Saturday, 20 February 2016

Breaking the iPhone's encryption

For the last few days the internetz has been in an uproar. If you haven't heard then have a look at this:
Apple ordered to help the US government. For the TL;DR folks out there:

  • some terrorist killers in the USA used an iPhone 5C
  • the FBI want to know what was on the phone
  • the phone has that lock where 10 incorrect pins wipes it
  • a judge has ordered our old mates at Apple to disable the wipe function so the FBI can break in
  • Apple have told them to go away and refused to do it
So, gentle reader, why do we care about this? A bit of backstory might be useful...

The iPhone has quite solid built in encryption. Check out the Apple Privacy policy here for all the goods (PDF download) https://www.apple.com/business/docs/iOS_Security_Guide.pdf - lots of goodies in there. From iOS 8 onwards, the basic iPhone data was heavily encrypted, and Apple have always claimed they don't access passcodes or data. Here is their privacy policy if you'd like to have a read: Apple's Privacy Policy

Bottom line: Apple have long claimed that without the passcode an iPhone is basically inaccessible and now the FBI have a judge ordered Apple to disable this protection. This is a pretty full on hack. In his open letter, Tim Cook, the Apple CEO basically said we'll have to rewrite the code, install it on this iPhone and then let the FBI in. Oh and now that's out in the open, welcome thieves, pirates and governments who want access to iPhones! Prior to iOS 8, Apple had assisted law enforcement with access to iPhones in the past, but now they're saying we can't do this anymore. Tim Cook's letter is here: Apple Letter to our Customers and all the details are here. 

My analysis of what this means for us, the consumer, is that once again law enforcement and government have requested the capabilities to break through our privacy. At the moment, Apple users are reasonably confident of the privacy of their devices. If you lose it then best of luck to anyone try to break into it. Different to an Android device with an SD card in it - where you could pinch the SD card and get whatever you want, unless it's encrypted. The iPhone does this already. I was looking the other day at the security of Apple Notes. It's encrypted on the device, in iCloud (if you use it) and in transit between the two. I'm not sure it's encrypted on your Mac though - something to check. My point is that the security is pretty good out of the box. Not being a chap involved in dodgy behaviour I've never had a real need to have heavy protection on my iPhone but I was certainly pleased to see that I had decent encryption on the device. 

I think there's a parallel here between Pandora's Box and introducing a back door into iOS. When Pandora opened the box and let evil into the world the big corporations were born (yes I have a hate for them and yes I'm aware of the inherent irony of using Blogger to write this - a part of the biggest corporation Google!), in this instance, once the iPhone's security is broken to allow law enforcement  a backdoor in, that's a genie that doesn't go back into the bottle. From there, it's relatively easy to see how the police or feds get compromised and that backdoor gets into the wild. Voila! No security any more for people's devices and anything you put on them might as well be in the public domain. Apple have said they won't comply with the order and that it's technically very difficult. I believe them. Encryption is tricky at the best of times and getting it right is hard. Breaking back into it, once you've worked so hard to establish it isn't easy. 

This story has garnered a lot of press in the last few days and there are plenty of people talking about it which is important. The right to privacy, which I think is closely linked to the core desire for security of oneself is critical. I hope that Apple fight this one hard and/or make it incredibly difficult for the hack to be repeated. I understand law enforcement need access to stuff to prosecute etc. I do understand that. But with so much warrantless invasion of privacy I'm not inclined to be a huge supporter. In a small scale this probably seems callous - those poor people murdered by the crazies and I don't want to know the truth about it all! Shame on you ryv! But in the broader scope, this affects all iPhone user's security and I'm concerned about that too. 

I'll be keeping an eye on this issue as it develops - if you're an iPhone user, you should too.

No comments:

Post a Comment