{"id":1898,"date":"2016-02-17T13:39:56","date_gmt":"2016-02-17T12:39:56","guid":{"rendered":"https:\/\/www.ofcourseimright.com\/?p=1898"},"modified":"2016-02-17T14:28:44","modified_gmt":"2016-02-17T13:28:44","slug":"apple-ordered-to-help-unlock-san-bernardino-iphone","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=1898","title":{"rendered":"Court Order to Apple to Unlock San Bernardino iPhone May Unlock Hackers"},"content":{"rendered":"

\"ScalesPreviously I opined<\/a> about how a dialog should occur between policy makers and the technical community over encryption.\u00a0 The debate has moved on.\u00a0 Now, the New York Times reports<\/a> that federal magistrate judge Sheri Pym has ordered Apple to facilitate access to the iPhone of\u00a0Syed Rizwan Farook<\/a>, one of the San Bernardino bombers.\u00a0 The Electronic Frontier Foundation<\/a> is joining Apple in fight against the order.<\/p>\n

The San Bernardino fight raises both technical and policy questions.<\/p>\n

Can Apple retrieve data off the phone?<\/h6>\n

Apparently not.\u00a0 According to the order<\/a>, Apple is required to install an operating system that would allow FBI technicians to make as many password attempts as they can without the device delaying them or otherwise deleting any information.\u00a0 iPhones have the capability of deleting all personal information after a certain number of authentication failures.<\/p>\n

You may ask: why doesn’t the judge just order Apple to create an operating system that doesn’t require a password?\u00a0 According to Apple<\/a>,\u00a0 the password used to access the device is itself a key encrypting key (KEK) that is used to gain access to decrypt the key that itself then decrypts stored information.\u00a0 Thus, bypassing the password check doesn’t get you any of the data.\u00a0 Thus, the FBI needs the password.<\/p>\n

What Apple can<\/strong> do is install a new operating system without the permission of the owner.\u00a0 There are good reasons for them to have this ability.\u00a0 For one, it is possible that a previous installation failed or that the copy of the operating system stored on a phone has been corrupted in some way.\u00a0 If technicians couldn\u2019t install a new version, then the phone itself would become useless.\u00a0 This actually happened to me, personally, as it happens.<\/p>\n

The FBI can’t build such a version of the operating system on their own.\u00a0 As is best practice, iPhones validate that all operating systems are properly digitally signed by Apple.\u00a0 Only Apple has the keys necessary to sign imagines.<\/p>\n

With a new version of software on the iPhone 5c, FBI technicians would be able to effect a brute force attack, trying all passwords, until they found the right one.\u00a0 This won’t be effective on later model iPhones because their hardware<\/strong> slows down queries, as detailed in this blog<\/a>.<\/p>\n

Would such a capability amount to malware?<\/h6>\n

Kevin S. Bankston, director of New Americas Open Technology Institute<\/a> has claimed that the court is asking Apple to create malware for\u00a0 the FBI to use on Mr. Farook\u2019s device.\u00a0 There’s no single clean definition of malware, but a good test as to whether the O\/S the FBI is asking for is in fact malware is this: if this special copy of the O\/S leaked from the FBI, could \u201cbad guys\u201d (for some value of \u201cbad guys\u201d) also use the software against the \u201cgood guys\u201d (for some value of \u201cgood guys\u201d)?\u00a0 Apple has the ability to write into the O\/S a check to determine the serial number of the device.\u00a0 It would not be possible for bad guys to modify that number without invalidating the signature the phone would check before loading.\u00a0 Thus, by this definition, the software would not amount to malware.\u00a0 But I wouldn\u2019t call it goodware, either.<\/p>\n

Is a back door capability desirable?<\/h6>\n

Unfortunately, here there are no easy answers, but trade-offs.\u00a0 On the one hand, one must agree that the FBI\u2019s investigation is impeded by the lack of access to Mr. Farook\u2019s iPhone, and as other articles show, this case is neither the first, nor will it be the last, of its kind.\u00a0 As a result, agents may not be able to trace leads to other possible co-conspirators.\u00a0 A\u00a0 Berkman Center study claims that law enforcement has sufficient access to metadata to determine those links, and there\u2019s some reason to believe that.\u00a0 When someone sends an email, email servers between the sender and recipient keep a log that a message was sent from one person to another.\u00a0 A record of phone calls is kept by the phone company.\u00a0 But does Apple keep a record of FaceTime calls?\u00a0 Why would they if it meant a constant administrative burden, not to mention additional liability and embarrassment, when (not if) they suffer a breach?\u00a0 More to the point, having access to the content on the phone provides investigators clues as to what metadata to look for, based on what applications were installed and used on the phone.<\/p>\n

If Apple had the capability to access Mr. Farook\u2019s iPhone, the question would then turn to how it would be overseen.\u00a0 The rules about how companies\u00a0 handle customer data vary from one jurisdiction to another.\u00a0 In Europe, the Data Privacy Directive<\/a> is quite explicit, for instance.\u00a0 The rules are looser in the United States.\u00a0 Many are worried that if U.S. authorities have access to data, so will other countries, such as China or Russia.\u00a0 Those worries are not unfounded: a technical capability knows nothing of politics.\u00a0 Businesses fear that if they accede to U.S. demands, they must also accede to others if they wish to sell products and services in those countries.\u00a0 This means that there’s billions of dollars at stake.\u00a0 Worse, other countries may demand more intrusive mechanisms.\u00a0 As bad as that is, and it’s very bad, there is worse.<\/p>\n

The Scary Part<\/h6>\n

If governments start ordering Apple to insert or create malware, what other technology will also come under these rules?\u00a0 It is plain as day that any rules that apply to Apple iPhones would also apply to Android-based cell phones.\u00a0 But what about other devices, such as\u00a0 televisions?\u00a0 How about\u00a0 Refrigerators?\u00a0 Cars?\u00a0 Home security systems?\u00a0 Baby monitoring devices?\u00a0 Children’s Toys?\u00a0 And this is where it gets really scary<\/strong>.\u00a0 Apple has one of the most competent security organizations in the world.\u00a0 They probably understand device protection better than most government clandestine agencies.\u00a0 The same cannot be said for other device manufacturers.\u00a0 If governments require these other manufacturers to provide back door access to them, it would be tantamount to handing the keys to all our home to criminals.<\/p>\n

To limit this sort of damage, there needs to be a broad consensus as to what sorts of devices governments should be able to access, under what circumstances that access should happen, and how that access will be overseen to avert abuse.\u00a0 This is not an easy conversation.\u00a0 That’s the conversation Apple CEO Tim Cook is seeking<\/a>.\u00a0 I agree.<\/p>\n","protected":false},"excerpt":{"rendered":"

A judge’s order that Apple cooperate with federal authorities in the San Bernardino bombing investigation may have serious unintended consequences. There are no easy answers. Once more, a broad dialog is required.<\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[87,4,9],"tags":[57,433,37,496],"class_list":["post-1898","post","type-post","status-publish","format-standard","hentry","category-internet","category-politics","category-security","tag-apple","tag-justice","tag-privacy","tag-security"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1898"}],"version-history":[{"count":4,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1898\/revisions"}],"predecessor-version":[{"id":1908,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/1898\/revisions\/1908"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}