Somehow only people like the Secret Service are technically capable to break into your privacy while destroying evidence of their own.
possiblylinux127@lemmy.zip
on 16 Jul 2024 05:35
collapse
This isn’t the secret service
refalo@programming.dev
on 16 Jul 2024 04:21
nextcollapse
Welp, encryption is optional boys and girls.
possiblylinux127@lemmy.zip
on 16 Jul 2024 05:35
collapse
No it isn’t as it is the default and can not be turned off (that’s good)
refalo@programming.dev
on 16 Jul 2024 05:48
collapse
Did you read the article? It doesn’t matter if you have encryption, they can break it in under a day.
possiblylinux127@lemmy.zip
on 16 Jul 2024 05:56
nextcollapse
True but that isn’t a reason to give up. We need stronger encryption
jet@hackertalks.com
on 16 Jul 2024 06:36
nextcollapse
That’s not an article. That’s sales pitch.
refalo@programming.dev
on 16 Jul 2024 06:39
collapse
Are you implying the post title is inaccurate? If so how?
jet@hackertalks.com
on 16 Jul 2024 06:40
nextcollapse
Just look at the incentives. A company trying to sell a product is going to promise everything.
This is not a third party review of the effectiveness of this product.
So I do not believe sales pitches without evidence
refalo@programming.dev
on 16 Jul 2024 06:57
collapse
This is not a third party review of the effectiveness of this product.
Since they only supply devices to law enforcement, I doubt anyone will find such a review, but I don’t think that means we should believe the product doesn’t work, at least in theory it sounds quite feasible to me. There is some information available online given by law enforcement saying that the product does work, personally I think this is enough that we should believe it does work.
refalo@programming.dev
on 17 Jul 2024 19:03
collapse
While I do agree with you, not everyone will agree on the authenticity of a particular source. I guess there is simply no way to be certain what their capabilities really are.
todd_bonzalez@lemm.ee
on 17 Jul 2024 15:21
collapse
Are you implying that all Lemmy post titles are demonstrably true?
How’s your object permanence?
todd_bonzalez@lemm.ee
on 17 Jul 2024 15:20
collapse
If encryption doesn’t matter to them, then at least one of these statements must be true of every phone they unlock:
The device wasn’t actually encrypted.
The device was already in a decrypted state and we bypassed the screen lock and not drive encryption.
We acquired the decryption keys somehow.
We have technology that can break modern encryption without learning keys from another source or brute forcing.
We have enough processing power to brute force a modern encryption algorithm.
#1 and #2 are possible because government contractors lie all the time about what they actually do. Pretending to decrypt stuff isn’t outside the realm of possibility.
#3 is the biggest concern, especially if they are able to infer what the key is by uncapping silicon or something, because that would mean that any phone that could be unlocked by this company is as good as unencrypted since the device contains the keys in a retrievable format for some reason.
#5 and #6 are pretty much impossible, and such abilities would be far more profitable if used for just about anything but unlocking phones.
jet@hackertalks.com
on 16 Jul 2024 04:41
nextcollapse
They imply they have active cracking abilities for all modern phones, that would be neat to see demonstrated.
It wouldn’t even be hard, just invite third party reporter to bring in a bunch of phones with a capture the flag text file on them. Take each phone one by one behind a screen, break it, bam you don’t have to give away any secrets but you prove that you can break the phone
refalo@programming.dev
on 16 Jul 2024 04:52
nextcollapse
And android only allows up to a 16 character password for some reason…
There is competition amongst the phone cracking companies. And there’s a limited amount of municipal money available. So they need to differentiate themselves from each other somehow.
There is good data that celibrite can break every phone out there right now, except for grapheneos… But I’ve heard no such data about this company. This means we can only speculate.
So if I was a municipality, and I wanted to decide who got my limited budget, I’d want to compare who’s giving me the best value for money. So I would need some metric, some data point, some way to differentiate them. That’s where reporting, would come in. The websites are public for a reason…
fmstrat@lemmy.nowsci.com
on 17 Jul 2024 14:39
collapse
The websites are there to get a phone call. No municipality is spending this kind of money without a 3-quote requirement and demos. (Unless there is a preexisting relationship/renewal)
todd_bonzalez@lemm.ee
on 17 Jul 2024 15:04
collapse
Okay so a company whose entire business model relys on their ability to bypass smartphone security is going to start an arms race with the security community that will lead to their own product losing viability?
