F-Secure researcher and security advisor Sean Sullivan explains to Ben Grubb (@bengrubb) of JOY 94.9, a Melbourne Australia radio station, why Apple is resisting pressure to break the security of its iPhone for the FBI.
Apple has point blank refused to bypass its own security mechanisms with new software which the FBI can use to unlock and read information on the iPhone of one of the San Bernardino gunmen.
A court order issued by a California magistrate yesterday effectively asks Apple to create a new custom iOS version to install on the device – an iPhone 5C running iOS9 – which will allow the FBI to brute force the passcode.
The order noted that Apple’s “reasonable technical assistance” should accomplish three important functions:
“It will bypass or disable the auto-erase function whether or not it has been enabled; it will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, Bluetooth, Wi-Fi or other protocol available on the subject device; and it will ensure that when the FBI submits passcodes to the subject device, software running on the device will not purposefully introduce any additional delay between the passcode attempts beyond what is incurred by Apple hardware.”
The auto-erase function wipes all data after 10 incorrect passcode guesses, while the milliseconds-delay feature was introduced by Apple to neuter brute force attacks by making them take years to carry out.
Tim Cook took the opportunity to do so in a long letter decrying the government’s attempts to undermine the security of Apple devices, although he notably didn’t reveal whether it was technically possible to do so or not.
While claiming no sympathy for the terrorists and pointing out that Apple has assisted the investigators to do “everything that is both within our power and within the law to help them,” he would not sanction the creation of software with the potential to unlock anyone’s iPhone.
“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control …
For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data. Criminals and bad actors will still encrypt, using tools that are readily available to them.”