Encryption Is Perfect But IPhone Security Is Not
I’m not writing this for the benefit of any criminals or would-be terrorists out there. There are many more law abiding citizens that value their 4th amendment and Bill of Rights right to privacy out there than there are spies, terrorists and criminals looking to exploit security flaws. Now that that disclaimer is out of the way, here is a quick analysis into security, encryption and your options to keep your iPhone (and any mobile device) safe from those that seek to capture your data without consent. If you want to skip directly to the need-to-know steps, skip down a few paragraphs.
Tim Cook nailed it when he said our smartphones have more personal information about us than any other device. That includes personal messages, banking information and the location of people’s children and other family members. Yes, Cook played the “think of the children” card. Up until now, Apple’s argument was mostly technical (encryption technology), a little corporate (writing an entire GOVT OS is an undue burden) and a smidge legal (All Writs Act is how old?). Now they’ve turned the FBI’s emotional arguments against the FBI by invoking the possibility of foreign and terrorist states knowing the whereabouts of our children (never mind our own government). This is all worst case scenario stuff but let’s look at a few degrees between the “boycott Apple” hysterics of a Trump and the “single iPhone” downplaying of the Feds.
Encryption is Perfect But Security is Not
Encryption is mathematically perfect but it serves the greater purpose of security which is not perfect. After all, The best security simply serves as a deterrent for thieves to move onto easier targets. But there are some patterns and facts we can sort through regarding encryption. Apple uses both software and hardware end-to-end encryption on all of their devices since iPhone 5s. This is because iPhone 5s and newer all contain a separate co-processor that Apple calls the secure enclave. In this secure enclave are not only the keys (your passcode) to that particular device but also a hash of your Touch ID biometric fingerprint identity. So the secure enclave is a separate, encrypted repository for secure data – very tough to crack. Apple holds this distinct advantage over Google who enables only software encryption in all Android devices. Google would love to enable hardware encryption in all Android devices but they cannot possibly control the hardware in every Android manufacturer because of the fragmentation that exists in that ecosystem. So is hardware necessarily better than software only? It depends who you ask?
Notable iPhone hacker, Jonathon Zdziarski and a handful of other famous hackers and professors have filed Amici Curiae as a show of support for Apple in their stance against the FBI saying, “Obtaining the “GovtOS” software will be an attractive target for authoritarian states, hackers, spies, and criminals. Users of iPhones and other mobile devices would lose trust in automatic software updates, which are a crucial means of maintaining device security. In short, the court’s order jeopardizes the security of everyone in the name of breaking into a single device.“
Hackers like Zdziarski go onto say that Apple holds the consumer smartphone industry’s highest level of security because their users upgrade devices more current and frequently than any other large portion of smartphone users. And since Apple is the only one who can sign and approve any security updates for their devices, users will begin to ignore or even avoid security updates from Apple if they believe Apple is working with the US government to give free reign over all of our data. But aren’t they already working with the government on many cases?
Apple has unlocked 70 iPhones to date and have stated they will continue to assist the US government in any way when presented with legal court orders or warrants. They will however, fight those requests that require them to re-write their own code to weaken their own security and that is what brings us to this case. But what about iCloud security? Didn’t Apple offer to hand over the alleged terrorist’s secure iCloud data?
Just Because iCloud is Encrypted Doesn’t Mean it’s Absolutely Secure
In their iOS security white paper, Apple assigns “Data Protection” and “No Protection” security classes to iCloud data depending upon the type of data. All data is encrypted but Apple does have the keys for some of this data. The reasoning for these security inconsistencies comes back to the original purpose of iCloud which is to allow for convenient backups and retrieval of data. Another feature of iCloud is the ability of Apple to retrieve account information for users who have lost or forgotten their passwords. If they did not help out these forgetful souls, you would have many angry users who have forever lost access to their first born’s birth or deceased grandmothers last photos or text messages. So it is impossible to securely encrypt an entire iPhone over iCloud when Apple holds the key to some of that data. However, Apple does encrypt things like your wifi password, keychain and health data in such a way so they could not give you that info even if they were forced to by anyone – they do not have that key. Apple does encrypt lots of other data but it is encrypted with a key that only they have to retrieve data for the user – Apple has the key to this data. Of course Apple also doesn’t bother to encrypt many files such as music and movies because those are all readily re-downloadable to their rightful owner with the correct Apple ID. So what options does that leave a privacy and security paranoid user like me and you?
Backup and Encrypt Locally
The only way to ensure that no one has access to your private iPhone data is to backup locally and encrypt using iTunes. Oh, and do not update your iPhone ever because if it’s possible for the government to compel Apple to create a backdoor, it’s feasible that regular security OS updates contain a key to unlock your encrypted data. Remember, we’re talking worse case scenario here and in that case Apple is complying with the wishes of the Feds. And since we’re talking worst case, remember that by backing up locally you remove Apple as a buffer – it’s just you against the law at that point so have a sledgehammer handy to smash that iMac hard drive beyond repair when you hear the battering ram outside your door.
