By Eric Beasley
Earlier today, Tim Cook, the CEO of Apple, posted a public letter concerning a tiff with the Federal Bureau of Investigation. Apple has been court ordered to intentionally introduce security vulnerabilities into iOS so that the FBI can decrypt the cell phone in question.
Are you lost? Here, let me explain this in non-IT nerd-speak. From the beginning:
Every cell phone made within the last 2 years has an option to encrypt the device. Encrypting a device protects the data you hold on the device by sending it through an insanely complicated calculus equation. To the human eye, encrypted data looks like absolute gibberish. When the phone screen is locked or the device is powered off, you have to enter the correct password to translate that gibberish into readable information.
This encryption has drastically reduced the risk to individuals from identity theft. Ten years ago if someone stole your cell phone, they could easily recover passwords, accounts, pictures, and everything else stored on that phone. Because there was no encryption. So cell phone companies implemented encryption capabilities on all their devices.
About 5 years ago, many companies came under fire for the amount of personal data that they received from users. Apple responded in the ethical and moral way. They used encryption in such a manner that Apple itself cannot read the personal information you have on your phone that is synced with their data centers. You know that questionable picture you took for that one dating site that one time? Apple employees have no way to see it.
So what exactly does the FBI want Apple to do?
The FBI is attempting to force Apple to create a special version of iOS that disables specific security features. One of these security features prevents the pass code from being sent to the device electronically. Instead of manually typing the code, the FBI wants to connect the phone to a computer and digitally send the password guesses. Another is the password lockout function. This specific model (iPhone 5c) will wipe all data from the device after 10 failed password attempts. That’s what the FBI wants disabled.
WARNING: Tech Talk Ahead
I've been scratching my head since this morning trying to figure out how exactly this would work. The device is locked, so changes to the operating system would not be possible... Then I remembered the illegal and unconstitutional use of the Stingray system by law enforcement. This device mimics a cell phone tower and allows for dragnet surveillance of US Citizens without a warrant. So if I were working for the FBI, I would set up a Stingray within a Faraday cage and allow the device to connect to the Stingray. From there, I would create a fake Apple server for the device to sync to and push a software update through the Stingray. This would install the update from behind the locked phone screen. However, the fake Apple server would require a legitimate certificate from Apple. So not only does the FBI require an intentionally flawed iPhone operating system, but they require the digital certificate of the Apple servers to execute this attack.
Plain English Summary: By complying with this order, Apple would be giving the FBI every single component required to bypass encryption on any iPhone in the world and decrypt the contents, on demand. With the digital certificate from Apple, the FBI would also be able to make any modification to iOS and send out that software update to any number of phones.
I can imagine the possibilities. Hidden superuser account on the device. Government-controlled kill switch for all phones. Automatic copying of the information on the device to the NSA data center in Utah. Everything that a super-villain desires…
But how does that help them guess the password?
What the FBI wants to do is brute force the password. This is a process in which every possible password combination is sent to the device until it unlocks. The iPhone would be connected to a computer and the computer would send it the password “1111,” then “1112,” and so on. Such an attack on the iPhone pass code would be successful after less than 1 minute. Imagine the Flash sitting there pressing buttons as fast as possible.
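An added example, not from the original post: a toy Python model of the wipe-after-10-failures protection described above, assuming a 4-digit numeric passcode. `PasscodeLock`, `sequential_guess` and `fraction_exposed` are hypothetical names, and nothing here reflects how iOS is actually implemented.

```python
import itertools

DIGITS = "0123456789"

class PasscodeLock:
    """Toy passcode check with an optional wipe-after-N-failures policy."""

    def __init__(self, passcode, max_failures=None):
        self._passcode = passcode
        self.max_failures = max_failures  # None models the limit being disabled
        self.failures = 0
        self.wiped = False

    def try_unlock(self, guess):
        if self.wiped:
            return False  # data is gone; no guess can succeed any more
        if guess == self._passcode:
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.wiped = True
        return False

def sequential_guess(lock, digits=4):
    """Submit every code in order; return (outcome, number of guesses made)."""
    for n, combo in enumerate(itertools.product(DIGITS, repeat=digits), 1):
        if lock.try_unlock("".join(combo)):
            return "unlocked", n
        if lock.wiped:
            return "wiped", n
    return "exhausted", 10 ** digits

def fraction_exposed(max_failures, digits=4):
    """Share of all possible passcodes that guessing recovers before a wipe."""
    hits = 0
    for combo in itertools.product(DIGITS, repeat=digits):
        lock = PasscodeLock("".join(combo), max_failures)
        if sequential_guess(lock, digits)[0] == "unlocked":
            hits += 1
    return hits / 10 ** digits

if __name__ == "__main__":
    secret = "7294"  # constructed sample passcode
    print(sequential_guess(PasscodeLock(secret)))                   # limit disabled
    print(sequential_guess(PasscodeLock(secret, max_failures=10)))  # limit enabled
    print(fraction_exposed(10))
```

With the limit in place, sequential guessing recovers only 10 of the 10,000 possible codes before the data is wiped; with it disabled, every code is eventually found.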
More Tech Talk: None of this request makes any sense to me. The memory module is non-volatile, so the FBI could just desolder the phone memory and attach it to a reader. From there, they could recover a full disk image of the phone. Using that data, they could run the device through an offline brute force password cracker and recover the data.
Plain English Summary: There are other methods that they can use to recover the data. Why is the FBI so insistent on this specific method? Is there something more sinister afoot?
How is the FBI justifying this request?
Well, let me tell you, they had to dig deep for some legal precedent for this order. It’s the same law that they have used in many failed attempts to court order decryption abilities. It’s the All Writs Act of 1789, a law that was passed 110 years before electricity was invented and was last updated in 1911, shortly after the first Ford factory was built.
Why should I care?
Have you been living under a rock for the last 4 years? Did you miss the Edward Snowden leaks? By fulfilling this request, Apple would be giving the US Government the tools to not only read your cell phone metadata, text messages, e-mails, and all digital activity, but to also break into every iPhone on the planet and obtain all information contained within that iPhone. That information would go into a basement at Fort Meade, along with all of your other illegally obtained personal information, to be used however the government decides. Not just for terrorism cases, as Senator Rand Paul educated us last year:
There are rumors that intelligence warrants are being used to get regular criminals. What they do is collect information through data, metadata, analysis, they get all of this, get enough to convince — be convinced you’re a drug dealer and then arrest you using a traditional warrant.
Section 213 this sneak and peek where they go in without announcing, 99.5% of the people arrested are actually people who committed a domestic crime. They’re not terrorists.
For all the grief I give Apple products, Tim Cook is making the moral and ethical decision here. Every CEO of every IT firm in the country should follow his example and do their part to stop government encroachment into our digital lives.