Breaking the iPhone's encryption

For the last few days the internetz has been in an uproar. If you haven't heard then have a look at this:
Apple ordered to help the US government. For the TL;DR folks out there:

  • some terrorist killers in the USA used an iPhone 5C
  • the FBI want to know what was on the phone
  • the phone has that lock where 10 incorrect pins wipes it
  • a judge has ordered our old mates at Apple to disable the wipe function so the FBI can break in
  • Apple have told them to go away and refused to do it

So, gentle reader, why do we care about this? A bit of backstory might be useful...

The iPhone has quite solid built-in encryption. Check out the Apple Privacy policy here for all the goods (PDF download): https://www.apple.com/business/docs/iOS_Security_Guide.pdf - lots of goodies in there. From iOS 8 onwards, the basic iPhone data was heavily encrypted, and Apple have always claimed they don't access passcodes or data. Here is their privacy policy if you'd like to have a read: Apple's Privacy Policy

Bottom line: Apple have long claimed that without the passcode an iPhone is basically inaccessible, and now the FBI have had a judge order Apple to disable this protection. This is a pretty full-on hack. In his open letter, Tim Cook, the Apple CEO, basically said we'll have to rewrite the code, install it on this iPhone and then let the FBI in. Oh, and now that's out in the open, welcome thieves, pirates and governments who want access to iPhones! Prior to iOS 8, Apple had assisted law enforcement with access to iPhones, but now they're saying we can't do this anymore. Tim Cook's letter is here: Apple Letter to our Customers and all the details are here.

My analysis of what this means for us, the consumer, is that once again law enforcement and government have requested the capabilities to break through our privacy. At the moment, Apple users are reasonably confident of the privacy of their devices. If you lose it then best of luck to anyone trying to break into it. That's different to an Android device with an SD card in it, where you could pinch the SD card and get whatever you want, unless it's encrypted. The iPhone does this encryption already. I was looking the other day at the security of Apple Notes. It's encrypted on the device, in iCloud (if you use it) and in transit between the two. I'm not sure it's encrypted on your Mac though - something to check. My point is that the security is pretty good out of the box. Not being a chap involved in dodgy behaviour, I've never had a real need to have heavy protection on my iPhone, but I was certainly pleased to see that I had decent encryption on the device.

I think there's a parallel here between Pandora's Box and introducing a backdoor into iOS. When Pandora opened the box and let evil into the world, the big corporations were born (yes I have a hate for them and yes I'm aware of the inherent irony of using Blogger to write this - a part of the biggest corporation, Google!). In this instance, once the iPhone's security is broken to allow law enforcement a backdoor in, that's a genie that doesn't go back into the bottle. From there, it's relatively easy to see how the police or feds get compromised and that backdoor gets into the wild. Voila! No security any more for people's devices, and anything you put on them might as well be in the public domain. Apple have said they won't comply with the order and that it's technically very difficult. I believe them. Encryption is tricky at the best of times and getting it right is hard. Breaking back into it, once you've worked so hard to establish it, isn't easy.

This story has garnered a lot of press in the last few days and there are plenty of people talking about it, which is important. The right to privacy, which I think is closely linked to the core desire for security of oneself, is critical. I hope that Apple fight this one hard and/or make it incredibly difficult for the hack to be repeated. I understand law enforcement need access to stuff to prosecute etc. I do understand that. But with so much warrantless invasion of privacy I'm not inclined to be a huge supporter. On a small scale this probably seems callous - those poor people murdered by the crazies and I don't want to know the truth about it all! Shame on you ryv! But in the broader scope, this affects all iPhone users' security and I'm concerned about that too.

I'll be keeping an eye on this issue as it develops - if you're an iPhone user, you should too.
