Skip to main content

Breaking the iPhone's encryption

For the last few days the internetz has been in an uproar. If you haven't heard then have a look at this:
Apple ordered to help the US government. For the TL;DR folks out there:

  • some terrorist killers in the USA used an iPhone 5C
  • the FBI want to know what was on the phone
  • the phone has that lock where 10 incorrect pins wipes it
  • a judge has ordered our old mates at Apple to disable the wipe function so the FBI can break in
  • Apple have told them to go away and refused to do it
So, gentle reader, why do we care about this? A bit of backstory might be useful...

The iPhone has quite solid built in encryption. Check out the Apple Privacy policy here for all the goods (PDF download) https://www.apple.com/business/docs/iOS_Security_Guide.pdf - lots of goodies in there. From iOS 8 onwards, the basic iPhone data was heavily encrypted, and Apple have always claimed they don't access passcodes or data. Here is their privacy policy if you'd like to have a read: Apple's Privacy Policy

Bottom line: Apple have long claimed that without the passcode an iPhone is basically inaccessible and now the FBI have a judge ordered Apple to disable this protection. This is a pretty full on hack. In his open letter, Tim Cook, the Apple CEO basically said we'll have to rewrite the code, install it on this iPhone and then let the FBI in. Oh and now that's out in the open, welcome thieves, pirates and governments who want access to iPhones! Prior to iOS 8, Apple had assisted law enforcement with access to iPhones in the past, but now they're saying we can't do this anymore. Tim Cook's letter is here: Apple Letter to our Customers and all the details are here. 

My analysis of what this means for us, the consumer, is that once again law enforcement and government have requested the capabilities to break through our privacy. At the moment, Apple users are reasonably confident of the privacy of their devices. If you lose it then best of luck to anyone try to break into it. Different to an Android device with an SD card in it - where you could pinch the SD card and get whatever you want, unless it's encrypted. The iPhone does this already. I was looking the other day at the security of Apple Notes. It's encrypted on the device, in iCloud (if you use it) and in transit between the two. I'm not sure it's encrypted on your Mac though - something to check. My point is that the security is pretty good out of the box. Not being a chap involved in dodgy behaviour I've never had a real need to have heavy protection on my iPhone but I was certainly pleased to see that I had decent encryption on the device. 

I think there's a parallel here between Pandora's Box and introducing a back door into iOS. When Pandora opened the box and let evil into the world the big corporations were born (yes I have a hate for them and yes I'm aware of the inherent irony of using Blogger to write this - a part of the biggest corporation Google!), in this instance, once the iPhone's security is broken to allow law enforcement  a backdoor in, that's a genie that doesn't go back into the bottle. From there, it's relatively easy to see how the police or feds get compromised and that backdoor gets into the wild. Voila! No security any more for people's devices and anything you put on them might as well be in the public domain. Apple have said they won't comply with the order and that it's technically very difficult. I believe them. Encryption is tricky at the best of times and getting it right is hard. Breaking back into it, once you've worked so hard to establish it isn't easy. 

This story has garnered a lot of press in the last few days and there are plenty of people talking about it which is important. The right to privacy, which I think is closely linked to the core desire for security of oneself is critical. I hope that Apple fight this one hard and/or make it incredibly difficult for the hack to be repeated. I understand law enforcement need access to stuff to prosecute etc. I do understand that. But with so much warrantless invasion of privacy I'm not inclined to be a huge supporter. In a small scale this probably seems callous - those poor people murdered by the crazies and I don't want to know the truth about it all! Shame on you ryv! But in the broader scope, this affects all iPhone user's security and I'm concerned about that too. 

I'll be keeping an eye on this issue as it develops - if you're an iPhone user, you should too.

Comments

Popular posts from this blog

Plone - the open source Content Management System - a review

One of my clients, a non-profit, has a lot of files on it's clients. They need a way to digitally store these files, securely and with availability for certain people. They also need these files to expire and be deleted after a given length of time - usually about 7 years. These were the parameters I was given to search for a Document Management System (DMS) or more commonly a Content Management System (CMS). There are quite a lot of them, but most are designed for front facing information delivery - that is, to write something, put it up for review, have it reviewed and then published. We do not want this data published ever - and some CMS's make that a bit tricky to manage. So at the end of the day, I looked into several CMS systems that looked like they could be useful. The first one to be reviewed was OpenKM ( www.openkm.com ). It looked OK, was open source which is preferable and seemed to have solid security and publishing options. Backing up the database and upgradin

Musings on System Administration

I was reading an article discussing forensic preparation for computer systems. Some of the stuff in there I knew the general theory of, but not the specifics of how to perform. As I thought about it, it occurred to me that Systems Administration is such a vast field. There is no way I can know all of this stuff. I made a list of the software and operating systems I currently manage. They include: - Windows Server 2003, Standard and Enterprise - Exchange 2003 - Windows XP - Windows Vista - Windows 2000 - Ubuntu Linux - OpenSuSE Linux - Mac OSX (10.3 and 10.4) - Solaris 8 - SQL 2005 - Various specialised software for the transport industry I have specific knowledge on some of this, broad knowledge on all of it, and always think "There's so much I *don't* know". It gets a bit down heartening sometimes. For one thing - I have no clue about SQL 2005 and I need to make it work with another bit of software. All complicated and nothing straightforward. Irritating doesn&

elementary OS 5.1 Hera - a review and a revisit

 It's been ages since I used a desktop Linux distribution - being up to my ears in the horror of implementing ISO 27001 doesn't leave you much time to play around with computers - too busy writing policies, auditing and generally trying to improve security to a formally acceptable and risk managed level. I need a quick, small OS though to do the occasional network scan, view the contents of a dodgy file on and for general, low impact activities. I remembered reviewing elementary OS ( elementary.io ) some time ago ( see  https://www.ryv.id.au/2015/01/elementary-os-review.html ) from 2015 so I thought it was worth a revisit.  I downloaded the ISO from their website, forgoing to donation for the moment while I review it. If it turns out I'm going to keep using it, I'll send them some love. The ISO is 1.38GB in size and I booted it in a VMware Player instance. From go to whoa (I won't include the install photos here) it took about 10 minutes with a dual vCPU and 4GB of