be able to use these backdoors imposed by the government, to bring the case to a court and demand compensation for the victims, and sanctions for those responsible for this deliberate weakening of security?
Re: (Score:2)
How about taking China to task, give all corporations a 2-year notice to move their manufacturing to another country, because that is when imports from China can be blocked. How long would it take for the Chinese economy to tank if the USA stopped all imports from China? The Trump approach was just to slap a tariff on things, without giving companies a chance to relocate their manufacturing. Telling the Chinese, "you've done this crap too many times, and it's time for you to actually get punished for
Re: (Score:3)
> How long would it take for the American economy to tank if the USA stopped all imports from China?
Fixed that for you.
It is, quite frankly, impossible to decouple the US economy from China on a foreseeable timescale, and vice-versa. Certainly not in the 2-year scale you suggest, nor on the 4-year timescale of an American president.
Sure, you might be able to get some companies to move their manufacturing somewhere else. But even the truly motivated ones would find that difficult - creating a new man
Re: (Score:2)
China already has many limitations on imports, not the useless tariffs, but hard limits, so, it's the sort of thing that should be at least moved towards with the crap the Chinese government keeps doing. I agree that it wouldn't be as simple as I suggested, but on the flip side, pushing companies to move their manufacturing out of China should be done.
Racist (Score:1)
Chinese hacker stereotype. I'm not Chinese and could be a hacker, too. I'm offended.
Alternate Reality? (Score:5, Informative)
What false reality is this where Apple didn't build a backdoor into their custom-silicon GPU?
[1]https://arstechnica.com/securi... [arstechnica.com]
The whitepaper details step-by-step how the full access portal is activated and you can reproduce it on your own device if it hasn't been updated since they were caught.
The perniciousness of this is the knock is far into 64-bit address space so an exhaustive search would take decades. Only reverse-engineering an active exploit can find the addresses (or reversing the silicon).
We even know NSA deploys this against US-Citizen journalists who are at home.
The kayfabe gaslighting on this meme is astronomical. Is pretending somehow easier to live with mentally?
[1] https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/
Re: (Score:3)
I suspect most CPUs have some kind of backdoor, intentional or not. They need to be tested during the manufacturing process, which usually involves secret op-codes and interfaces that let someone with the right knowledge probe the chip's inner workings.
There's also the risk that microcode signing keys are leaked. They are obviously high value targets and likely irrevocable.
Re: (Score:2)
There's no evidence it was a backdoor, which implies it was intentional. It was more likely an unintentional vulnerability, which has since been patched.
Angels and Demons (Score:5, Interesting)
To quote [1]CGP Grey [youtube.com]: "The nature of a keyhole is to be cracked, and the nature of the Internet is to bring demons to the door. No matter how much we might wish it, there is no way to build a digital lock that only angels can open and demons cannot. Anyone saying otherwise is either ignorant of the mathematics, or less of an angel than they appear."
[1] https://www.youtube.com/watch?v=VPBH1eW28mo
Chinese Hack of US ISPs Show Why Bruce Schneier is (Score:5, Insightful)
Right About Backdoors:
“Either everyone gets to spy or nobody gets to spy,” he said. “And once you accept that, then you decide, do you want everybody or nobody?”
Re: (Score:1)
And honestly, as a citizen of the US, I'm far less concerned about being spied on by the Chinese government than I am by being spied on by my own government. I know which one can come get me in the middle of the night if they decide they don't like what I'm saying.
Statements like "The US government would never extrajudicially assassinate their own citizens" don't hold as much water as they did in, say, 2000.
Re: (Score:2)
Well said. Ask Fred Hampton, Anwar al-Awlaki, Mark Clark, Lavoy Finicum, and Randy Weaver. Oh, wait, never mind, you cannot ask them: they are dead. Uncle Sam murdered those Americans without a trial.
Re: (Score:2)
I am not defending the bad things the US government did.
That said, what makes you think the Chinese do not have police stations in the US?
Make your own research.
Backdoors lead to global thermonuclear war (Score:3)
Next thing you know you're playing WOPR in a classic game of tic-tac-toe to save the world from annihilation.
Cpn O (Score:2)
Can we call a company like Apple "captain obvious"? They are supposed to be like people right?
Right Conclusion, Wrong Argument (Score:2)
I agree with the conclusion, but the argument is wrong. Remember what apple refused to do was create software that would allow it to workaround the limit on password guessing so the FBI could brute force the device password. The fact they refused implies that they *could* create that kind of software. Presumably, nation states like China could -- at least with access to the appropriate apple secret keys -- create the same kind of workaround. A system where apple used a secret key on an airgapped sealed
I hope EU will take note of this (Score:1)
Given the repulsive salami-tactic assault on privacy and data protection the EU has been pushing for a couple of years now, I sincerely hope the borderline apparatchik in Brussels takes note of this.
Especially since this happened on a nation level / APT-possible level.
NIST used to require a back door in smart phones (Score:3)
I did FIPS testing on RIM (BlackBerry) devices back in 2003/2004. One of the requirements to pass the tests was that the tester have an API to get the random number used in signature generation. RIM devices would never reveal this number because with it you could discover the secret private signing key. I would message NIST, explain the security problem with having such an API, and be assured that it was an accident, the test case could be skipped and that it would be removed from the requirements. And then 2 or 3 months later the test case would appear again.
I was naive back then. The shit really hit the fan though when I was doing the FIPS testing on the original OpenSSL. It passed all the test cases but the random number generator wasn't the algorithm the authors claimed it was...
told you... (Score:3)
If I had a dollar for every time I got to say "told you so", I could... well, at least go on a pretty nice holiday.