There’s absolutely no incentive to do this. They have absolutely no reason to want smartphone security to improve, or to show off how they do what they do.
I agree they don’t want smartphone security to improve. But they also have to let their customers know which phones they can break.
possiblylinux127@lemmy.zip
on 16 Jul 2024 05:32
nextcollapse
Phones are really not that hard to compromise from an encryption standpoint. All they need to do is break a pin most of the time. Also the pin is very predicable and probably can be pulled from a cloud service like google.
Yeah that might be harder already considering thst, you know, most phone providers don’t give you that option
ShortN0te@lemmy.ml
on 16 Jul 2024 08:50
nextcollapse
I doubt it. That info is first party and not to be trusted since it is obviously marketing. Any third party article that backs up their claims?
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 14:06
collapse
Isn’t it an open secret that powerful entities (like spying institutions) can get into pretty much every system if they have physical access? Why is this not plausible
todd_bonzalez@lemm.ee
on 17 Jul 2024 15:01
nextcollapse
Because they would have to possess technology that doesn’t exist in order to circumvent actual encryption without a key.
If I adequately encrypt my own data, and keep the keys a secret, I could hand my hard drive off to Microsoft and they could spend billions running all their AI clusters trying to crack it, and it would be a futile endeavor.
If the government had the technology to bypass encryption or quickly and inexpensively crack it, they’d use it for a whole lot more than unlocking smartphones. They could basically control the flow of Bitcoin on a whim with such tech.
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 15:33
nextcollapse
I am aware that there are secure encryptions, but android isn’t hardware encrypted isn’t it?
Haven’t used google android for a while, but no encryption was one of the reasons I moved away from it.
No idea about apple, but longer startup times for storage encryption doesn’t seem like a very apple thing to do
Also phones are so seldom turned off, and if the system is running storage encryption becomes less of a concern as the key is somewhere in the ram
ReversalHatchery@beehaw.org
on 17 Jul 2024 16:00
collapse
For a few years now Android has been encrypting storage. Not the SD card, and maybe not even the internal storage (which on android land means your files that you can access with a file manager without root) but I’m not sure about that part. The app’s main data is surely encrypted though, when the security menu in the settings says so.
But, there’s a loophole. Or two.
The parent commenter said, actual encryption can’t be broken without keys.
First, the keys are in the black box TPM of the phone.
Second, how do you verify that the phone uses an effective and unmodified encryption algorithm, and also that keys are never leaked anywhere?
And now consider that popular brands have been bundling malware for years, some of which cannot really be uninstalled either.
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 16:44
collapse
Yeah TPM chip encryption is mostly not secure (at least not by simply existing, as an encryption with with a strong password that only exists in your head is) I’ve seen a german youtuber crack the bitlocker TPM encryption of a windows think pad, I have no doubt big companies can do this for the 3-4 most used TPM chips in android phones
And if you got the device and can damage it, even if you couldn’t crack the chip, putting the silicia under an electron microscope is always an option (lots of actual manhours of actual experts needed, but you could charge the client heavily to compensate)
No. The TPM was not cracked. The communication was sniffed, which is unencrypted. This requires a Device to be modified and then successfully unlocked to get exploited also this does not affect devices where the tpm is integrated in the SoC.
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 18:25
collapse
You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure.
You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data
in reality the data can easily be accessed, which could be considered as “cracking the device/bypassing the encryption” because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.
I don’t want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)
My point isn’t that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low
The device needs to be physically accessed and modified and then unlocked in order to exploit it.
Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.
Similar outcome.
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 21:10
collapse
The device needs to be physically accessed and modified and then unlocked in order to exploit it.
Exactly the service the company offers
Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.
This is not a hot take at all!
Sure thing, it is equally hard to confiscate/steal a device (if the user notices you just shrug) and open it no user input required
And
Stealing the device without the user noticing
Solder a keylogger, get it back to the user without them noticing and having them put in their password, then steal the device again so you can use said passwort
No. You watch too many Movies. Yes there were attempts from state sponsored actors to weaken encryption algorithms. But is encryption easy to crack? No.
