Friday, March 18, 2016

Apple vs. FBI (Week 1)


On February 16th, 2016, a federal judge ordered Apple to assist in enabling the search of a subject’s Apple iPhone 5c by providing reasonable technical assistance in obtaining access to the subject’s data. The order describes reasonable technical assistance as a means to bypass or disable the auto-erase function, allowing an unlimited number of attempts at guessing the subject’s passcode, and an application that can be loaded and executed from the device’s Random Access Memory without modifying any data on the device, so that integrity is maintained.

Apple has formally opposed the order and published an open letter on its website. The open letter asserts that the order would have "implications far beyond the legal case at hand, undermining users' privacy and giving the US government the equivalent of a master key, capable of opening hundreds of millions of locks. The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control."

The backdoor Apple is speaking about is a vulnerability that weakens the information system (the iOS device) so that it could be exploited by the Federal Bureau of Investigation (the threat source). The judge’s order ignores the basics of security, which is defined as the quality or state of being secure, free from danger. The idea of being secure is to be protected from the risk of loss, damage, unwanted modification, or other harm.

So what does the court order's request really mean? If Apple loses its case and creates a tool that circumvents security mechanisms, it would be introducing a vulnerability in its product that would affect millions of users and that will eventually be exploited and misused.

As an Apple iPhone user, I have reasonable assurance that my data will maintain its confidentiality if I lose my device, because of the security controls implemented: auto-erase, an iteration count with escalating time delays, and encryption. If I lose my iPhone in a public place and an individual finds my device, then they have physical access for a brute force attack. The individual who finds my device may have malicious intent. iOS protects against brute force attacks if the user has enabled all of the features described below:
  • Passcode: the passcode provides the entropy for the encryption, thus data retrieved without authentication is unrecognizable. The standard cryptography used is Advanced Encryption Standard 256.
  • Auto-erase: the data on the device is erased after 10 consecutive incorrect attempts to enter the passcode. 
  • Iteration count: this provides a time-based mechanism to slow an attacker's attempts to gain access, thus it would take more than 5 and a half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.
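
To put numbers on the three controls above, here is an added worked example (not part of the original post). The 80 ms per attempt and the escalating delay schedule are taken from Apple's iOS Security Guide listed in the references; the three passcode policies are constructed samples.

```python
from fractions import Fraction

# Constants below come from Apple's iOS Security Guide (September 2015),
# listed in the references; the post itself gives only the 10-attempt limit.
ATTEMPT_SECONDS = Fraction(8, 100)  # iteration count calibrated to ~80 ms per guess
ERASE_AFTER = 10                    # auto-erase threshold
DELAY_AT_ATTEMPT = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}  # escalating delays, seconds
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample policies: (alphabet size, passcode length).
POLICIES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6-char lowercase+digits": (36, 6),
}

def keyspace(alphabet_size, length):
    return alphabet_size ** length

def exhaustive_seconds(space):
    """Worst-case time to try every passcode when only the iteration count
    slows guessing (no auto-erase, no escalating delays)."""
    return space * ATTEMPT_SECONDS

def success_probability_with_erase(space):
    """Chance that random guessing hits the passcode before the device wipes."""
    return Fraction(min(ERASE_AFTER, space), space)

def time_to_erase_seconds():
    """Wall-clock time the ten permitted attempts take with escalating delays."""
    delays = sum(DELAY_AT_ATTEMPT.get(n, 0) for n in range(1, ERASE_AFTER + 1))
    return delays + ERASE_AFTER * ATTEMPT_SECONDS

def report():
    rows = []
    for name, (alphabet, length) in POLICIES.items():
        space = keyspace(alphabet, length)
        rows.append((name, space, exhaustive_seconds(space),
                     success_probability_with_erase(space)))
    return rows

if __name__ == "__main__":
    for name, space, secs, p in report():
        print(f"{name:24} keyspace={space:>13,} "
              f"exhaustive={float(secs) / 3600:10.1f} h  "
              f"p(hit before erase)={float(p):.1e}")
    print(f"ten attempts with delays take {float(time_to_erase_seconds()) / 60:.0f} min")
```

The 5 and a half year figure holds only for the six-character alphanumeric case; for short numeric passcodes the iteration count alone buys minutes to hours, which is why auto-erase is the control that matters most for them.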

On February 20, 2016, the FBI stated that "Apple may maintain custody of the software, destroy it after its purpose under the order has been served, refuse to disseminate it outside of Apple and make clear to the world that it does not apply to other devices or users without lawful court orders," the Justice Department told Judge Sheri Pym. "No one outside Apple would have access to the software required by the order unless Apple itself chose to share it."

What this statement means is that the vulnerability would be protected by Security Through Obscurity (STO). STO is the belief that a system of any sort can be secure so long as nobody outside of its implementation group is allowed to find out anything about its internal mechanisms. However, this logic is flawed. If the security of a system is maintained by keeping the implementation of the system a secret, the entire system collapses when the first person discovers how the security mechanism works. Just search the Internet to see how determined people are to discover these secrets.

This is opening a Pandora’s box that can’t be closed again. It will put people, companies, and governments at risk. Private data will be obtained without authorization, corporate systems will be breached, and national security will be weakened, because governments also rely on the same device protections in their operations.

References:

Decker, E. M. (2016, February 16). ED-15-0451M [Order Compelling Apple, Inc. To Assist Agents In Search]. California, Los Angeles. https://cdn2.vox-cdn.com/uploads/chorus_asset/file/6053155/in-the-matter-of-the-search.0.pdf

Cook, T. (2016, February 16). A Message to Our Customers. Retrieved March 18, 2016, from http://www.apple.com/customer-letter/

Vincent, J. (2016, February 17). Tim Cook: Apple will fight US demands to build an iPhone backdoor. Retrieved March 18, 2016, from http://www.theverge.com/2016/2/17/11031364/apple-encryption-san-bernardino-response

iOS Security. (2015, September). Retrieved March 18, 2016, from https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Dean, M., Herring, C., & Associated Press. (2016, February 20). DOJ Would Allow Apple To Keep or Destroy Software To Help FBI Hack iPhone. Retrieved March 18, 2016, from http://www.foxnews.com/us/2016/02/20/doj-would-allow-apple-to-keep-or-destroy-software-to-help-fbi-hack-iphone.html
