Encryption & Key Management , Forensics , Next-Generation Technologies & Secure Development
Apple, FBI Draw Lines in Crypto Battle
Tech Giants Google, Microsoft Back Apple Fight Against BackdoorsApple is digging in for a long legal fight with the U.S. Department of Justice over the FBI's request that the technology giant backdoor the encryption on an iPhone seized as part of an investigation (see Apple Blasts Judge's iPhone Backdoor Order).
See Also: Alleviating Compliance Pain Points in the Cloud Era
U.S. Magistrate Judge Sheri Pym of the Federal District Court for the District of Central California on Feb. 16 ordered Apple to assist the FBI by updating the iPhone to disable security features deigned to wipe its memory or slow passcode entry, to block brute-force attacks. Pym issued her order using the All Writs Act of 1789, which gives a judge the ability to issue court orders for matters not covered under current law.
The Justice Department has framed its request as being limited to only a single phone: an iPhone 5C issued to Calif.-based Rizwan Farook, 29, by his employer, San Bernardino County. Farook and his wife Tashfeen Malik, 29, attacked Farook's work colleagues in a December 2015 shooting spree that left 14 people dead and 22 wounded.
In an impassioned Feb. 17 letter, Apple CEO Tim Cook said that Apple would fight the "dangerous" court order. "We have no sympathy for terrorists," he said. "But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."
The Justice Department quickly fired back. "It is unfortunate," it said in a Feb. 17 statement, "that Apple continues to refuse to assist the department in obtaining access to the phone of one of the terrorists involved in a major terror attack on U.S. soil."
The same day, White House spokesman Josh Earnest said that both the Justice Department and FBI have the Obama administration's "full support" in this matter.
But many technology sector heavyweights are siding with Apple. Google CEO Sundar Pichai took to Twitter to defend Apple's move, warning that "forcing companies to enable hacking could compromise users' privacy." Microsoft's chief legal officer, Brad Smith, has called for a vigorous debate and repeated his company's condemnation of government surveillance programs. And multiple civil rights groups - including Electronic Frontier Foundation and the Center for Democracy & Technology - say they will support Apple in court.
Devices Might Still be Vulnerable
The U.S. government has been careful to not use the word "backdoor" to describe what it's trying to legally compel Apple to do, and characterizing this as a limited legal move. But many security experts see otherwise, including forensic scientist Jonathan Ździarski, author of "iPhone Forensics," who says in a blog post that the government's request "amounts to the courts compelling Apple to design and develop a backdoor into iOS devices."
This backdoor might work on even the latest iOS devices, he warns. True, since releasing the iPhone 5C, Apple has continued to refine the encryption and security features built into newer iOS devices, for example by using a 64-bit A7 chipset that controls a TouchID fingerprint sensor and also enables "Secure Enclave." "The Secure Enclave is a separate computer inside the iPhone that brokers access to encryption keys," says Dan Guido, CEO of security research firm Trail of Bits, in a Feb. 17 blog post.
But Ździarski says that newer iOS devices might still be vulnerable to the workaround now being demanded by the FBI, provided it could obtain code that was signed by Apple, and thus "trusted" by an iOS device. "If compelled to in the future, it would be much more difficult to do this on any devices with the new A7 chip, however not impossible as there are some potential vulnerabilities in how the Secure Enclave may enforce the time delay - e.g. clock tampering, etc. - or be tampered with by a valid signer," Ździarski says.
Court Order: NSA Implications
This case is about much more than a single device, many legal and information security experts contend. "The request seems benign but the precedent catastrophic," says Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, Calif., in a blog post. That's because governments could begin mandating that technology providers update devices - even remotely and when not in the government's possession - in response to a court order, for very little cost.
"What happens in a world where 'hacking' by law enforcement is as simple as filling out some paperwork?" Weaver asks.
Here's what: "Almost immediately, the NSA is going to secretly request the same authority through the Foreign Intelligence Surveillance Court using a combination of 702 to justify targeting and the All Writs Act to mandate the necessary assistance," he says. "How many honestly believe the FISC wouldn't rule in the NSA's favor after the FBI succeeds in getting the authority?"
Not Just About One Device
That analysis is bolstered by the fact that Farook destroyed all of his other devices prior to the San Bernardino shootings, begging the question of why he would have left the iPhone untouched if it contained anything of value. The U.S. government also says in court documents that it has complete backups of Farook's iPhone - which he connected to a PC - through the end of October 2015.
Multiple security experts have also noted that the U.S. government could employ other - more costly - techniques to recover the data from Farook's iPhone. Instead, the Justice Department is using this case to give it a legal backdoor against crypto, says Christopher Soghoian, the American Civil Liberties Union's principal technologist.
if the gov hacks the iPhone themselves, they don't get the legal precedent they are so desperate to establish in this case.
” Christopher Soghoian (@csoghoian) February 17, 2016
For example, if the government wanted to spend the money - perhaps $500,000 - it could recover the data stored on the device, using other means, says security expert Ryan Lackey via Twitter.
White House Carefully Planned Legal Battle
In fact, the Guardian reports that "this carefully planned legal battle has been months in the making" - based on its interviews with senior administration officials and technology executives - before the San Bernardino shootings occurred.
And the Obama administration's strategy is garnering some political and public support. For example, Sen. Tom Cotton (R-Ark.), says in a statement: "Apple chose to protect a dead Isis terrorist's privacy over the security of the American people." Likewise, Republican presidential candidate frontrunner Donald Trump told Fox News Feb. 17, "I agree 100% with the courts ... Who do they think they are? They have to open it up" (see Rivals Avoid Taking Stand on Backdoor).
Trump added: "I think security, overall, we have to open it up and we have to use our heads. We have to use common sense."
The House Judiciary Committee plans to debate this matter March 1, and has invited Apple to testify, the Guardian reports.
Will Case Spark Wider Debate?
If the case succeeds, it will have long-term ramifications, and not necessarily for the better, warns Thomas Rid, a professor in the Department of War Studies at King's College London. That's because bypassing crypto "[risks] helping terrorists while making everybody else less secure," Rid says via Twitter.
Better policy planning and pragmatism now, however, rather than court cases that attempt to define themselves as being about a single device, would help forestall future problems, Rid argues in a recent paper he co-authored, Cryptopolitik and the Darknet," which notes that realpolitik - pragmatism in political decision-making - is too often absent when it comes to technology policy.
"Weakening encryption now will make it stronger later, because strong crypto is here to stay," according to the paper. "Antagonizing developers means cryptosystems get more secure, easier to use, more demand, more funding."
Indeed, many computer scientists are already framing the FBI's attempt to crack iPhone 5C crypto as relating to a product flaw.
"Perhaps the best way to understand the order for Apple to hack into the iPhone is as a bug report. (Apparently fixed in later versions)," says cryptography researcher Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania, via Twitter.
If nothing else, the Apple All Writs order underscores a basic security principle: design your systems so even you can't attack them.
” matt blaze (@mattblaze) February 17, 2016
Post-Snowden Politics
Arguably, of course, the Snowden revelations already drove manufacturers like Apple to try and design systems that store data securely, and which not even they can forcibly crack. This legal case, meanwhile, may provide even more incentive to design even harder-to-hack software and hardware, says iOS security expert Dino A. Dai Zovi, who's the mobile security lead at financial services firm Square, via Twitter.
"Right now, security engineers across Silicon Valley are brainstorming how to design systems that are secure against compelled manufacturers," he says.