Arthur Musgrove Home

Apple versus Criminals AND Law Enforcement

Synopsis: Apple is addressing an iPhone vulnerability used by Law Enforcement to unlock and decrypt iPhones, and the producer of the device that relies on that vulnerability claims they have already found a workaround.

Updated: 14/June/2018

Situation Overview

Our smartphones and tablets are indispensable tools used by some people to communicate with friends and families, as well as by criminals and terrorists to communicate with cohorts to plan, coordinate and memorialise crimes and attacks. To ensure our own personal safety and privacy, makers such as Apple and Samsung go to great lengths to secure these devices, including encryption levels that can only be described as 'military grade'.

The Catch-22 is that the same security measures that protect us as consumers also protect criminals, and anything that helps Law Enforcement bypass those measures could equally be used by criminals to bypass them, putting us at risk. In short, if Law Enforcement is able to access a phone to read criminals' communications, then criminals can use the same method to access your phone, giving them access to your communications, bank accounts, your child's school schedule, and anything else you have.

This article is about encryption on the device, but there is an equally difficult debate about encrypted messaging applications such as WhatsApp, Signal and Telegram. These applications use full end-to-end encryption making covert interceptions by law enforcement and intelligence agencies all but impossible. I'll discuss that at some point in the future.

2016 San Bernardino Shooting

The debate has largely been defined as one of privacy versus public safety, and Apple has placed itself squarely and unapologetically on the side of privacy. Apple's decision and its implications became very public in 2016 after the San Bernardino shooting in which 14 people lost their lives. The attacker had an iPhone. On this iPhone could have been communications with co-conspirators, maybe even information that could be used to prevent future planned or in-progress attacks. The FBI demanded Apple's assistance in unlocking that iPhone. Apple refused. The FBI sued Apple. (You can read more about this in this New York Times article.)

It is important to consider some of the larger events which were happening in parallel with this related to encryption. Governments in both North America and Europe were having serious debates on regulations forcing tech companies to have a back-door to decrypt customer data. As the situation stands now, many tech companies do not have an ability to decrypt customer data. There is no back-door or master-key, and public safety advocates want there to be, presumably optimistically believing the bad guys won't covertly get their hands on the master keys. This effort had such traction

The idea of having master decryption keys is not new. It has a long history and resurfaces from time to time. A notable example of this idea was the Clipper Chip. This chip was encryption/decryption technology developed by the US NSA during the Clinton Administration that provided a way for government to always be able to decrypt. Technically this was not a 'master key' system because Clipper was based on the NSA storing in escrow all issued keys, but the idea was the same: for the government to have a reliable way to always access encrypted data. Clipper was announced in 1993 and was defunct by 1996.

So the FBI had in their possession an encrypted iPhone from a terrorist and was attempting to force Apple to cooperate in accessing the device. Other than their novel interpretation of the All Writs Act of 1798, that all seems normal enough, but what happened next is what is remarkable.

Enter the White Hat

The turn of events was that while this important case of the balance of public safety versus privacy was being litigated in both the courts of law and public opinion, it all suddenly became a moot point and the FBI abandoned the case. The FBI used a device from a little-known and secretive company called Grayshift. The device, called the GrayKey, can access a locked iPhone and download and decrypt all data from it. The device reportedly costs either $15,000 for a geofenced model or $30,000 for a portable model that uses an access key. They are tight-lipped about how it works, but observation suggests that it installs some software into iOS over the USB/Lightning port that partially jailbreaks it and then uses brute force to determine the passcode. The reason I'm confident that it is brute force is that the amount of time to crack the code is variable and changes dramatically based on the length of the code used.

The software is installed over the USB port into the iOS device. According to Reuters, Apple will shortly take a step to mitigate this attack method by locking the USB port as a data interface after the phone has been locked for an hour. The ink was barely dry on that report from Reuters when Grayshift said they already had a workaround for Apple's attack mitigation (Motherboard article). Grayshift has not said, and will obviously never say, how they worked around the new feature, and no one has verified that they truly have, but they've shown themselves to be technically skilled so it's perfectly conceivable.

The Necessary Debate

This security arms race is fun to watch. It is easy for us to see this purely through the lens of technology, but that is a mistake. This is about public policy. We have not as a society settled on any real answer to the proper balance between public safety and personal security and privacy. This is not a new debate; it has been around for hundreds of years. The difference is modern encryption. For the first time we all have access to technology that the government simply cannot defeat, or at least cannot defeat practically in any routine way. And these things that protect consumers also protect bad actors, and any capability that can be provided to law enforcement to use against the bad actors can be used by those bad actors against consumers as well as, yes, law enforcement and intelligence.

The debate continues.