Or “Why Apple is right and the FBI is wrong”.
I’ve made a short list of the things I can see that are “wrong” with the position taken by the FBI on the question of forcing Apple to create an unlockable version of their operating system. (I’ll be calling that “The Hack” further down).
The basic problem for the FBI is that Apple has put security features into their operating system that make “guessing” the unlock code a bad strategy. BTW, this is common in other places, too. The iPhone can be set to give you 10 “guesses” on the unlock code, after which it erases all the data in the phone. Since there are many possible unlock codes (10,000 for 4 digits, 1,000,000 for 6), it is unlikely you will ‘get it right’ in 10 tries and highly likely that the phone will be scrubbed and / or bricked. (Bricking meaning locked up, never to be opened again.)
That feature set was not in older iPhones, so all the arguments of the form “Apple helped them get into other iPhones” are broken arguments. Apple helped them get into a completely different kind of iPhone that did not require breaking these security features.
That’s the basic problem. The FBI wants a “hack” that lets them have unlimited “guesses” to unlock the phone, so they can then take out the information. There is a second obstacle: the software also prevents guessing at computer speeds. After a few wrong guesses you can only try again at human speed, waiting longer and longer before the next attempt is accepted. The FBI wants that taken out too, so that an automated search can be run over the unlock code keyspace.
Now think for just a moment about what happens if you try too many times to get into your bank account or even your online email. For many / most systems you either get increasingly long wait times (usually exponentially so) or you simply get a password lockout and must get a password reset from the vendor (for some vendors, they can’t do that and you are just locked out forever). This is the usual and customary way of doing things. The FBI wants to change the usual and customary so that THEY get unfettered access.
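To make the arithmetic behind those three paragraphs concrete, here is a small simulation, added as an illustration and not code from the original post or from Apple. It models a handset with the two protections described above (escalating delays after repeated misses, and a wipe after 10 misses) and then the same handset with both protections switched off, which is what “The Hack” amounts to. The delay schedule, the 80 ms per-guess cost and the passcode “7421” are constructed for the example; they are not Apple’s published figures.

```python
import itertools
from dataclasses import dataclass

WIPE_AFTER = 10  # the post's figure: ten wrong guesses, then the data is erased

# Illustrative escalating delays (seconds), keyed by the running count of
# failed guesses. Constructed for this example; not Apple's actual schedule.
ESCALATING_DELAY = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


@dataclass
class Handset:
    """A toy model of a passcode-protected phone with a simulated clock."""
    passcode: str
    enforce_delays: bool = True    # "human speed" guessing only
    wipe_on_failures: bool = True  # erase after WIPE_AFTER misses
    failures: int = 0
    wiped: bool = False
    clock: float = 0.0             # simulated seconds spent on attempts/waits

    def try_unlock(self, guess: str, per_attempt: float) -> str:
        """Submit one guess. Returns 'unlocked', 'wrong', or 'wiped'."""
        if self.wiped:
            return "wiped"
        self.clock += per_attempt  # every guess pays the key-derivation cost
        if guess == self.passcode:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.enforce_delays:
            self.clock += ESCALATING_DELAY.get(self.failures, 0)
        if self.wipe_on_failures and self.failures >= WIPE_AFTER:
            self.wiped = True
            return "wiped"
        return "wrong"


def brute_force(handset: Handset, alphabet: str = "0123456789",
                length: int = 4, per_attempt: float = 0.08):
    """Enumerate the whole keyspace in order, stopping at unlock or wipe.

    Returns (outcome, attempts_made, simulated_seconds). The 80 ms default
    per-attempt cost is an assumed figure for this example.
    """
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        result = handset.try_unlock("".join(combo), per_attempt)
        if result != "wrong":
            return result, attempts, handset.clock
    return "exhausted", attempts, handset.clock


def worst_case_seconds(alphabet_size: int, length: int,
                       per_attempt: float = 0.08) -> float:
    """Time to try every code once the delay and wipe features are gone."""
    return alphabet_size ** length * per_attempt


def apply_the_hack(handset: Handset) -> Handset:
    """What the requested firmware change amounts to: both protections off."""
    handset.enforce_delays = False
    handset.wipe_on_failures = False
    return handset


if __name__ == "__main__":
    stock = Handset("7421")            # constructed sample passcode
    print("stock handset:", brute_force(stock))
    hacked = apply_the_hack(Handset("7421"))
    print("hacked handset:", brute_force(hacked))
    for digits in (4, 6):
        hours = worst_case_seconds(10, digits) / 3600
        print(f"{digits}-digit keyspace, no protections: {hours:.1f} hours worst case")
```

With the protections on, the enumeration never gets past the tenth guess: the phone wipes after roughly an hour and a half of forced waiting, and the data is gone. With both protections off, the same enumeration finds “7421” on the 7,422nd try in under ten minutes, and even a full 4-digit keyspace takes only minutes; a 6-digit one is still a matter of hours. That gap is the entire value of the feature, and the entire point of the demand.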
Once Apple has done this, all other vendors WILL be subject to this same legal precedent. It doesn’t matter at all that the FBI says they don’t care about the precedent, it will still exist.
All arguments of the form “The FBI doesn’t want to set a precedent” are void since a precedent WILL be set, want it or not.
So that’s our basic problem space.
What are the specific “issues” I see, beyond just the FBI wanting in and Apple saying “no”? Here’s my list with a few notes. I’m sure there are other issues as well, and folks are welcome to add anything they see that I’ve missed.
This DOES create a generic Hack Tool
This is NOT the same as prior phone unlocks. This creates a capability that all sorts of folks will want to grab. It is fundamentally the equivalent of an iPhone Encryption Nuclear Bomb. It, simply put, causes massive destruction of the security feature across all iPhones globally. ANYONE who gets their hands on this new weak version of the operating system can open any iPhone. That’s the whole design goal of the software the FBI is demanding: Open an iPhone against the will of the owner.
Yes, the warrant says to ‘key’ the unlock code to that one phone in some half-assed attempt to prevent a general solution; however, that is simply dumb. (Sorry judge, it is). That just means any stolen copy will need to have one device identifier swapped for another (or perhaps a hashed version of it). “Agencies” deal with that kind of problem all the time. Hard, but not too hard. Furthermore, before you can do that ‘key to one phone’ step you must create the software that does the unlock and test it to show it works. Either you are going to create it without the ‘key to the phone’ check and then add that step (thus first making the ‘not keyed to one phone’ generic tool), or you are going to key it to some other phone for testing, then change the key. That creates the “update the identifier for a new phone” process and / or code. In either case, you have a general purpose unlock tool. Any argument of the form “It is just this one phone” is bogus and ignorant.
A VERY valuable Hack Tool brings new threats
This tool is now VERY valuable. The iPhone is now used for all sorts of financial transactions. It is more correctly a ‘pocket computer that makes calls’ than just a phone with features. We’re talking $Billions of dollars behind those accounts that can be exposed via an unlock feature. This changes the nature of the folks who would want that tool. No longer just a kid down the street hacking for fun and a thrill. We now bring in all sorts of State actors and Agencies and organized crime. The existence of the unlock code paints a Giant $Billion Target on the back of Apple.
Quis custodiet ipsos custodes?
Who will watch the watchers and who will guard the guards?
But not just Apple as a legal entity. It also paints a target on the programmers involved, on the data archive and I.T. department, on the managers of those areas, on their service providers (like telcos and networks) and on down the list to the janitors that have access to the building. Who is going to keep them all safe for decades? Who is going to assure not one of them succumbs to a $Million bribe? (Perhaps coming with an offer of a free mansion in China… and State protection). Who is going to assure they NEVER get a photo in their email of their family, taken through a gun sight… Who is going to assure no non-state actor ever gets access to that program or any backup / archive copies of it? Even if they present a perfect work history, no ‘priors’, and apply for a job working in that group? Are you going to forbid Muslims from getting jobs in that group? Really? Are you going to cover the discrimination law suits if you do? Who is going to assure ISIS and / or any other such group doesn’t get someone planted? Or Russia or China or Germany or the UK or…
When I ran a secure site, we had to deal with such issues. We found out that, then, the going rate to subvert an employee was about $3000. Yeah, that cheap. Call it $30,000 today and it is still cheap. For that, you can, typically, buy physical access to a site, or get a copy of the backup tapes dropped off. We took great pains to assure that was not possible at our site, but bump that up to $100,000 and even our measures would likely have failed. Oh, and we would not have been resistant to that telescopic sight photo of family nor to State actors with “other means”… The site I ran had a large Cray and it was considered “Export of a Munition” to let “the wrong people” have accounts on it. I was subject to a prison term if I made a mistake on granting access. I’ve dealt with this world, at least from the border post to it… BTW, we specifically decided NOT to put in truck barriers around our computer room figuring we didn’t have anything valuable enough to worry about ‘explosive entry’. With The Hack code, ‘explosive entry’ would be an expected risk. Apple would need to build a bunker somewhere to properly protect it, even during development. Yes, it is THAT big a risk.
As someone who kept the Apple Engineering Network and Supercomputer Center safe for over 7 years, I’ve spent some of the “best years of my life” solving just this kind of problem, and that was 25 years ago when we had a much simpler problem set to defend against. With the present set of risks (including all the weaknesses in operating systems and security methods put in place by our own NSA and buggered firmware in devices from China and including weaknesses / exposures from having web enabled code run on most platforms) I’m fairly confident that kind of “never got hacked” record cannot be repeated. Especially against this caliber of threat level. It is that which is meant when Tim Cook says The Hack is “too risky to create”. He KNOWS he will get that gunsight photo (and perhaps a ‘buy out offer’ from a Chinese company and…)
Frankly, protecting The Hack during development and testing scares the poo out of me. The code will exist at a minimum in a data vault / archive, on the development computers, and on backups of everything. It will be accessible as it passes through network devices (and wires) and unless care is taken to shield the building, via the air (either as WiFi network access, as WiFi snooping, or as ‘leakage’ in Spy vs Spy tools that can scrape screens and capture keystrokes). It could well end up on some USB dongles for a ‘grab and go’ exploit, too. Locking all that down would take Lockheed Blue Cube or NSA site security levels… yet how well did those work against Snowden? Hmmm? It is easy to secure something of little value, but The Hack is of very high value.
Apple must protect The Hack code and any device it has ever been on (or destroy them quickly) for a very long time. Further, it must provide exceptional levels of protection to the PEOPLE and the PLACES where they work, potentially for years to decades. A level of protection that is presently not in evidence, even at the NSA.
Slave Labor Is Illegal
So who is going to pay for all this added labor and security? Last time I looked, slave labor was illegal. Here the FBI is NOT just asking for a device or software to be handed over, it is asking for labor to be expended, against the will of the provider, and without payment. Last I looked, that was called slavery. Is it OK to enslave companies as long as the employees are paid? To steal from the shareholders? Do we want to establish that precedent? (And it will be a precedent if it happens.)
It Breaks the iPhone, a “taking”
The Hack exists for the purpose of breaking security on the iPhone. As that is a major feature, The Hack breaks the iPhone. This has implications. Implications cannot be simply ignored. This constitutes “a taking” under law. The value spent by millions of iPhone users will be destroyed for the benefit of the FBI, the US Government (and, via the precedent set) dozens of OTHER governments world wide. Who will be paying all those iPhone owners for the “taking”? Who will make good their losses when a Chinese Customs agent takes their phone to the back room “for inspection” and sucks all the information out? Who will compensate Apple for lost sales (to ANY and ALL innocent people who want a really secure phone) once this deed is done? How will the “taking” be compensated? Hmmm? And make no mistake about it, there will be others happy to provide a competitor to Apple in the “security” space, and some of them well outside the reach of US law. https://chiefio.wordpress.com/2016/02/14/some-security-bits/ at the bottom has a competitor secure phone review.
The Hack WILL eventually leak
It is just a matter of time. All encryption is a race against time. Over time, weaknesses are exposed. Even if the code is stored on an encrypted disk, briefly, and then erased once the phone is unlocked, there will be backups, or someone will have ‘snagged a copy’. Eventually even what is today unbreakable becomes breakable. Methods improve, computers get faster.
So The Hack will eventually be free ‘in the wild’. The only question is “How soon?”. Soon enough to be a problem, or only a historical artifact? Nobody knows.
My bet would be on “about 2 years”. After the first year, folks will start getting sloppy about it. There will also have been another doubling of compute power via Moore’s Law. State Actors who ‘snagged a copy’ of it even as encrypted network traffic and / or encrypted disk will likely have found a way to get the goods out. Or they will have paid someone enough money to get an Apple badge and access.
What will the world do then? Probably buy the iPhone 27 … but I snark ;-)
This WILL set bad security precedents
It does not matter one bit what the FBI says about precedent, they will be setting them no matter what anyone wants. The precedent for slave labor. The precedent for unfettered access. The precedent for “create custom code on demand”. The precedent for “break your product for us”. The precedent for “Use YOUR secret signing key for OUR purposes”. And likely a few more.
We will need to live with those precedents for a very long time.
Unbreakable Encryption is already here, and has been for a while
From “One-Time Pads” to several years of use of the Enigma Device by the Nazis in W.W.II, we’ve always lived in a world with “Unbreakable” Encryption. (Though the Enigma was broken due to some spectacular skill, luck in capturing machines and key material, and stupidity on the part of the users in repeating sign on / off message headers and footers). Some encryption, like the one-time pad, remains unbreakable forever if used properly (a truly random key, at least as long as the message, used once and kept secret). The Navajo Code Talkers were Unbreakable during W.W.II and kept a national secret until just a few decades back (that same system would still work, IMHO). Even now, our online banking and dozens of other uses (including the “Software Signing Key” used by Apple and others to assure only official updates to software get installed) are all based on encryption that is, at present, unbroken in practice.
There is nothing new, at all, in the ‘threat’ of unbreakable encryption. Any argument of the form that this is somehow new or an existential threat is bogus. It’s a very old and very mundane threat at best.
So the FBI wants to have unbreakable encryption broken and to establish the precedent that it MUST be done “on demand”. That, then, will assure ALL those other uses are subject to the same rules. No bank, no telecom company, no software company, heck, no television maker, will stand in the way if Apple folds. Expect the Internet Of Things to be full of Government Eyes and Ears and ALL communications (including the microphone and camera in your laptop or your internet connected TV) to be pwned by them. Oh, and EVERY OTHER GOVERNMENT on the planet too. (What? You think only the USA would use the power of law to force divulgence of The Hack and / or creation of new ones? A precedent is a global thing…)
But Wait, there’s More:
Al Qaeda and ISIS already have their own I.T. departments and already have created their own encryption and messaging tools. They have a hot line message system to tell folks what is secure, and what isn’t. At best, the FBI demand for The Hack will simply move all of their traffic onto those systems and off of the iPhone.
I’d speculate further that the reason the other devices were destroyed and this one was not is simply because there is nothing of interest on it. The San Bernardino shooters were not dumb. They knew which devices to break and which to ignore. They most likely were already using those non-US sourced encrypted apps to communicate, and not the Apple device. The Apple iPhone requires that you get apps from the approved vetted source. Not the kind of thing that is attractive to the Jihadi I.T. Department…
So we’re going through all these histrionics for what? All the shouting over “IF YOUR FAMILY WERE AT RISK!!!” is just political sob story machinery. They ARE at risk, but not from the iPhone. From those other devices that used the ISIS Approved Apps or the Al Qaeda Approved Apps, not the iPhone that uses Apple Approved apps and doesn’t allow the use of the unapproved ones. (Yes, with a lot of work you can jailbreak your phone and get unapproved apps onto it, but for a phone issued by your employer, you would have the constant risk of THEIR I.T. department noticing and blowing the whistle on you. Not a risk worth taking.)
In short, The Hack will do precisely NOTHING to uncover any plot, protect anyone in the future, or prevent terrorists from using unbreakable encryption. They already have it in a ‘roll your own’ way, and would rather use other devices where they can install the apps of their choice from their own I.T. department.
You Will Never Know The Hack Was Spread
It is very important to realize that after the FBI gets The Hack made, it will be immediately available to the NSA and others, and YOU will never be allowed to know it was taken by them for their use.
Under FISA procedures, all hearings and decisions are conducted in secret. The Department of Justice has not disclosed even the most basic information about the court’s activities despite repeated requests from Congress, the American Civil Liberties Union and other advocacy groups.
Furthermore, by skirting reports of illegal warrants and unlawful surveillance by the FISA court itself, the FISA Court of Appeals and the U.S. Supreme Court have failed to address several fundamental issues. It is critical that the Congress ensure our judicial system is lawful and proper by providing proper oversight of this secret court.
So the NSA walks up to the FISA court, says “We need a copy to combat terrorism” and they are given a positive ruling. At that point, Apple can say exactly nothing. It’s all a secret and you go to jail for spilling anything. So the next Snowden can then leak The Hack to the world from the NSA… if it hasn’t already leaked from someone else.
Violation Of Contract
This is the most minor of the issues, IMHO. The Hack is a violation of implied contract. In all sorts of materials, Apple has promoted their security. To then create The Hack is a violation of the implied contract to provide that security. Many governments and agencies around the world depended on those assurances when they bought the product. (I’ve seen one report that this feature set was put in at the request of one US Agency so that they would be able to buy the phones).
Every person who bought any iPhone subject to The Hack can now walk into small claims court and claim a loss due to breach of implied contract to provide a secure phone. Who’s going to pay for all that legal time? All those phones?
Don’t tell me it won’t happen. It is a very large world full of many different legal systems. Somewhere it will be upheld as a breach of contract. Then there’s that whole precedent thing again…
Then all the loss of marketing value and sales comes back to the “taking” aspect…
I think this makes clear some of the more murky corners of this issue. It isn’t just a simple “Apple wants to sell to criminals” vs “Apple wants to protect my privacy” vs “The FBI wants everything”.
It is also SPY vs SPY on a global scale. It opens Apple to all sorts of risks, costs, and hideous side effects. At the same time, it does NOTHING to prevent unbreakable encryption communications by bad actors, since they already have their own “app for that”. (Several, in fact). All the time opening every single one of us to attack from all corners of the globe WHEN (and it is a when) The Hack leaks out, or is bribed out, or is extorted out, or FISA gets a request…
Apple is doing the right and moral thing. It is the Government that is being excessive and grabby.