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 18:11
collapse
Dude what encryption are you talking about?
Hardware storage encryption is just by now getting more widely adapted, the phone I used till a year ago didn’t even support any encryption.
Sure, aes-256 with secure password only stored in your mind is quasi 100℅ safe, but that is not how most devices handle their “encryption”.
If the key for the encryption is on the device, and either stored in an unencrypted TPM or unencrypted storage, its not a matter if breaking the encryption (quite impossible) but breaking the software/hardware (quite possible for someone with good enough forensics and skilled programmers)
Also also: encryption only helps if the device is off, which is seldom the case with phones.
Isn’t it an open secret that powerful entities (like spying institutions) can get into pretty much every system if they have physical access? Why is this not plausible
You stated in your original comment: “pretty much every system”. So no, any modern phone if android or iOS is by default encrypted.
If the key for the encryption is on the device, and either stored in an unencrypted TPM or unencrypted storage, its not a matter if breaking the encryption (quite impossible) but breaking the software/hardware (quite possible for someone with good enough forensics and skilled programmers)
TPMs are by design encrypted.
Keys are not stored unencrypted at least not when you encrypt your storage with modern solutions and set it up reasonably. You use either your TPM to store the key or store it on the drive and have it encrypted by itself or use a KDF.
Also also: encryption only helps if the device is off, which is seldom the case with phones.
No this assumption is wrong. You still would need to circumvent the Login into the device which is mostly secured by a pin or password or biometrics.
Jean_le_Flambeur@discuss.tchncs.de
on 17 Jul 2024 21:18
collapse
If you think TPMs are always encrypted, a key can be encrypted “with itself” and still be any use to you and android system pin is secure you are right.
Might also believe in santa
If you think TPMs are always encrypted, a key can be encrypted “with itself” and still be any use to you and android system pin is secure you are right.
Might also believe in santa
Not sure what you are rambling about the TPM.
Then prove that the Lockscreen is insecure.
Jean_le_Flambeur@discuss.tchncs.de
on 19 Jul 2024 10:56
collapse
As i guessed. You are evading the question by again babbling nonsense and questioning my knowledge instead of actually proving anything you are saying.
You have shown that you have a bad understanding of what you are actually talking about (see the ‘cracked’ TPM discussion) and constantly shifting the discussion away from what you are saying : “Basically every device can be accessed without major problems” and what i am trying to explain to you.
You are acting in bad faith.
Bye
Jean_le_Flambeur@discuss.tchncs.de
on 19 Jul 2024 15:23
collapse
You keep referring to concepts like
“Keys encrypted with itself”
“Tpm are by design encrypted”
When you don’t really say anything from value.
Not every “encryption” is the same.
When we talk about safe encryption we talk about file system level encryption of a system with safe algorithms like aes and a long enough random password (the key). this is safe.
If you store the key unencrypted on your phone, this encryption is no longer safe.
If you don’t know the 16 random digit key it HAS to be on the phone and it CAN’T be encrypted “by itself” because you would no longer have any means to decrypt it.
It could be encrypted with a pin, but again, then its only as strong as the pin, and I don’t know how long an only numeric pin would need to be to withstand modern brute forcing, but I doubt a relevant percentage of people have that kind of pin.
You can’t explain how this would be safe, so you just come at me with russels teapot and say “well you can’t prove its not safe” (which is true because I’m no security expert, but someone with enough knowledge could certainly) and lash out at me “acting in bad faith” because I don’t jump through your hoops of passive aggressive misunderstanding.
All I can do is refer to experts, who found things like CVE-2022-20465 - a bug which allowed lockscreen bypass.
As you could have googled that yourself, but you ask this just to throw me off.
But if you want to keep using your google android and bitlocker win and feel safe, its not my problem.
umami_wasbi@lemmy.ml
on 16 Jul 2024 13:42
nextcollapse
“lawful access” lol
ReversalHatchery@beehaw.org
on 17 Jul 2024 15:53
collapse
Next will be direct “lawful access” to our thoughts when the tech becomes available
lemmyreader@lemmy.ml
on 17 Jul 2024 12:06
nextcollapse
This looks like old news to me. Years ago I’ve read that three letter agencies can access phones without getting the access code or bio-metrics from the phone owner.
