
Phone Security

CS 161 Fall 2025 - Lecture 27

Computer Science 161


Outline

  • Cryptography history
  • Nation-state attacks
  • iPhone security - filesystem
  • iPhone security - backups
  • Jailbreaks and software security exploits
  • iMessage security
  • Confidential cloud

  • None of this will be on the final exam


Cryptography History


World War II

  • Enigma code machine
    • Germans: believed it to be practically unbreakable
    • Marian Rejewski - found mathematical weaknesses
    • Alan Turing - "bombe" to automate breaking the Enigma
    • British - disinformation to conceal their source of information
  • After the war, Britain concealed its successes, and sold the Enigma to its erstwhile allies (e.g., ex-colonies) so it could spy on them
  • The Imitation Game - biopic of Alan Turing's life


Analog cellphones

  • In the 1980's, cellphones used analog communication (with no cryptography) and were trivial to eavesdrop on


Digital cellphones

  • In the late 1980's, telephony companies introduced digital cellphones
  • To address widespread eavesdropping, telcos added cryptography
  • Solved the problem with eavesdropping on analog cellphones... but there were rumors
  • In 1999, the encryption algorithm leaked, was soon found to be breakable
  • We later learned the national intelligence agencies vetoed use of strong cryptography, and instead provided a custom, secret encryption algorithm they had designed to be deliberately vulnerable


End-to-end cryptography

  • In the late 1990's, rapid growth in the Internet made cryptography critical, and companies started to deploy end-to-end cryptography


Lawful intercept

  • Encryption made it hard for intelligence agencies and law enforcement to spy on communications
  • Legislators passed laws requiring "lawful intercept" in the phone network: telcos had to add a backdoor to routers/switches/infrastructure to enable law enforcement wiretaps of phone calls
    • Thus, no end-to-end encryption of phone calls; they were encrypted over the cellular radio link but unencrypted in the core infrastructure


"Greek Watergate"

  • 2004 - Lawful intercept features (mis)used to illegally wiretap 100 politicians in Athens, Greece (including the Prime Minister)


Operation Aurora

  • 2009 - nation state compromises 30+ major companies, including Google
    • Accesses Gmail accounts of dissidents
    • Spear phishing email to employee, with link that exploits zero-day use-after-free vulnerability in MSIE browser
    • Exploits vulnerability in source code repository to steal company code, including Google authentication code
    • Possibly: found and exploited vulnerability in Google auth code


Snowden leaks

  • 2013 - NSA contractor Snowden leaks thousands of classified documents that revealed widespread surveillance
    • NSA collected metadata phone records on 100+ million Verizon subscribers
    • NSA had access to email, search history, etc., at Google, Facebook, ...
    • NSA spied on internal data center links of Google, ...
    • NSA collected metadata on email and Internet use of Americans
    • NSA had programs to conduct man-in-the-middle attacks on Internet communication, with ability to exploit zero-days and implant malware
    • GCHQ collected images from Yahoo webcam chats of millions of Internet users - 3%+ involved nudity
    • NSA paid $10M to introduce backdoor into widely used cryptography library
    • NSA whistleblower said "at least 80% of all audio calls... are recorded and stored in the US"
  • Result: global loss of trust in Internet companies, pressure for them to secure their systems against nation-state attacks


2024 telecommunications hack

  • Major US phone companies hacked by nation-state
    • Gains access to text messages and metadata from over a million people (?), especially people in the Washington DC area, government and military personnel working undercover
    • Including Trump's phone, Vance's phone, Kamala Harris staff
    • Exploited zero-day vulnerabilities in ISP software (unsanitized file upload), routers; hacked into lawful intercept systems
    • Not detected for a year


Takeaways

  • Defending against nation-state attackers is very challenging
  • Nation-state attackers are an "early warning" of attacks that become widespread a decade later
  • Don't trust the company / service provider


iPhone Security


Some interesting aspects of iPhone security

  • Encrypted filesystem
  • Encrypted backups
  • iMessage: end-to-end encryption
  • App-oriented security
  • Jailbreaks and software security exploits
  • Private cloud compute


Encrypted filesystems


Why encrypt?

  • If phone is lost/stolen, don't want others to gain access to data
  • Can rapidly erase all data on phone, by just erasing the decryption key


Key management

  • Encrypt all data on iPhone, but with what key?
  • Key stored on device? Passcode?


Solution

  • Secure hardware coprocessor on phone, used only for security
  • Device key hardcoded into coprocessor
  • Filesystem encrypted under K, where K = PBKDF2(device key, passcode)
  • Coprocessor rate-limits computation of K


Design quiz

  • How would you enable someone to authenticate via face authentication instead of passcode?


Encrypted backups


Backups are essential

  • If phone is lost/stolen/dropped in a creek, need a way for the owner to buy a new phone and get their data onto the new phone


Design quiz

  • How could you design a way to back up the phone to the cloud?
  • Requirement: the owner should be able to access their backup, but not other random people


Design quiz #2

  • Usability requirement: if phone is lost/stolen, can restore
  • Usability requirement: users might forget their device passcode, still need to be able to access their data
  • Security requirement: if Apple servers get hacked, hackers shouldn't be able to access users' backup data
    • And if government demands access, Apple should be able to say it has no way to comply
    • Apple shouldn't have access to user's backup data
  • Security requirement: user passcodes are often guessable


Solution

  • Almost impossible to satisfy all of these at once -- but not totally impossible!
  • Apple's solution: Advanced Data Protection
  • Opt-in (off by default), backups encrypted under a random key K; also save:
    • encryption of K under PBKDF2(passcode)
    • encryption of K under a random recovery code (write it down when you enable ADP)
    • encryption of K under a random code given to a contact/family member you designate
  • This way, Apple doesn't have the keys and can't decrypt, even if they wanted to (or were hacked, or required by demand from some government somewhere on the planet)
  • Similar to Project 2 !
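
An added sketch of the key-wrapping idea above (not Apple's implementation and not lecture code): a random backup key K is stored three times, each copy wrapped under a key derived from a different secret, so the server record alone never reveals K. The HMAC-based `wrap`/`unwrap` is a toy stand-in for a real authenticated cipher, and running all three secrets through PBKDF2 with one shared salt is an assumption made for uniformity.

```python
import hashlib
import hmac
import os

def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrap (stand-in for a real AEAD): nonce || (key XOR pad) || tag."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong secret or tampered blob")
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def kek_from(secret: str, salt: bytes) -> bytes:
    # Key-encryption key derived from a human-held secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def enable_adp(passcode: str, recovery_code: str, contact_code: str):
    """Return (K, server_record); the record is everything the server stores."""
    k = os.urandom(32)  # random backup key K, generated on the device
    salt = os.urandom(16)
    record = {"salt": salt}
    for slot, secret in [("passcode", passcode), ("recovery", recovery_code),
                         ("contact", contact_code)]:
        record[slot] = wrap(kek_from(secret, salt), k)
    return k, record

def recover(record: dict, slot: str, secret: str) -> bytes:
    """Recover K from the server record using any one of the three secrets."""
    return unwrap(kek_from(secret, record["salt"]), record[slot])
```
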


End-to-end encryption for iMessage


Design quiz

  • iMessage = Apple's text messages
  • These messages are encrypted end-to-end
  • How could you design such a system? How would the parties obtain or select keys to use to encrypt messages?


Apple's solution

  • Each device has a public key
  • Similar to Project 2, Apple runs a key server: you can look up a person, and get a list of the public keys of their devices
  • Encrypt the message with a random symmetric key K, encrypt K with each public key for each of the recipient's devices, sign the result
  • Send a notification to all of a user's devices, any time a public key is added

  • Quiz: What are the security properties of this design? Who can eavesdrop on messages?


App-oriented security


Multi-user vs multi-app

  • Desktop and server OS's are based on a 1970's-era view of computing: computers are really rare, must be shared among users, so the primary threat is another user on the same computer trying to access your data
    • Every application you run gets full access to all of your data
  • Today most devices are used by a single person, and the primary threat is malicious content from the Internet exploiting a vulnerability, or that a third-party application you install is vulnerable or malicious


App sandboxes

  • On mobile OS's, each app runs in a sandbox (as a separate "user")
  • By default, each app cannot access data stored by another app
  • Each app has a separate set of permissions (access to sensors, data, ...)
  • Makes it safer to install an app from the app store from someone you've never heard of


Jailbreaks and software security exploits


Software security

  • Software security exploits can be used to hack people's phones
  • They can also be used to "jailbreak" your own phone
    • Modify Apple's operating system/apps, e.g., to remove restrictions
  • If you find a fully working exploit on iPhone, you can earn $5M
  • 2021: NSO Pegasus spyware revealed, used by governments for spying
    • 50,000 phone numbers targeted: journalists, country's opposition politicians, human rights activists, ...
    • Exploits zero-day vulnerabilities in Safari/iMessage/kernel: e.g., out-of-bounds write, information leak, ...


Types of software security vulnerabilities

90% of vulnerabilities are memory safety vulns (Android 2018)


Defenses against memory safety vulnerabilities

  • ASLR + DEP
  • Pointer Authentication Code (PAC): store a MAC of value of the pointer and the location where the pointer is stored, in the upper bits of the pointer value
    • Extra protection against overwriting function pointers, return addresses, vtables; ROP
    • Hardware-accelerated, for speed
  • Memory Tagging Extension (MTE): each memory region has a tag, each pointer has a tag, reading/writing only allowed if both tags match
    • Protection against reading or writing memory out of bounds and use-after-free
    • Each malloc() gets a new tag for the allocated memory region
    • Hardware-accelerated, for speed
  • Sandboxing
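
An added simulation of the PAC bullet above (not lecture code and not the real instruction set): the MAC covers both the pointer value and the address where it is stored, which is why a validly signed pointer copied into a different slot still faults. HMAC-SHA256 truncated to 16 bits, the 48-bit address width and all addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PAC_KEY = os.urandom(16)   # secret key held by the CPU (constructed here)
ADDR_BITS = 48             # assumption: low 48 bits hold the address
ADDR_MASK = (1 << ADDR_BITS) - 1

def _pac(ptr: int, location: int) -> int:
    """16-bit MAC over (pointer value, address where the pointer is stored)."""
    msg = ptr.to_bytes(8, "little") + location.to_bytes(8, "little")
    return int.from_bytes(hmac.new(PAC_KEY, msg, hashlib.sha256).digest()[:2], "little")

def sign_ptr(ptr: int, location: int) -> int:
    """Place the PAC in the unused upper bits before the pointer is stored."""
    return (_pac(ptr, location) << ADDR_BITS) | ptr

def auth_ptr(signed: int, location: int) -> int:
    """Check the PAC on load; return the plain pointer or fault."""
    ptr = signed & ADDR_MASK
    if signed >> ADDR_BITS != _pac(ptr, location):
        raise MemoryError("PAC check failed")
    return ptr

def load_checked(memory: dict, location: int) -> int:
    return auth_ptr(memory[location], location)

def scenario() -> dict:
    """Constructed example: two function-pointer slots, then two corruptions of slot A."""
    slot_a, slot_b = 0x7FFF_0000_1000, 0x7FFF_0000_2000  # where the pointers live
    memory = {slot_a: sign_ptr(0x0000_0040_1230, slot_a),
              slot_b: sign_ptr(0x0000_0040_4560, slot_b)}
    out = {"legit": load_checked(memory, slot_a)}
    for name, bad in [("raw_overwrite", 0x0000_0041_4141),  # value with no PAC
                      ("copied_from_b", memory[slot_b])]:   # valid PAC, wrong location
        memory[slot_a] = bad
        try:
            out[name] = load_checked(memory, slot_a)
        except MemoryError:
            out[name] = "fault"
    return out
```

With a 16-bit PAC, a corrupted pointer still passes the check with probability 1 in 65,536, so PAC raises the cost of pointer corruption rather than making it impossible.
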


Sandboxing

More than half of vulns are in software for interacting with data/comms from external world (Android 2018)

⇒ Sandbox media codecs, iMessage attachments, HTML/CSS/JS in web browser, ...


Private cloud compute


Motivation

  • Some compute tasks are too heavy to perform on the phone -- e.g., speech-to-text, AI inference
  • Solution: run on Apple's cloud
  • Goal: make this as secure as local computation
    • Even Apple, and Apple's employees, should not be able to gain access to this data
    • Even if Apple is hacked, hackers can't gain access to this data
    • Even if some government somewhere demands access, Apple can't provide it


Design

  • Trusted hardware in cloud data centers
  • CPU in trusted hardware encrypts all data stored in memory
  • Hardware will only load an OS whose signature verifies under a public key hardcoded in the hardware
  • OS will only load and run applications that are signed and authorized, with signatures verified under a public key embedded in the OS
  • Apple releases source code, binaries for all authorized OS versions and applications
  • OS/applications written to be stateless (delete all data after finishing a computation) and won't reveal data to anyone else
  • No one, not even Apple, can access the data in trusted hardware


Attestation

  • Trusted hardware has a unique device public/private key pair
  • Trusted hardware keeps track of what OS was loaded, and will send a signed statement about the OS that was loaded (signed with its private key) to the client
  • OS keeps track of what applications it loaded, and will send a signed statement about what applications were loaded
  • Allows client to verify that it is running proper software -- for instance, a hacker who breaks into Apple's cloud can't modify the OS or application without being detected


Transparency log

  • Apple maintains a public transparency log of all OS's/applications that are authorized, and trusted hardware verifies that OS/application is present in the log before loading it
  • Uses chaining: Sign(Sign(Sign(Sign(a1) || a2) || a3) || a4), where a1, a2, a3, a4 are the authorized applications
  • Log is append-only: can append a5, to get Sign(Sign(Sign(Sign(Sign(a1) || a2) || a3) || a4) || a5); trusted hardware will only accept a new chain if it has the form Sign(old_chain || something)
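
An added example of the append-only check above (not lecture code and not Apple's log format): the hardware keeps the last chain value it accepted and takes a new one only if it verifies as Sign(old_chain || entry). The signature is toy textbook RSA with constructed, insecure parameters, and the `TrustedHardware` class and entry names are hypothetical.

```python
import hashlib

# Toy textbook-RSA signature (constructed parameters, far too small to be secure).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: held only by the log publisher
SIG_LEN = 27                       # N is below 2**216, so a signature fits in 27 bytes

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> bytes:
    return pow(_digest(msg), D, N).to_bytes(SIG_LEN, "big")

def verify(msg: bytes, sig: bytes) -> bool:
    return pow(int.from_bytes(sig, "big"), E, N) == _digest(msg)

def append(old_chain: bytes, entry: bytes) -> bytes:
    """Publisher side: new_chain = Sign(old_chain || entry)."""
    return sign(old_chain + entry)

class TrustedHardware:
    """Holds only the public key (N, E) and the latest chain value it accepted."""

    def __init__(self):
        self.chain = b""          # empty before a1, so the first value is Sign(a1)
        self.authorized = set()

    def accept(self, entry: bytes, new_chain: bytes) -> bool:
        # Accept only a value of the form Sign(current_chain || entry).
        if not verify(self.chain + entry, new_chain):
            return False
        self.chain = new_chain
        self.authorized.add(hashlib.sha256(entry).digest())
        return True

    def may_load(self, image: bytes) -> bool:
        # Load an OS or application only if it was appended to the log.
        return hashlib.sha256(image).digest() in self.authorized
```

A chain that rewrites history, such as one built on top of a3 after the hardware has already accepted a4, fails `accept` because it does not extend the stored chain value.
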


Summary

  • Phones are an interesting applied example of the latest, greatest technology in computer security


Wrap-up


Ask me anything

  • What's on your mind?


Thank you!

  • It's been a joy to explore computer security together with you
