by Virgil Vaduva
For all the criticism Apple receives from users about its products, design or pricing, there is one thing that Apple should be commended for, namely the focus on security of their users’ data and implementation of encryption across all their mobile devices by default. In fact both Apple and Google now enable full device encryption by default on all devices running iOS version 8 or Android Marshmallow (version 6); this means that full disk encryption will be mandatory for all users.
This decision has broad implications from a security perspective: devices which are stolen or lost will be safe from malicious users who attempt to recover data from them via brute force attacks against a user’s password, because such attempts cause the device to be “wiped out.” Malicious users will also be unable to mount the encrypted volume of a device in order to read data from it.
Of course, the government has a problem with this.
The recent case of the San Bernardino shooting spree is what brings us here. The iPhone (model 5c) of one of the shooters was encrypted and the FBI is unable to brute force the password. And when the FBI cannot get their way, they go to a judge and ask for a piece of paper that would force someone to help them out, in this case, Apple.
In a document titled “Order compelling Apple Inc to Assist Agents in Search,” a Federal magistrate ordered Apple to take several steps to undermine the security of the suspect’s iPhone.
The steps demanded in the order include (1) bypassing the auto-erase feature, (2) allowing the FBI to repeatedly submit passwords to unlock the device and (3) eliminating the delay introduced by entering incorrect passwords. If you don’t think that is bad enough, the FBI is even demanding a custom-built iOS release that has the three features specified above disabled, is hard-coded with the phone’s UDID, and can be loaded on the phone via the native Device Firmware Upgrade method, which would allow the FBI to continue brute-force attempts against the device.
This order is unprecedented and a blatant overreach (as usual) by the FBI investigators. Without any evidence that the phone contains any data useful to their investigation, the FBI is attempting to force a corporate entity to spend time and resources to build a custom operating system to subvert most of the security controls originally implemented in the OS.
The good news is that Apple said no. Yesterday, Apple’s CEO Tim Cook wrote a public letter excoriating the FBI for their request and explaining how this is an unprecedented attack on the privacy of all mobile device users and also an attack on Apple’s ability to design and release secure software. In no uncertain terms, Cook said that Apple will oppose this order and the company will not comply with it:
While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.
The future will tell how far the FBI is willing to go to pursue their schemes. Will they arrest Apple employees if they refuse to comply? Will they fine Apple?
And what dangerous precedent will this establish? If anything good comes out of it, I hope that it will force both Apple and Google to build even more secure devices, which will be impervious to such out-of-band attacks in the future, even with orders from Federal judges.
I wholly support Apple for their stance on privacy and security, and so should you.
Virgil Vaduva is a Libertarian security professional, journalist, photographer and overall liberty freak. He spent most of his life in Communist Romania and participated in the 1989 street protests which led to the collapse of the Ceausescu regime. He can be reached at vvaduva at truthvoice.com.