The Apple Hack: A Problem Specifically Engineered To Protect Us
By Chris Peel, Vice President of Engineering, Echoworx
The news of the recent court order prompting Apple to assist the FBI in cracking the password on an iPhone that was used by a shooting suspect in the recent murders in San Bernardino, Calif., has been widespread. The Big Brother debate aside, there are some pretty compelling reasons for Apple, and companies like it, to just say no. The heart of the problem is this: The issue is not about this phone in this situation. What happens next could affect every phone (and every device) in every situation.
Companies like Apple take security seriously. They’ve had to, for many reasons. The new reality is that mobile devices such as phones, laptops and tablets are not just personal anymore. They’re our address book, our calendar, our diary, our email tool, all rolled into one. At the same time, they have also become business devices.
With the rise in bring your own device (BYOD) policies and Mobile Device Management (MDM) solutions, companies are in essence saying “it’s OK to use your own device to transmit, open and work on sometimes sensitive company documents—as long as they are secure” as mandated by legislation such as HIIPA and Sarbanes-Oxley. Companies do this because they trust the inherent security features in your device and, thanks to changes Apple made to their software after the Snowden incident, the data on their devices is only accessible to someone who has the device passcode. Apple specifically designed their security so not even they could decrypt it.
The FBI wants Apple to create a custom iOS that would in essence eliminate or override these safeguards.
On one level, it may seem reasonable, even justified, for the government to make this legal intercept request as it’s for public safety. The problem is the slippery slope it creates This case may be clear cut, but what about the next time, and the next? What if this custom code gets in the wrong hands? The even greater issue here is the fact that, once created, this passcode workaround can be compelled time and time again.
This request also creates a powerful precedent on a government’s right to encroach on their citizens’ privacy and companies’ right to create secure software. It is not difficult to foresee a time in the near future where authorities could compel technology companies like Apple to deploy software over-the-air (OTA) that would share the location, audio and video of their customers’ devices. Legislation is already rearing its head in the United States and U.K. on data privacy, and it’s causing some businesses to consider things like jurisdictional advantage as part of their core business strategies. More legislation isn’t necessarily the answer as society as a whole wants information to be more secure.
The implications are far reaching. Having a backdoor built or leaving the ‘key under the mat’ undermines businesses and the security of transactions, whether they be business related or personal. It impacts just about every type of business in every Western economy. And it also means that governments are clearly failing to see the importance of personal security, and that has significant impact for both business and society.
So, what does this case mean for the future of data and data security? If Apple or any other organization is forced to provide a backdoor then companies will be forced to re-engineer future versions of their product, making them less secure. Apple has already moved in the other direction with the introduction of Secure Enclave in A7 devices. Secure Enclave isolates security safeguards from the iOS thus making it even harder to access encrypted data or deploy brute force access attacks, yet still not impossible. Nothing being discussed in this case would have protected the journalist that talked about his own feelings of violation when his email was hacked while using free Wi-Fi on an airplane this past week.
The industry is closely watching this case because of the precedent it sets on several fronts. The general feeling is, if this can happen to Apple, it can happen to any company. It’s a fine line between protecting people’s physical security while compromising their personal security, and the ramifications of this particular case will be felt for years to come, regardless of outcome. Apple is doing this for all of us – taking a stand that our private data should remain so.