Two Cyber Security Secrets about the FBI v Apple Case
Speaking as a cyber security professional, there are two “secrets” about the FBI v Apple case that seem obvious but don’t appear to have much visibility in the news. (1) If you want to break into an encrypted device you hire people who do that for a living not the manufacturer, and (2) if a back-door is built into any system it will be used by those who don’t care about obeying the law.
There are many specialties in cyber security. Picking three for illustration, there are companies that unshred documents – see our upcoming post on how to use a shredder properly. There are companies that specialize in breaking into online sites. And there are companies that break into mobile devices. If you need documents rescued from the shredding bin you call a deshredding company, not the shredder manufacturer. If you want to see how vulnerable your web site is to attacks then you hire a company that does that all day every day, never hire the company that built the web site – especially if you built it yourself! And if you need to break into a mobile device, in this case an iPhone, then you hire a company that breaks into these devices all the time. You do not go to the manufacturer. (Of course, if your goals is swaying public opinion instead of breaking into the phone then perhaps you make a federal case of it.) SECRET #1: If you need to break into something you hire a specialist who does that for a living.
Knowing that a back-door exists completely changes how you try to break into something. As long as a secured container is thought to be secured, the attacks against it are typically frontal assault / brute force attacks or coercion / candy-for-your-password attacks. The moment that a back door is known to exist the known “attack surface” changes, as do the methods of attack expected to succeed. If a back door were to be built into a class of mobile devices (e.g. all iphones) then that back door would become the area of focus for getting into the phones. Instead of breaking into a single phone, one successful exploit gets an attacker into all phones (of a certain version etc.) The idea that the special back door will only be used when appropriate (e.g. with a warrant) is just silly. Once the back door has been built, the security of the system is broken, and government funded (possibly not the U.S. government) and criminally funded attackers will get the key. Yes. I said “will get” not “might get”. If it exists they will obtain it, and they don’t care about warrants or other legal issues. What started as a Law Enforcement Only back door will then be use to steal private information for use by other governments and criminals around the world. How would a foreign intelligence agency use “private” text messages and emails against a government employee having money trouble or family issues? How useful would it be for a burglar to know the precise location of every member of your family at all times? Breaking the security of the iphone – or of any ecosystem – is a serious loss for all good people. The notion that law enforcement or apple can keep the secret key a secret is immaterial. The very existence of a back door makes it a very valuable targe. SECRET #2: Once a back-door key exists the back-door becomes the attack point, and attackers will get in, no warrant required.
The very notion of asking a manufacturer to break into their own device indicates that the goal is not the data on that one device, and if the manufacturer provides that access then it opens up all devices to those who (unlike law enforcement) don’t care about the rule of law, freedom, or personal privacy.