The problem isn't this. It's not that it happened or that it was clear it would. The real problem is that those responsible knew that and still went ahead. And that they'll do the same thing again next time.
Because as much as the right currently rages on the left for being woke and facts being shoved aside for the benefit of feelings - the right has done the same thing with surveillance for decades. 90% of TSA has zero actual security effect and is purely there so people feel secure.
It's a problem you get every time politicians get to make decisions.
Re: (Score:1)
> the right has done the same thing with surveillance for decades.
As you point out, this isn't partisan. Both of the partisan sides want more surveillance and less individual privacy. There is little to no representation for most folks who want their individual rights protected. The constituency is there, I'd wager most folks are in favor of personal privacy, but the representation is not. This is always a sign that your political system is breaking or broken.
How dare they (Score:2)
How dare they tap our wiretaps?!!
why are balanced headlines so difficult? (Score:2)
Everyone didn't want backdoors, they were forced into them.
This headline makes it seem like Apple was some sole bastion of privacy and security, solely fighting the government against backdoors. They weren't the only ones against backdoors.
Lawful Intercept (Score:2)
Yeah, working on cell phone software I was shocked that "Lawful Intercept" was so out in the open. Your location, your texts, I assume phone calls as well, all available and logged based on your IMEI that I'm sure they get from your cell phone company. Same probably exists for your ISP, browsing history, browsing location, OS type, etc. And iPhone's "frequent locations" on maps is also pretty scary where they want to know where you work, live, and frequent.
A router isn't a back door (Score:2)
Why are we calling routers back doors? The devices installed are primarily routers and possibly a small analytic blade for raw traffic. But mostly their job is to forward a small subset of all traffic. What is crazy is that by compromising these routers, China knew exactly what our government was interested in monitoring.
Apple right about something?!?!?! (Score:1)
> Chinese Hack of US ISPs Show Why Apple Is Right About Backdoors
Apple right about something?!?!?! ... I'VE FOUND A HERETIC!!! BUURRRN HIM!!!!
Re: (Score:1)
Relax, a little more looking into this will probably show apple to be wrong yet again.
Re: (Score:1)
That entirely depends on google’s marketing budget. The most vocal fan boys and apple critics are on the pay roll.
Re: Apple right about something?!?!?! (Score:3)
Apple was talking about building a "backdoor" into an encryption system. It has absolutely nothing to do with the ISP breaches, which were due to poor security policies.
Re: Apple right about something?!?!?! (Score:3)
I reckon GP is correct. Apple was talking about backdoors in encryption, not applications or services. Why do I say that? Because they already offer such backdoors. The government has even used said backdoors:
[1]https://appleinsider.com/artic... [appleinsider.com]
In fact, apple even wanted to add one the government didn't even ask for:
[2]https://www.theverge.com/2021/... [theverge.com]
This isn't even a matter of apple being right or wrong, just some apple fanboy editorializing it in there because he can't tell the difference between cryptographic
[1] https://appleinsider.com/articles/22/09/16/us-convicted-a-chinese-spy-with-help-from-an-icloud-backup
[2] https://www.theverge.com/2021/8/10/22613225/apple-csam-scanning-messages-child-safety-features-privacy-controversy-explained
Re: (Score:2)
And you can't see any commonality having a backdoor that was breached and used and what Apple was talking about.
Curious.
Are the crowds in the room with us now?
Re: (Score:2)
Posting to undo accidental downmod of parent.
(I meant to mod it +1 Funny ... )
Re: (Score:2)
Don't have to look far.
[1]Apple made claims of an unlock tool leading to orwellian society. [slashdot.org] Never mind that with the current system they have in-place for [2]signing firmwares for installation [theapplewiki.com], [3]the use of the device's unique ids [theapplewiki.com], and a [4]nonce [theapplewiki.com], Apple has so much control over an iOS device that they can individually target a unique device and limit the firmware it is allowed to install to a specific installation attempt. Not only would this have made the San Bernardino case irrelevant, as at this point creating a
[1] https://apple.slashdot.org/story/16/02/28/1540241/apple-lawyer-ted-olson-creating-unlock-tool-would-lead-to-orwellian-society?sdsrc=rel
[2] https://theapplewiki.com/wiki/SHSH_Protocol
[3] https://theapplewiki.com/wiki/SHSH
[4] https://theapplewiki.com/wiki/Nonce
Re: Apple right about something?!?!?! (Score:5, Informative)
> Apple right about something?!?!?! ...
Only them and pretty much everyone else.
Re: (Score:3)
Not to mention, every time you execute a program on an Apple PC/Laptop, it phones home. Plus "Apple right ???". No, everyone who knows a tiny bit about cyber security has been saying this for decades before Apple even existed. So all Apple is doing is echoing decades old comments.
Re: Apple right about something?!?!?! (Score:1)
Because backdoors only make sense when a private corporation makes them! My momma TOLD me!
Re: (Score:3)
> Apple right about something?!?!?! ... I'VE FOUND A HERETIC!!! BUURRRN HIM!!!!
Full disclosure: I do not like Apple, Sony, Microsoft, almost all game companies, telecom.
That said, Apple's stance on back doors is correct. Thus proving the adage that even greedy assholes can be correct when their imperatives are threatened. Apple doesn't want their user base to be hacked and owned.
That's Apple's job.
Re: (Score:2)
Apple still pulled off a masterclass in marketing and redirection. Somehow they prevented anyone from asking the correct question. That correct question is "WHY is it even possible for a company to compromise the user's encryption?". That is because they control it and they SHOULD NOT. Encryption plugins should allow the use of any encryption that the user chooses. Not encryption enforced by the creator that has the ability for them to give up the keys to the kingdom. Which encryption, and total control of k