Lot of cope and denial in these threads. Yes the same-day is probably a rosy estimate based off people using 6 digit codes or something easy to crack, doesn’t mean it’s false or that they can’t hypothetically target longer alpha-numeric passwords. For all we know they might not even be brute-forcing and could be conducting some sort of exploit that over time reveals the encryption keys themselves in some way.
I’m still very curious about the nature of the mechanisms of action. I assume they manage to bypass the basic lock-out against entering too many passcodes too quickly somehow which is what enables this. If throttling could be properly enforced (to say nothing of something like 10 attempts and it refuses all future attempts and erases the key type of thing) this type of attack wouldn’t be practical for anyone using anything above a 6 digit numerical passcode in any reasonable timeframe. I wonder if they exploit wireless radios including cellular, wifi, bluetooth and force some code on the phones via these usually-on chips that enables this via exploiting problems in their architecture. Perhaps something that locks up, prevents functioning or resets certain checks via flooding parts of the hardware/software from these points of access. Or if it really is purely phy/log access to the lightning/usb-c port.
threaded - newest
npr.org/…/secret-service-erased-texts-from-two-da…
Somehow only people like the Secret Service are technically capable to break into your privacy while destroying evidence of their own.
This isn’t the secret service
Welp, encryption is optional boys and girls.
No it isn’t as it is the default and can not be turned off (that’s good)
Did you read the article? It doesn’t matter if you have encryption, they can break it in under a day.
True but that isn’t a reason to give up. We need stronger encryption
That’s not an article. That’s sales pitch.
Are you implying the post title is inaccurate? If so how?
Just look at the incentives. A company trying to sell a product is going to promise everything.
This is not a third party review of the effectiveness of this product.
So I do not believe sales pitches without evidence
Since they only supply devices to law enforcement, I doubt anyone will find such a review, but I don’t think that means we should believe the product doesn’t work, at least in theory it sounds quite feasible to me. There is some information available online given by law enforcement saying that the product does work, personally I think this is enough that we should believe it does work.
imore.com/…/documents-reveal-exactly-how-much-iph…
imore.com/unredacted-graykey-nda-outlines-instruc…
Yes this one is from the manufacturer but it does have more detail in how the device helped in individual cases if you are to believe what they say: grayshift.com/…/101921_eb_Grayshift_AccessToTheTr…
Strong statements require strong evidence.
You should always evaluate opaque claims using multiple sources that have different vested interests
…grapheneos.org/…/12848-claims-made-by-forensics-…
Vs
theverge.com/…/fbi-trump-rally-shooter-phone-thom…
While I do agree with you, not everyone will agree on the authenticity of a particular source. I guess there is simply no way to be certain what their capabilities really are.
Are you implying that all Lemmy post titles are demonstrably true?
How’s your object permanence?
If encryption doesn’t matter to them, then at least one of these statements must be true of every phone they unlock:
#1 and #2 are possible because government contractors lie all the time about what they actually do. Pretending to decrypt stuff isn’t outside the realm of possibility.
#3 is the biggest concern, especially if they are able to infer what the key is by uncapping silicon or something, because that would mean that any phone that could be unlocked by this company is as good as unencrypted since the device contains the keys in a retrievable format for some reason.
#5 and #6 are pretty much impossible, and such abilities would be far more profitable if used for just about anything but unlocking phones.
They imply they have active cracking abilities for all modern phones, that would be neat to see demonstrated.
It wouldn’t even be hard, just invite third party reporter to bring in a bunch of phones with a capture the flag text file on them. Take each phone one by one behind a screen, break it, bam you don’t have to give away any secrets but you prove that you can break the phone
And android only allows up to a 16 character password for some reason…
That is mostly good enough, a password that does not get cracked if it is generated randomly.
But how are you going to remember a 16 chars mix alpha num symbol password that’s randomly generated?
Yeah the key space is vast but it’s hard for most brains to handle it.
It’s not that hard. I use such a password for my phone
most
Why would they do this when they already make millions? The general public isn’t buying their product. They’ll only do private demos.
There is competition amongst the phone cracking companies. And there’s a limited amount of municipal money available. So they need to differentiate themselves from each other somehow.
