Report: Apple Building iPhone It Can't Hack
After Controversial FBI Court Request, Apple Treats Itself as a Threat
Apple is creating new devices and services that will be harder to hack, according to two new reports. The push to create even stronger encryption options on iPhones and iPads, as well as to strengthen the security of its related iCloud service, means that in the future, law enforcement agencies - already warning about the prospect of investigations "going dark" due to strong crypto - may face significant challenges when attempting to recover data from a device that's seized as part of an investigation, or which is being subjected to surveillance.
The iOS and iCloud security moves were reported first by The New York Times and Financial Times, both based on unnamed sources.
Apple's new approach is a direct response to the FBI obtaining a court order that compels the technology giant to help it access information stored on an iPhone 5C. The device was issued to Syed Rizwan Farook, one of the shooters behind the Dec. 2 attack in San Bernardino, Calif. The Department of Justice has accused Apple of putting marketing before the law by refusing to comply with the court order.
But many security experts say the best move for Apple - and users of its products - seems to be to try and opt out. "Apple's real concern should be that it does not want to be in the crack between the government rock and the citizen hard place," says information assurance consultant William Murray, who's an associate professor at the U.S. Naval Postgraduate School. "It wants to be uninvolved and unable, rather than unwilling but coerced."
Apple Now Classifies Itself as a Threat
Hence the government's move to force Apple to bypass the security on its device appears to have triggered a push by Apple - and likely soon other technology firms - to make the security impossible for them to bypass.
"This is the first time that Apple has been included in their own threat model," forensic scientist Jonathan Zdziarski, author of "iPhone Forensics," tells The New York Times. "I don't think Apple ever considered becoming a compelled arm of the government."
Legal experts say the only way to blunt Apple's anti-hacking move would be for Congress to pass a law compelling technology companies to backdoor their products. Currently, technology vendors such as Apple are not subject to the U.S. federal law known as CALEA - the Communications Assistance for Law Enforcement Act - which requires telecommunications providers to comply with court-ordered wiretaps. "We are in for an arms race unless and until Congress decides to clarify who has what obligations in situations like this," Benjamin Wittes, a senior fellow at the Brookings Institution, tells The New York Times.
Lawmakers Seek Crypto Commission
Several lawmakers, meanwhile, want to form a commission that would seek a way to balance people's privacy with giving law enforcement agencies access to encrypted data. While a number of different, related legislative moves are underway, House Homeland Security Committee Chairman Michael McCaul, R-Texas, and Sen. Mark Warner, D-Va., a member of the Senate Intelligence Committee, have proposed creating "a 9/11-style commission," composed of 16 members, that would explore the issue and recommend a policy solution, a technology solution, or both, within 12 months. The commission would involve law enforcement agencies, the technology sector, intelligence community, as well as civil rights and privacy advocates, the lawmakers said Feb. 24 at a forum hosted by the Bipartisan Policy Center, a think tank.
"This solution brings all the stakeholders together in one room," McCaul said.
But as with so many aspects of emerging technology, Apple's move to make iOS devices harder to hack might leave any recommendations the commission ultimately makes in the dust.
Competition Concerns
Furthermore, any attempt to weaken device security - for example by adding backdoors, thus weakening any encryption on the device - would risk putting U.S. businesses at a disadvantage against foreign competition, as former National Security Agency contractor - turned whistleblower - Edward Snowden noted via Twitter. Snowden's leaks, of course, helped expose government surveillance programs in the United States, United Kingdom and beyond, sparking a crisis of trust among many individuals and allegations of government overreach. They also led directly to leading technology firms offering users devices and services with better information security options, including in many cases strong crypto.
Congressional intervention would weaken American companies relative to foreign competitors. The future is security. https://t.co/V1bPdnjds8
- Edward Snowden (@Snowden) February 25, 2016
Support for FBI's Move
Debate continues to rage over whether Apple should create a version of iOS - dubbed "FBiOS" by some security experts - that the bureau could use to help it unlock Farook's iPhone (see Apple vs. FBI: Readers Debate). A recent survey of 1,002 U.S. adults, conducted by Pew Research Center, found that 51 percent believe Apple should assist the FBI and 38 percent do not.
The Department of Justice appears to have prepared this crypto battle in advance, and decided that the San Bernardino case was the best way to advance its cause (see Apple, FBI Draw Lines in Crypto Battle).
Cook Likens Request to 'Cancer'
But Apple CEO Tim Cook told ABC News in a Feb. 24 interview that Apple has been providing extensive technical assistance to the FBI during its investigation, and that he only learned of the court order via the press (see Cook: Apple Wanted More Discussions with Feds). And he warned that if Apple complied, it "could expose people to incredible vulnerabilities."
Indeed, Cook likened the FBI's request to "the software equivalent of cancer: we think it's bad news to write, we would never write it, we have never written it, and that is what is at stake here."
Apple's response continues to earn plaudits from many in the technology sector, who see more security - not less - as the only way to keep people secure. Zdziarski, for one, has already launched an "open list of requested iOS security improvements," including encrypting all data backed up to iCloud using a key derived from the user's own alphanumeric backup password. Likewise, Zdziarski wants Apple to give users the option to "set a password" that would be required before any desktop could be used to connect to the device, "so that a stolen/compromised desktop computer cannot be used to access the device without a password."
Meanwhile, Jessy Irwin, who works for password management software maker AgileBits, says she's "tempted to send cookies/flowers to the teams" reportedly working on building an iPhone that Apple can't hack. "Best part of the Apple v. FBI case: Apple has nation-state level financial resources, and has no problem using them," she says.
I don't know about you, but I'm pretty happy my phone vendor is all, "Come at me, nation-state adversary!" about defending device integrity
- Jessy Irwin (@jessysaurusrex) February 25, 2016