[Cryptography] Yes, Apple is correct

Jerry Leichter leichter at lrw.com
Mon Feb 22 06:47:08 EST 2016 

> In particular it seems that it is not possible to write software tied
> to a particular UID, since nobody knows the UID.  The IMEI is likely
> outside the security boundary (still a guess, no mention of the IMEI
> in that document).
The IMEI is *public information*.  Historically it was printed on the outside of the boxes phones came in and behind the battery, in phones that had batteries.  It's broadcast, in the clear, by the phone.  As I noted earlier, it's also constructed in a way that draws possible values for a particular phone from a fairly small set.  Also, may iOS devices are *not* phones, have no cellular hardware, and likely don't have an IMEI assigned at all.

I don't know how we got on this IMEI sideline to begin with.  The IMEI has nothing to do with cryptography unless Apple is much less competent than it appears to be.

*If* Apple were to be forced to build this software, and *if* they wanted to ensure it was tied to a specific phone, they could do so.  The phone has a number of other unique characteristics that software could use.  There's a serial number, a perhaps-related, perhaps not, UUID (advertisers used to use this for tracking; Apple forbade that, adding an "advertiser ID" that's regularly reset to a new value, preventing long-term tracking); the iCloud id the phone has been registered to (we know it was backed up in the past and it's unlikely this was changed).  And those are just elements *specifically designed for identification*, none of which are easy, if even possible, to change on a locked, or perhaps any, phone.

Beyond that, there are any number of secondary characteristics that would likely identify the phone, which again would be impractical to change on a locked phone.

The issue is not, and has never been, that the software might leak and then get applied to other phones *by modifying those phones to look like the one that it was targeted at*.  It's how many angels can dance on the head of a pin.  No, wait, that's one of the few *less* relevant issues out there....

                                                        -- Jerry

More information about the cryptography mailing list