There is good data that celibrite can break every phone out there right now, except for grapheneos… But I’ve heard no such data about this company. This means we can only speculate.
So if I was a municipality, and I wanted to decide who got my limited budget, I’d want to compare who’s giving me the best value for money. So I would need some metric, some data point, some way to differentiate them. That’s where reporting, would come in. The websites are public for a reason…
The websites are there to get a phone call. No municipality is spending this kind of money without a 3-quote requirement and demos. (Unless there is a preexisting relationship/renewal)
Okay so a company whose entire business model relys on their ability to bypass smartphone security is going to start an arms race with the security community that will lead to their own product losing viability?
There’s absolutely no incentive to do this. They have absolutely no reason to want smartphone security to improve, or to show off how they do what they do.
I agree they don’t want smartphone security to improve. But they also have to let their customers know which phones they can break.
Phones are really not that hard to compromise from an encryption standpoint. All they need to do is break a pin most of the time. Also the pin is very predicable and probably can be pulled from a cloud service like google.
It is actually pretty horrifying to think about
Or, you know, don’t use pins, use passwords
And use secure open source ROMs!
Yeah that might be harder already considering thst, you know, most phone providers don’t give you that option
I doubt it. That info is first party and not to be trusted since it is obviously marketing. Any third party article that backs up their claims?
Isn’t it an open secret that powerful entities (like spying institutions) can get into pretty much every system if they have physical access? Why is this not plausible
Because they would have to possess technology that doesn’t exist in order to circumvent actual encryption without a key.
If I adequately encrypt my own data, and keep the keys a secret, I could hand my hard drive off to Microsoft and they could spend billions running all their AI clusters trying to crack it, and it would be a futile endeavor.
If the government had the technology to bypass encryption or quickly and inexpensively crack it, they’d use it for a whole lot more than unlocking smartphones. They could basically control the flow of Bitcoin on a whim with such tech.
I am aware that there are secure encryptions, but android isn’t hardware encrypted isn’t it? Haven’t used google android for a while, but no encryption was one of the reasons I moved away from it.
No idea about apple, but longer startup times for storage encryption doesn’t seem like a very apple thing to do
Also phones are so seldom turned off, and if the system is running storage encryption becomes less of a concern as the key is somewhere in the ram
For a few years now Android has been encrypting storage. Not the SD card, and maybe not even the internal storage (which on android land means your files that you can access with a file manager without root) but I’m not sure about that part. The app’s main data is surely encrypted though, when the security menu in the settings says so.
But, there’s a loophole. Or two.
The parent commenter said, actual encryption can’t be broken without keys.
First, the keys are in the black box TPM of the phone.
Second, how do you verify that the phone uses an effective and unmodified encryption algorithm, and also that keys are never leaked anywhere?
And now consider that popular brands have been bundling malware for years, some of which cannot really be uninstalled either.
Yeah TPM chip encryption is mostly not secure (at least not by simply existing, as an encryption with with a strong password that only exists in your head is) I’ve seen a german youtuber crack the bitlocker TPM encryption of a windows think pad, I have no doubt big companies can do this for the 3-4 most used TPM chips in android phones
And if you got the device and can damage it, even if you couldn’t crack the chip, putting the silicia under an electron microscope is always an option (lots of actual manhours of actual experts needed, but you could charge the client heavily to compensate)
No. The TPM was not cracked. The communication was sniffed, which is unencrypted. This requires a Device to be modified and then successfully unlocked to get exploited also this does not affect devices where the tpm is integrated in the SoC.
You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure. You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data
in reality the data can easily be accessed, which could be considered as “cracking the device/bypassing the encryption” because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.
I don’t want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)
My point isn’t that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low
The device needs to be physically accessed and modified and then unlocked in order to exploit it.
Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.
Similar outcome.
Exactly the service the company offers
This is not a hot take at all!
Sure thing, it is equally hard to confiscate/steal a device (if the user notices you just shrug) and open it no user input required And Stealing the device without the user noticing Solder a keylogger, get it back to the user without them noticing and having them put in their password, then steal the device again so you can use said passwort
I totally agree
No. You watch too many Movies. Yes there were attempts from state sponsored actors to weaken encryption algorithms. But is encryption easy to crack? No.