Currently Apple wields an impressive list of big wig backers for their legal stance but they are all trying to keep customers and while law enforcement and politicians are all trying to make their jobs much easier and get votes respectively. The only faction that can be trusted wholly are the ones that answer to math – security experts. Of course they have their own agendas but as a discipline, security experts must all obey the same laws of mathematics and encryption. There is no interpretation or corruption of these processes, that we leave up to users, corporations, politicians, law enforcement, etc.
Apple has always been about balancing user convenience with features and in that respect, this case bears some similarities. The only problem is that it appears that a security balance was already in place and that the FBI (and many other agencies) are now looking to shift the balance so that they hold all the keys and make their jobs easier in an effort to protect us all.
It’s not hard to imagine the FBI winning this and forcing Apple and every smartphone maker to create back doors. After all, the Patriot Act was passed primarily due to fear of terrorism and it’s not hard to find opposition to that legislation these days. But it’s not fair to lay blame on past circumstances and decisions when discussing future precedents so I will let Benjamin Franklin take us out…
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”
Scott Schober
CEO | Author | Speaker | Cyber Security & Wireless Expert at Scott Schober LLCScott has lectured and presented extensively regarding cybersecurity and corporate espionage at numerous conferences around the globe. He has recently overseen the development of several cell phone detection tools used to enforce a “no cell phone policy” in correctional, law enforcement, and secured government facilities. He is regularly interviewed for leading national publications, and major network television stations including Fox, Bloomberg, Good Morning America, CNN, CCTV, CNBC, & MSNBC. He is the author of "Hacked Again" and writes, "In a modern digital world no one is safe from being hacked, not even a renown cybersecurity expert."
www.scottschober.com
CEO @ Berkeley Varitronics Systems | Cybersecurity Expert
9 年Thank you Anna. I think the weeks to come will be very interesting as more information is revealed.
CEO @ Berkeley Varitronics Systems | Cybersecurity Expert
9 年Josh - I appreciate your thoughts but ask you to read carefully the court order. The FBI is not asking for content of ONE iPhone as you state in your comment below. The court order is demanding far more information including know-how and documentation which reveals Apple's IP. The FBI director was asked before the committee if they plan to use the information to back door this phone beyond ONE phone and he said 'YES'.
Personal Assistant at UK Ministry of Defence
9 年Interesting article. Apple certainly have the edge on smart technology.
RF Engineer, semi-retired. RF/wireless system design, antenna design, implementation & test
9 年I respectfully disagree. It's common for people in the tech community to be libertarians when it's convenient for them personally, but Big Brother fascists when it comes to everyone else. Many in the tech community are so, so busy "signalling their virtue" about how they want to protect everyone's privacy--against Big Brother government; but at the same time, they work hard at their day jobs, gleaning as much personal information as posssible about all of us and our lives, so that information can be sold at a profit to, or by, Google, amazon, Apple, etc... Is it really just gleaning information, or is it stealing information? Are they REALLY so, so concerned about the privacy or all of us? Or is that just BS they use in marketing? Considering the weasel wording and intentional confusion of most "privacy agreements" we click on, I'd say, it's very deliberate, very intentional, and very much stealing. The FBI's tech people are being pretty open about how they screwed up, technically, attempting to access this one device. They're asking Apple for some help, as one citizen might ask another for help, getting a tire changed for an elderly person, or pulling someone out of a river. They're asking for help to brute-force break into ONE device, ONE time, that was involved in a mass-murder of our innocent fellow citizens. They are NOT asking for a key to a back door on every device, to be possessed by any low-level government flunky who may want to stalk his ex-girlfriend. They are NOT asking Apple to give up any secrets--Apple's, or ours. Fourteen of our fellow citizens from San Bernadino no longer have any privacy concerns, they are DEAD. MURDERED. The murderers are part of an international movement that wants to commit MORE such murders. I want to prevent such things happening again, to the extent it is possible, and still live in a free society, with [yes, yes] privacy rights. We CAN do BOTH. We MUST. So let's quit all the posturing, and the academic discussions, and the emotional outbursts, and the virtue signalling, and JUST GET IT DONE. . Time's a wasting with all this posturing and these tantrums. And in an investigation, the longer it takes to dig up the information needed to find a killer and his accomplices, the less likely the guilty are to be caught. And jailed, And prevented from killing again.
Information Specialist
9 年It's already been proven that the iPhone was hacked by a kid. Everybody forgets that computing is complex and simple at the same time. Computers no matter how complicated work off of electronic impulses and are at risk of being altered all the time.