
Apple's War Against Jailbreaking Now Makes Perfect Sense

Posted by timothy
from the sacrifice-the-phone-to-save-your-world dept.
An anonymous reader writes "Apple has always been extremely anti-jailbreaking, but it might now have a good reason to plug up the exploits. As Hardware 2.0 argues, Apple's new iOS 7 Activation Lock anti-theft mechanism which renders stolen handsets useless (even after wiping) unless the owner's Apple ID is entered relies on having a secure, locked-down OS. Are the days of jailbreaking iOS coming to a close?" I can see a whole new variety of phone-based ransom-ware based on this capability, too.
  • by Sockatume (732728) on Tuesday June 11, 2013 @07:46AM (#43971825)

    timothy, you're going to have to explain how the implementation of this feature by Apple in any way changes a developer's ability to create ransomware with similar functionality. 'Cause the way I see it, to be able to hijack the Authentication Lock, you're probably going to have to have sufficiently low-level access to just implement your own lock.

    • by Joce640k (829181) on Tuesday June 11, 2013 @08:03AM (#43972015) Homepage

      The phone's CPU could have a special PIN number that comes on a scratch card in the box when you buy it.

      If your phone gets stolen you call your operator and read them the PIN. They send out a "kill" signal and the phone commits suicide.

      This is impossible for hackers to fake - they can never know the PIN.

      • by Plumpaquatsch (2701653) on Tuesday June 11, 2013 @08:18AM (#43972215) Journal

        The phone's CPU could have a special PIN number that comes on a scratch card in the box when you buy it.

        If your phone gets stolen you call your operator and read them the PIN. They send out a "kill" signal and the phone commits suicide.

        This is impossible for hackers to fake - they can never know the PIN.

        Yeah, they can only send millions of kill messages with random PINs out. No harm done.

        • Re: (Score:2, Insightful)

          by Joce640k (829181)

          a) Who's "they"?

          b) If the pin is 10 digits then "they" are wasting their time.

          • 1 billion combinations is hard to brute force these days?

          • If the pin is 10 digits then "they" are wasting their time

            Assuming that they are generated by a strong random number generator. Of course, there are no recent examples of random number generators having a lot less entropy than was believed (or required for the application). Well, except for that whole chip-and-pin thing. And the Debian OpenSSL packages. And...

      • by Anonymous Coward on Tuesday June 11, 2013 @08:19AM (#43972241)

        This PIN number thingamajiggy you speak of, is it to enter into the LCD display of an ATM machine? Good thing those are engineered using CAD design, but even better they're not programmed using BASIC code and don't run on a DOS operating system anymore, and now have gobs of RAM memory!

      • This is impossible for hackers to fake - they can never know the PIN.

        You probably believe God created the heavens and the earth in six days, too.

        The pirate quote that three men can keep a secret if two of them are dead is only close to the truth. How many folks have asked if you yourself can keep a secret as they get ready to tell you one of their own? I always say I can't yet they tell me their secret anyway.

        We have a secret code, a secret algorithm, an unbreakable cipher. Like kids in a tree house with a sign saying No Grrrlz Allowed.

    • by Anonymous Coward on Tuesday June 11, 2013 @08:09AM (#43972079)

      In our business we have had several thousand 4's stolen over the last 2 years. We have 0 recourse to recover them. Apple admits they see them popping up all over the world under other names but can't recall or stop them from being used.

      Bricking them or recovering them was a request of many businesses and officers of the law. Dry up the demand and you will slow down the theft.

      • Re: (Score:3, Insightful)

        by Moryath (553296)

        Apple admits they see them popping up all over the world under other names but WON'T recall or stop them from being used.

        FTFY.

        Apple are lazy-ass sons of bitches as are the cell companies complicit in this shit. They "admit they see them popping up all over the world" but they WON'T:

        - Flag the account of the new user as using a stolen phone.
        - Deactivate that user's account / internet access until they come in to complain and then point out that the phone is stolen.

        Not "Can't." WON'T. Big fucking difference t

        • Re: (Score:3, Insightful)

          by Sockatume (732728)

          You think a rogue carrier that doesn't obey the IMEI blacklist is going to obey a request from Apple to cancel someone's service plan?

        • Not "Can't." WON'T. Big fucking difference there.

          To be fair, most auto manufacturers don't incorporate a functionality that kills the engine of a stolen car (GM has OnStar which does it, but that requires a subscription by the owner).

          • by ArsonSmith (13997)

            But they do have a VIN that, if it shows up somewhere, the car is impounded and possibly returned to the proper owner or insurance carrier at some point.

      • by Belial6 (794905) on Tuesday June 11, 2013 @12:10PM (#43975533)
        Apple isn't the problem here with stolen phones. Law enforcement is. Our phones' locations are tracked. We all know this. No one is denying that our phones are tracked. The police literally get a map with the bad guy's location marked on it, and a constant stream of evidence to prove that the bad guy is guilty of a crime.
  • The problem is... (Score:2, Insightful)

    by Darkness404 (1287218)
    The problem is, as with most anti-theft technology like this, it won't hurt the thieves as much as it will screw-over buyers of used hardware.

    This will not cut down on theft as much as it will simply cripple the trust of the secondary market. After all, you can still steal an iPhone, stick it on Craigslist for cash, sell it to some poor sucker and leave before he charges up the phone and figures out it was stolen and won't work.
    • by Anonymous Coward on Tuesday June 11, 2013 @07:56AM (#43971939)

      Really? You'd buy a "gray-market" iPhone without seeing that it's on, and operational? Are you that retarded, really? I can only assume that you're retarded, since I can't imagine even the most dim-witted average person forking over good money for an iPhone without verifying that the thing is functional.

      What this does is it makes it *mostly pointless* for someone to steal an iPhone, unless (until) someone finds a way to circumvent this activation lock. If it's useless, that scam works a limited number of times, and you're going to have some 'splainin to do to your customers. And you're going to have some angry customers who know who you are and can provide a description to police... "Hey I bought this iPhone advertised on Craigslist, and I have reason to believe it's stolen. I got it from this guy, here's his name and description."

      • Re: (Score:3, Interesting)

        by djrosen (265939)

        Yeah because no thief has ever put it into another iPhone box and shrink wrapped it and sold it as new before...

        • by Anonymous Coward on Tuesday June 11, 2013 @08:13AM (#43972145)

          Go to an Apple store, they take it out of the box right there and activate it. Go to an AT&T store, they take it out of the box right there and activate it.

          There's no reason to not say "open the shrinkwrap, plug it in, and let's verify that it's ready for activation, and not a brick."

          If the person you're buying from suddenly gets all nervous and says "I gotta go man, just gimme the money and take the phone, I ain't got time for that," then there's a pretty fucking good warning that you're getting scammed.

          Seriously, you people are fucking dense if you think this will do anything but reduce the number of stolen iPhones.

        • by Joce640k (829181) on Tuesday June 11, 2013 @08:17AM (#43972197) Homepage

          Yeah because no thief has ever put it into another iPhone box and shrink wrapped it and sold it as new before...

          If you're buying "new" iPhones from unknown people in gas stations then you deserve what you get IMHO.

        • Yeah because no thief has ever put it into another iPhone box and shrink wrapped it and sold it as new before...

          Why would they bother putting an old iPhone in it, when they can just sell a lump of clay?

    • by Joce640k (829181)

      I imagine people will get wise to that one real fast...

      • I imagine people will get wise to that one real fast...

        Are you sure? One born every minute...

      • Re:The problem is... (Score:5, Interesting)

        by bluefoxlucid (723572) on Tuesday June 11, 2013 @08:09AM (#43972095) Journal
        I think that was the point. People will see a pattern of phones sold second-hand not working, and will cease to buy second-hand phones. Legitimate sellers are screwed.
        • Re: (Score:3, Insightful)

          by BitZtream (692029)

          Right, it's not like they could ... you know ... figure out to turn the fucking thing on and try it first ... that's not something that anyone would ever think of.

          Why are people on slashdot ... who think they are so smart and clever ... so utterly stupid to the fact that people have been ...

          turning on and trying their used iPhones before buying them for years ALREADY?

          Does your dumb ass buy a used car without trying it too?

    • Re:The problem is... (Score:5, Interesting)

      by Anonymous Coward on Tuesday June 11, 2013 @08:47AM (#43972615)

      ...it will simply cripple the trust of the secondary market...

      I think it will just change the protocol for selling on eBay or Craigslist. Sellers will probably learn to post a picture of the phone, turned on, showing the date... and also the serial number or something. If you can get into the settings, then it wouldn't be locked. But really, sending a bricked phone is no different from sending a broken phone or no phone at all, so I think this all falls into the "fraud" dept.

      FWIW, there were five things which immediately went through my head when I saw them announce Activation Lock. In order, they are:
        - "If iOS7 can be jailbroken, Activation Lock is useless"
        - "There needs to be a simpler way to 'release' a phone from your ownership". (I once went into "Find My iPhone" and was able to see all three iPads I've ever owned and the last three iPhones I've had. It turns out that it takes some deliberate navigating, on the part of the user, to indicate that they no longer own a device. That needs to be simpler.)
        - It needs to be *verifiable* by the buyer that a device isn't "owned" by anybody. Otherwise, the device could be locked at any time in the future. (or... there needs to be a way for someone with a locked phone to track down the person with locking rights on a phone so that they can say "Hey... remember that phone you sold back to BestBuy last Spring? They never released you as the owner". Almost like doing a title-search on a piece of property.)
        - Apple will probably need some kind of arbitration dept. for the "This dude sold me his phone and won't release his lock rights" or "I can't find the person who has lock rights" issues.
        - If this is something which people have to turn on in the phone before it gets stolen, it's going to be useless. Almost nobody is going to take the time to enable it, which means a small fraction of stolen phones will get activation-locked, which means there will be a small deterrent to theft.

      I eagerly await the rollout of iOS7 to see how Apple deals with these issues.

    • I said this before, but i'll say it again.
      Ok. So let's say in the perfect world you disable the device that was stolen.
      What's to prevent the thief from taking it apart and selling everything piece by piece on ebay? The digitizer, lcd, battery, frame, etc is all salvageable and can fetch a few hundred dollars. It's the electronic form of a chop shop.
      I don't see how this will curb thefts at all. It's not a technological solution that can solve this issue. It sounds like a really bad idea. If someone learn

  • by Anonymous Coward on Tuesday June 11, 2013 @07:50AM (#43971869)

    How about "war against security exploits that allow malicious users to gain unrestricted access to your phone?"

    I guess Linux and Microsoft are both engaged in a 'war against jailbreaking' too, when they close fucking security exploits.

    Jesus christ - if you want root on your device, get a device that is built to allow that. Don't bitch that a company closes fucking security holes in its software.

    • Boycott Apple (Score:2, Insightful)

      by tuppe666 (904118)

      Jesus christ - if you want root on your device, get a device that is built to allow that. Don't bitch that a company closes fucking security holes in its software.

      I agree it is time to boycott apple for their anti-consumer practices than excusing their behaviour.

    • I guess Linux and Microsoft are both engaged in a 'war against jailbreaking' too, when they close fucking security exploits.

      Closing security exploits isn't a "war against jailbreaking" if there's no "jail", that is, if the operating system's publisher doesn't monopolize distribution of applications. Each GNU/Linux distribution has a central repository of applications, but PC owners are free to add more repositories or to install the compiler at no additional charge. Users are likewise free to add desktop applications whencever obtained for Windows on x86 and x86-64.

      Jesus christ - if you want root on your device, get a device that is built to allow that.

      What make and model of pocket-size tablet would you recommend fo

    • by gman003 (1693318)

      It wouldn't be nearly as much of a problem if jailbreaking wasn't the only way to install software of your choosing, not Apple's.

    • by GameboyRMH (1153867) <gameboyrmh@gmail. c o m> on Tuesday June 11, 2013 @09:22AM (#43973101) Journal

      This. When you want an open device but instead buy a jailed device and jailbreak it, you're voting with your dollars to say "YES, more locked-down toys, I LURV DEM SO GOOD!"

    • Agreed, this. I once talked to an Apple engineer who works on security; this was the whole reason to plug the holes found by jailbreakers. After all, if you can visit a website that gives you root, you could visit a website that gives Sergei in eastern Russia root too. He could steal your saved passwords, or make collect calls, or send spam, or do thousands of other things to earn some quick money once he has control of your device. The jailbreakers just provide Apple with a convenient security testing serv

  • IMEI (Score:5, Insightful)

    by ssam (2723487) on Tuesday June 11, 2013 @07:56AM (#43971927)

    What's wrong with IMEI blacklisting?

    • What's wrong with IMEI blacklisting?

      Only works across whatever region(s) share blacklists.

    • Re:IMEI (Score:5, Insightful)

      by Bodero (136806) on Tuesday June 11, 2013 @08:00AM (#43971981)

      What's wrong with IMEI blacklisting?

      Carrier unlocking, and the fact that a locked out iPhone still makes a great iPod Touch.

    • Re:IMEI (Score:5, Insightful)

      by Plumpaquatsch (2701653) on Tuesday June 11, 2013 @08:07AM (#43972059) Journal

      What's wrong with IMEI blacklisting?

      Ask the people who just last month complained that it wasn't enough. Like the NYT [nytimes.com], who of course singled out Apple.

    • by Afty0r (263037)

      Probably the fact that the IMEI number can be changed?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      1) Only enforced by a few countries in this world

      2) Can be easily bypassed even in those countries

      3) Even in the countries that enforce it, not all phones that are stolen are in fact blocked at all.. They'll lose money if they do...

      I speak from personal experience working in a telecoms company that rhymes with JIM that sold their phones through 2 phone providers in UK that rhyme with Citrus sinensis and Carbon Dioxide respectively, and after checking the devices that customers report as stolen directly to

  • time to implement (Score:5, Insightful)

    by blackraven14250 (902843) on Tuesday June 11, 2013 @07:56AM (#43971933)
    The summary implies they've had this in the works for multiple iterations of iOS and never did it. I find it highly doubtful they were ready to implement this, but didn't for what, 5 consecutive versions of iOS?
    • The summary implies they've had this in the works for multiple iterations of iOS and never did it. I find it highly doubtful they were ready to implement this, but didn't for what, 5 consecutive versions of iOS?

      Your post implies that all the other security mechanisms in iOS, that get disabled by jailbreaking, don't exist.

    • by Sockatume (732728)

      I imagine that Mayor Bloomberg's recent meeting with major phone manufacturers may have been a factor.

  • by readingaccount (2909349) on Tuesday June 11, 2013 @07:57AM (#43971945)

    But we do want, insist actually, on root access for devices we own. If you can't log in as root, you don't own the device. Just give me the option to turn on root access using my Apple ID. Closing holes that allow for unauthorized privilege elevation is a good thing. Disallowing authorized use of the full functionality of a device is a bad thing.

  • by killfixx (148785) * on Tuesday June 11, 2013 @07:57AM (#43971947) Journal

    Wow...

    Would you steal a stereo? Would you steal a purse? Well, if you jailbreak your iPhone, you may as well!

    Jailbreaking your iPhone prohibits Apple from protecting the safety of your loved ones. Think of the children.

    TERRORISTS!!

    Shenanigans!!

    Anything to convince law-makers that having control over your own devices is evil.

    Bah!

  • When you control the hardware the way Apple does, there is no problem in separating the lock-feature from the main operating system, similar to what happens with a Trusted Platform Module in a Laptop. In fact, one may argue that relying on the operating system to handle this as part of its regular codebase is hopeless, as it means any jailbroken device can also be "unlocked" again.

    If they actually wanted to make this secure they would have separated it from the main OS.

    Having said that, one can hardly argue against a company working to close known vulnerabilities and security issues within their software, so Apple really should be working hard to close these exploits regardless of the lock-feature.

    - Jesper

  • by cyber-vandal (148830) on Tuesday June 11, 2013 @07:59AM (#43971975) Homepage

    They want to prevent anyone else from starting an app store in competition with theirs.

    • by chispito (1870390) on Tuesday June 11, 2013 @08:10AM (#43972107)

      They want to prevent anyone else from starting an app store in competition with theirs.

      Except that makes it more difficult to explain in condescending terms of how Apple knows what is best for its customers.

      • by gl4ss (559668)

        They want to prevent anyone else from starting an app store in competition with theirs.

        Except that makes it more difficult to explain in condescending terms of how Apple knows what is best for its customers.

        if they wanted to protect their customers they could offer a signing and certification service(that was the old way in the mobile world).
        the new apple way is just "fuck you we take the cash cut". as sad it is, it was hailed as good thing in the mobile world because the old market routes took even a bigger cut!

  • by Rich0 (548339) on Tuesday June 11, 2013 @08:03AM (#43972019) Homepage

    There is a simple solution to theft - initialize each device with a unique key, and give a copy of that key to the owner. By all means pre-load it with trust for the vendor key as well so that it can auto-update by default, but the master key goes to the user. The key might be a $2 USB drive in a little envelope that says "keep safe and don't open unless you want to modify the OS software - Vendor may not be able to repair devices without this key."

    The average user just sticks the key in a drawer and gets the default experience. A user who wants to unlock the device just downloads their alternate firmware installer of choice and it will ask them to insert their key so that it can reflash the phone. Users could also disable the Vendor's keys if they wish. By all means let users generate their own keys and install those on the device as well (obviously this will require the previous key). In the case of business-owned phones the business would procure the phone and keep the key, and thus they can stay in control of the hardware even if they allow employees to use it.

    Now users can reflash at will, but if somebody steals the phone they will be unable to do so. It would have minimal cost, and since the defaults are all idiot-proof those who don't care about the feature can ignore it and as long as they don't remove the Vendor key the vendor can still do anything they can do today. However, it would establish that the person who paid for the phone is the one who owns it. Since the key is a tangible object, it can be transferred if the owner wishes to do so, and I'd just make it a read-only simple USB drive so that it could be copied if desired as well - just like a car key.
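The owner-key scheme proposed in the comment above, sketched as an added example (it is not part of the thread and not any vendor's actual mechanism). It assumes symmetric HMAC keys for brevity where a real design would use public-key signatures; `Device`, `tag` and the command names are hypothetical.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, purpose: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over a purpose label plus payload (domain separation)."""
    return hmac.new(key, purpose + b"\x00" + payload, hashlib.sha256).digest()


def sign_owner_command(key: bytes, counter: int, command: bytes, payload: bytes) -> bytes:
    """Authorise one owner command for one specific device counter value."""
    msg = counter.to_bytes(8, "big") + command + b"\x00" + payload
    return tag(key, b"owner-cmd", msg)


class Device:
    """Toy bootloader: reflashes only for a key it currently trusts."""

    COMMANDS = (b"disable-vendor", b"rotate-owner-key")

    def __init__(self, owner_key: bytes, vendor_key: bytes):
        self.owner_key = owner_key      # the key shipped to the buyer
        self.vendor_key = vendor_key    # pre-loaded so default updates work
        self.vendor_enabled = True
        self.counter = 0                # monotonic, defeats command replay
        self.firmware = b"factory-image"

    def flash(self, image: bytes, image_tag: bytes) -> bool:
        keys = [self.owner_key] + ([self.vendor_key] if self.vendor_enabled else [])
        ok = any(hmac.compare_digest(tag(k, b"flash", image), image_tag) for k in keys)
        if ok:
            self.firmware = image
        return ok

    def owner_command(self, command: bytes, payload: bytes, cmd_tag: bytes) -> bool:
        if command not in self.COMMANDS:
            return False
        expected = sign_owner_command(self.owner_key, self.counter, command, payload)
        if not hmac.compare_digest(expected, cmd_tag):
            return False
        self.counter += 1
        if command == b"disable-vendor":
            self.vendor_enabled = False
        else:  # rotate-owner-key: installing a new key requires the previous one
            self.owner_key = payload
        return True


def demo() -> dict:
    """Constructed scenario: thief, vendor update, owner lockdown, key rotation."""
    owner, vendor, thief = (secrets.token_bytes(32) for _ in range(3))
    dev = Device(owner, vendor)
    out = {}
    out["thief_flash"] = dev.flash(b"thief-rom", tag(thief, b"flash", b"thief-rom"))
    out["vendor_update"] = dev.flash(b"vendor-update", tag(vendor, b"flash", b"vendor-update"))
    t = sign_owner_command(owner, dev.counter, b"disable-vendor", b"")
    out["disable_vendor"] = dev.owner_command(b"disable-vendor", b"", t)
    out["replayed_command"] = dev.owner_command(b"disable-vendor", b"", t)
    out["vendor_after_disable"] = dev.flash(b"vendor-2", tag(vendor, b"flash", b"vendor-2"))
    out["owner_flash"] = dev.flash(b"custom-rom", tag(owner, b"flash", b"custom-rom"))
    new_owner = secrets.token_bytes(32)  # e.g. the phone is sold on
    t = sign_owner_command(owner, dev.counter, b"rotate-owner-key", new_owner)
    out["rotate"] = dev.owner_command(b"rotate-owner-key", new_owner, t)
    out["old_owner_flash"] = dev.flash(b"old-rom", tag(owner, b"flash", b"old-rom"))
    out["new_owner_flash"] = dev.flash(b"new-rom", tag(new_owner, b"flash", b"new-rom"))
    out["final_firmware"] = dev.firmware
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
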

    • by Rich0 (548339)

      Hate to self-reply, but you could market this as a feature for the average user too. Call it a "digital key." If the user ever forgets their password or otherwise messes up their device they can always use their key to unlock it, using the Vendor's software. The average single car-buyer is probably already used to getting a second set of keys and giving it to somebody to help them out in a jam, or keeping them someplace safe just in case. It should be a familiar metaphor.

    • by Luthair (847766)
      Or you could make it easy and allow a user the ability to report a device tied to their account as lost/stolen, then Apple can simply render the device useless by refusing logins, syncs, etc.
  • I'm so sure that after someone steals an iPhone, they'll give it back to the owner once they realize that it can't be used because it's in lockdown mode. In reality, they'll destroy it and/or sell it for parts. It won't be a deterrent either. A thief can't tell the difference between the versions so if it has an Apple logo, it's getting stolen regardless.
    • I think their intended (pipe-dream) goal is...

      If they make a solidly secure iPhone + OS that makes it either impossible to root OR makes it impossible to remote-kill if it's stolen. Then A) your info would be safe and B) eventually the thieves will learn that the phones aren't worth stealing since they're remote-killed within a few hours / days. Eventually the demand would go down because who wants a phone that's going to be zapped within days / hours.

      Of course... this is all pie-in-the-sky. I really don

  • Jailbreaking is a personal choice..Apple, nor any other company should be allowed to tell me what I can do with my purchased hardware. If I want to take a chance by jailbreaking my phone it should be up to me.
    • by joh (27088)

      Jailbreaking is a personal choice..Apple, nor any other company should be allowed to tell me what I can do with my purchased hardware. If I want to take a chance by jailbreaking my phone it should be up to me.

      But how does your phone know it's you who's jailbreaking it?

      Watertight security even when you have physical access to a device has two sides: It protects your data (and may allow you to brick the phone remotely) but it also locks you out. It's very hard to have one but not the other.

      • by thaylin (555395)
        you assume that matters, it does not.. My PC does not know if it is me who is loading an OS or not but it still allows it to be done unless I lock it.
  • The reason Apple cares so much about jailbreaking has always been about preventing piracy of apps.
    • by west (39918)

      Reminds me of overhearing a salesperson trying to convince a customer to put down the iPhone she was holding and buy an Android phone (I suspect higher commission on the Android).

      "And another advantage is you don't have to pay for any applications unlike the iPhone. It's really easy and everyone does it."

      I wept for Android developers.

    • I'd personally think that the concern with jailbreaking is that "When someone can have arbitrary code execute persistently on their phone simply by receiving a text message, or visiting a website" then there is probably an issue with security. Basically, an attack vector for a virus to infect what is essentially a computer.

      However, there is no reason why someone who installs their developer tools and loads a certificate onto their device indicating that it is for development shouldn't be allowed root acce
  • They want control of your hardware, and you are going to let them have it.

    And then you'll live in Apple's comfortable little cage, and they'll give you everything you need.

    • And then you'll live in Apple's comfortable little cage, and they'll give you everything you need.

      Except it's not like that. They block alternative stores, access to replacement for Apple first party tools, because they want to take your money. It's about starving you of alternatives, and making you dependent on them....Like a Feeder.

  • Apple's view towards jailbreaking can likely be summed up thus: Anyone is free to do whatever they want with their devices. Just don't expect support for unsupported things if it breaks. Found a security exploit in the OS? Thanks, we'll fix that right up.
  • by dutchwhizzman (817898) on Tuesday June 11, 2013 @09:03AM (#43972841)
    This is *not* about permanently disabling or blacklisting a phone. This is about making the phone unusable for the thief, but keeping it technically sound so the rightful owner could still use it if it has been recovered. It'd be trivial to blacklist an IMEI, just as it would be to circumvent the blacklist by reprogramming the baseband controller. It'd be trivial to implement a "self destruct" on the phone that could be triggered remotely, but then you'd have a phone that would need at least one chip replaced before it'd work again. This is about non-destructive locking and it relies on the OS not being rooted. They may find a way to do that on newer hardware, but as I understand it, all current hardware has been "owned" sufficiently for a software-only compromise to be sufficient.
  • This blogger does not get it. Big time.

    Jailbreaking did not come about for bypassing security or stealing iPhones. It came about because Apple wouldn't sell their GSM-capable phones on vendors other than AT&T, which meant that they also could not be used outside the US, which is the only place the things were being sold. So some Russian hackers came up with a jailbreak, but it wasn't so they could run arbitrary applications, it was so they could run a single application to rewrite the SIM vendor check

  • My guess is not more than 3-4 months. May also be mere weeks. Of course, this prevents the average nil-whit street thief from removing the lock, which may or may not be a good thing. In the worst case, said nil-whit will just have to sell the phones to an underground lock-removal service and consequentially will have to steal more of them to keep previous criminal income rates going. In the best case, this makes iPhone theft economically unattractive, which can still happen even if the lock is broken. If