Dude what encryption are you talking about? Hardware storage encryption is just by now getting more widely adapted, the phone I used till a year ago didn’t even support any encryption.
Sure, aes-256 with secure password only stored in your mind is quasi 100℅ safe, but that is not how most devices handle their “encryption”.
If the key for the encryption is on the device, and either stored in an unencrypted TPM or unencrypted storage, its not a matter if breaking the encryption (quite impossible) but breaking the software/hardware (quite possible for someone with good enough forensics and skilled programmers)
Also also: encryption only helps if the device is off, which is seldom the case with phones.
You stated in your original comment: “pretty much every system”. So no, any modern phone if android or iOS is by default encrypted.
TPMs are by design encrypted.
Keys are not stored unencrypted at least not when you encrypt your storage with modern solutions and set it up reasonably. You use either your TPM to store the key or store it on the drive and have it encrypted by itself or use a KDF.
No this assumption is wrong. You still would need to circumvent the Login into the device which is mostly secured by a pin or password or biometrics.
If you think TPMs are always encrypted, a key can be encrypted “with itself” and still be any use to you and android system pin is secure you are right. Might also believe in santa
Not sure what you are rambling about the TPM.
Then prove that the Lockscreen is insecure.
How do you think encryption works?
What do you think does a lockscreen?
As i guessed. You are evading the question by again babbling nonsense and questioning my knowledge instead of actually proving anything you are saying.
You have shown that you have a bad understanding of what you are actually talking about (see the ‘cracked’ TPM discussion) and constantly shifting the discussion away from what you are saying : “Basically every device can be accessed without major problems” and what i am trying to explain to you.
You are acting in bad faith.
Bye
You keep referring to concepts like “Keys encrypted with itself” “Tpm are by design encrypted”
When you don’t really say anything from value.
Not every “encryption” is the same.
When we talk about safe encryption we talk about file system level encryption of a system with safe algorithms like aes and a long enough random password (the key). this is safe.
If you store the key unencrypted on your phone, this encryption is no longer safe.
If you don’t know the 16 random digit key it HAS to be on the phone and it CAN’T be encrypted “by itself” because you would no longer have any means to decrypt it.
It could be encrypted with a pin, but again, then its only as strong as the pin, and I don’t know how long an only numeric pin would need to be to withstand modern brute forcing, but I doubt a relevant percentage of people have that kind of pin.
You can’t explain how this would be safe, so you just come at me with russels teapot and say “well you can’t prove its not safe” (which is true because I’m no security expert, but someone with enough knowledge could certainly) and lash out at me “acting in bad faith” because I don’t jump through your hoops of passive aggressive misunderstanding.
All I can do is refer to experts, who found things like CVE-2022-20465 - a bug which allowed lockscreen bypass.
As you could have googled that yourself, but you ask this just to throw me off.
But if you want to keep using your google android and bitlocker win and feel safe, its not my problem.
“lawful access” lol
Next will be direct “lawful access” to our thoughts when the tech becomes available
This looks like old news to me. Years ago I’ve read that three letter agencies can access phones without getting the access code or bio-metrics from the phone owner.
Lot of cope and denial in these threads. Yes the same-day is probably a rosy estimate based off people using 6 digit codes or something easy to crack, doesn’t mean it’s false or that they can’t hypothetically target longer alpha-numeric passwords. For all we know they might not even be brute-forcing and could be conducting some sort of exploit that over time reveals the encryption keys themselves in some way.
I’m still very curious about the nature of the mechanisms of action. I assume they manage to bypass the basic lock-out against entering too many passcodes too quickly somehow which is what enables this. If throttling could be properly enforced (to say nothing of something like 10 attempts and it refuses all future attempts and erases the key type of thing) this type of attack wouldn’t be practical for anyone using anything above a 6 digit numerical passcode in any reasonable timeframe. I wonder if they exploit wireless radios including cellular, wifi, bluetooth and force some code on the phones via these usually-on chips that enables this via exploiting problems in their architecture. Perhaps something that locks up, prevents functioning or resets certain checks via flooding parts of the hardware/software from these points of access. Or if it really is purely phy/log access to the lightning/usb-c port.