Only one week ago, news media outlets nationwide were locked in coverage of the inevitable face-off between our own government and Apple Inc. On the surface, many felt that the FBI’s request seemed to be the answer: why wouldn’t we want to stop the terrorists? Why not help law enforcement gather additional evidence stored on the terrorist’s iPhone 5C in question? This is the shared belief held by a majority of Americans, concerned that Apple is in the wrong for not simply “unencrypting” the device. In short though, simple is never the answer when it comes to security.

Apple has already provided all the information it has available to the authorities, but what the FBI asked for represents something far more dangerous. In an extended interview, Apple’s CEO Tim Cook outlined that creating a version of iOS specifically for the FBI to bypass the security protocols of the iPhone (appropriately dubbed “GovtOS”) would undermine the security of all iPhones.

“What we do know is we passed all of the information that we have on the phone and to get additional information on it or at least what the FBI would like us to do now would expose hundreds of millions of people to issues.

“The only way to get information would be to write a piece of software that we view as sort of the software equivalent of cancer.” (GovtOS)

When users were informed that creating this backdoor to hack iPhones meant they would be vulnerable too, respondents immediately aligned with Apple’s side in the case. Then suddenly, it all disappeared, seemingly overnight.

[Image: screenshot. Source: NPR]

In the last week, a third-party digital forensics group (allegedly, Cellebrite) came forward and aided the FBI in successfully hacking the iPhone, with the FBI then dropping its case against Apple altogether. While Apple may not have been forced to undermine its own OS, it is clear that there are active vulnerabilities that now allow law enforcement officials to bypass security protocols intended to prevent such malicious activity.

This put Apple into a tricky situation; a slippery slope; Pandora’s box. One of two outcomes had to result:

  1. Accept the vulnerability and/or do nothing to resolve it, allowing law enforcement to utilize the backdoor as a means to enforce national security.
  2. Attempt to collaborate with the third party/FBI to understand the vulnerability being exploited in iOS, and issue a patch preventing further malicious tampering.
    • However, this option may lead to follow-up Department of Justice (DOJ) cases in which Apple is, once again, at risk of being legally compelled to develop GovtOS.

As it turned out, Apple is going with the second option, and is dedicating its attorneys right now to uncovering a legal option that compels the FBI to provide information about how the exploit was performed. A source who is unauthorized to discuss the case told The Times the FBI was provided with the ability to incorrectly guess more than 10 passwords without permanently locking the device or rendering it inaccessible. That allowed the agency to brute-force the authentication until it identified the correct 4-digit combination. It is not yet clear what information, if any, was seized from the phone.
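The account above turns on one control: the cap of 10 wrong guesses. As an added illustration (not from the original post and not Apple's code; the class, the function names and the sample passcode are constructed), this toy model compares how far sequential guessing gets against a 4-digit code with the cap in place and with it removed:

```python
import hmac
from itertools import product


class PasscodeGate:
    """Toy passcode check guarded by a failed-attempt cap (constructed model)."""

    def __init__(self, passcode, max_failures=10):
        self._passcode = passcode
        self.max_failures = max_failures  # None models the cap being bypassed
        self.failures = 0
        self.locked = False

    def try_unlock(self, guess):
        if self.locked:
            return False
        # Constant-time comparison so the check leaks nothing through timing.
        if hmac.compare_digest(guess.encode(), self._passcode.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True  # permanent lock once the cap is reached
        return False


def exhaustive_search(gate, digits=4):
    """Guess 0000, 0001, ... and return (passcode or None, attempts made)."""
    attempts = 0
    for combo in product("0123456789", repeat=digits):
        if gate.locked:
            break
        attempts += 1
        guess = "".join(combo)
        if gate.try_unlock(guess):
            return guess, attempts
    return None, attempts


def coverage(max_failures, digits=4):
    """Fraction of the keyspace a guesser can try before lockout."""
    space = 10 ** digits
    return 1.0 if max_failures is None else min(max_failures, space) / space


if __name__ == "__main__":
    secret = "7351"  # constructed sample passcode
    print("cap in place:", exhaustive_search(PasscodeGate(secret)))
    print("cap removed: ", exhaustive_search(PasscodeGate(secret, None)))
    print("reachable with cap, 4 vs 6 digits:", coverage(10), coverage(10, 6))
```

With the cap enforced, a guesser reaches 0.1% of the 10,000 possible codes before the lock; once the cap is gone, the short passcode alone provides no protection.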

It isn’t surprising that Apple is taking this route, especially given that security is touted as a hallmark feature when marketing the iPhone as a high-end mobile device to customers. Over 95% of iPhones are running the latest software version on their device, which requires encryption, compared to less than 2% of Android devices.

What’s more, the fragmentation of device software on Android prevents the majority of users from accessing updated security features included with new major OS releases. But how does this factor into real-life situations? Consider iOS 7, announced in the summer of 2013 for iPhones and iPads of multiple generations. The “Activation Lock” feature was announced as a major step forward to prevent theft and reselling of mobile devices, especially in metropolitan areas. A backdoor such as this invalidates the feature altogether, providing a method to bypass the authentication with the right tool.

The existence of this ongoing debate is, in itself, fascinating. Both entities are acting in the name of cyber defense and protection of everyday Americans, but in vastly different ways. The US government and FBI advocate for security through law enforcement and federal oversight, allowing for effective criminal investigations into terrorist activities. Apple’s stance advocates for security through personal privacy and encryption, valuing its customers’ sensitive data as something not meant for the prying eye of Big Brother or other malicious adversaries. It all feels a bit Orwellian to consider these questions, but in a world where enemies threaten our lives and freedoms on a daily basis, what will it take for the individual to sacrifice personal privacy in the name of national defense?


About Neil Schloth

Data Analytics - Cyber Security - Apple Enthusiast - Senior Security Engineer
