homepage_name! > Editions > Number 083 > Business Thought - Apple

"The government is asking Apple to hack our own users." Tim Cook, Apple CEO

Apple of Discord

"The government is asking Apple to hack our own users and undermine decades of security advancement that has protected our customers. We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning of weakening encryption. Doing so would only hurt the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data." Tim Cook, Apple CEO

Apple vs. the FBI

The fight between Apple and the FBI has been framed as an epic battle between big tech and big government. According to the Obama Administration, Apple is siding with “its business model and public brand marketing strategy” ahead of public safety. Apple CEO Tim Cook responds that his company is “a staunch advocate for our customers’ privacy and personal safety.”

On February 16, 2016 a federal judge ordered Apple to assist law enforcement by breaking into the iPhone owned by one of the San Bernardino shooters. According to court papers, Apple has declined to voluntarily provide technical help in accessing the iPhone 5c owned by Syed Farook, who killed 14 people at a health clinic in San Bernardino, California, on December 2nd 2015 alongside his wife. That assistance doesn't involve stripping the device of its encryption or handing over the passcode, but does include helping discover the iPhone's passcode through what are called "brute force" methods of decryption. The FBI are looking for relevant data on who the attackers were communicating with and who may have also helped plan the shooting.

The judge ruled Apple had to provide technical help, which includes removing the limit on the number of passwords one can enter on the iPhone and bypassing the device's auto-erase function. The order also says the company could be asked to write custom software if it does not have the current ability to bypass those features.

It was unclear at the time, what was actually expected from Apple. Since the introduction of iOS 8, Apple has stopped storing encryption keys that potentially allow third-parties to unlock users' data, essentially tying its own hands so it cannot comply with orders like that in the San Bernardino case. 90 percent of devices running iOS 8 or higher cannot be forcibly unlocked. Even if Apple removes the password limit and auto-erase function, it would still take standard decryption software more than five years to crack the six-digit passcode. The only way for the FBI to crack the code on Farook's iPhone, which runs iOS 9, is with a supercomputer and the iPhone's hardware key, and Apple stated it does not keep a copy of the key.

Apple has formally opposed the judge’s order. In an open letter published on Apple.com, Tim Cook said the FBI was essentially asking the company to create a backdoor for iPhone's built-in encryption, something it has refused to do for many years. Cook said that complying with the order would have "implications far beyond the legal case at hand," undermining users' privacy and giving the US government "the equivalent of a master key, capable of opening hundreds of millions of locks."

Cook’s letter also provided answers to what kind of assistance would be expected from Apple. Cook wrote that the FBI has asked it to modify the operating system so that passcodes can be input electronically. This would make it easier for an iPhone to be unlocked using a "brute force" attack — using a powerful computer to input hundreds of thousands of combinations in quick succession. Cook said that although the FBI and the government have taken care to avoid describing this method of access as a backdoor, this is what the order amounts to. Apple has stated many times in the past that the creation of any sort of backdoor would set a dangerous precedent. Such software might fall into the hands of hackers, and lead to similar demands for access from other nations.

In simple terms, the FBI is asking Apple to build a new version of iOS with more easily breakable passcode protection, and push that weakened OS directly to the suspect’s phone. That "crackable" version of iOS does not currently exist but it seems likely that it could be built according to the FBI’s specifications. Crucially, that new OS will need to be signed by Apple, which is why the Department of Justice needs the company’s cooperation in all of this. But since the 5c lacks the hardware protection found in more expensive iPhones, that’s all the FBI will need.

That scheme relies on one of Apple’s biggest security features: its ability to push software directly to a user’s device. In this case, the FBI is asking for a local firmware update rather than an over-the-air patch, but the same trusted signature is behind both systems, and it’s traditionally been a crucial force for stronger security on the iPhone. While Android phones wait months or even years for a patch, Apple is able to fix iPhone bugs as soon as it finds them. The company’s ability to get software onto your device is unchallenged. At the same time, it makes a scenario like this very difficult to protect against. As long as Apple has the power to sign and push a new version of iOS — and with it, a new version of all the features built into iOS — there’s the possibility of using that power to create a backdoor.

In his open letter, Cook noted that the FBI's legal basis for their demand comes from a federal statue from 1789 known as the All Writs Act. Cook said that if the government uses this act to make iPhones easier to unlock, it could just as easily demand that Apple builds "surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge."

One key to rule them all

Obama Press Secretary, Josh Earnest stated: “I think it is important to note here… exactly what the Department of Justice is requesting. They are not asking Apple to redesign its product or to create a new backdoor to one of their products. They’re simply asking for something that would have an impact on this one device.” And FBI Director James Comey said: “The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We don't want to break anyone's encryption or set a master key loose on the land."

On February 25th, Apple filed a motion to vacate the district court order demanding it break security protection on a phone linked to the San Bernardino attacks. The filing lays out Apple's extensive legal objections to the FBI order. "This is not a case about one isolated iPhone," the motion reads. "Rather, this case is about the Department of Justice and the FBI seeking dangerous power through the courts that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe."

It would turn out that in addition to the mentioned iPhone 5c, the US government is pursuing court orders to force Apple to help bypass the security passcodes of "about a dozen" other iPhones. The other cases don't involve terrorist charges. Apple has already helped in about 70 cases since 2008.

The FBI has argued that it only wants Apple to allow it to "guess" the passcode for the San Bernardino iPhone, but that innocuous-sounding process involves Apple performing a rewrite of the phone's iOS software, allowing the Bureau to use brute-force techniques to crack the passcode that might otherwise take years. The agency says it only wants this process performed on this one specific iPhone, but privacy advocates can see additional cases as the US government is already attempting to overreach this mandate.

Security experts are not happy about the FBI's proposal to break security on an iPhone linked to the San Bernardino attack. Seven of those experts submitted their arguments in a brief to the court considering the order, arguing the proposed software would weaken lockscreen protections for iPhone users around the world, with potentially dire consequences. The seven authors include iOS specialist Jonathan Zdziarski, famous cryptographer Bruce Schneier, and Charlie Miller, best known for revealing vulnerabilities in Chrysler automotive systems.

The brief's authors emphasize the danger the proposed "GovtOS" (OS that Apple would create to unlock iPhones following governments specifications) would pose if it fell into the wrong hands. If [GovtOS escapes Apple's control], the custom code could be used by criminals and governments to extract sensitive personal and business data from seized, lost, or stolen iPhones, or it could be reverse engineered, giving attackers a stepping stone on the path towards their goal of defeating Apple’s passcode security. As a result, the authors conclude that "in commanding Apple to create forensic software that would bypass iPhone security features, the Order endangers public safety."

What lies ahead is a long battle in and out of courtrooms. On March 1st, 2016 both Apple and the FBI made their cases before Congress.

If Apple does lose the fight, the consequences will reach far beyond the iPhone and far beyond the United States. Apple’s security setup is already the gold standard for most companies, not just for mobile technology but for all technology. By now, both Windows 10 and Chrome push down updates and patches every bit as aggressively as Apple. Android is moving toward iOS-style monthly patches as fast as the carriers will let it. The cypherpunks lost the battle over centralized software control. Apple won. But in doing so, it may have opened the door to something much worse. The same order served to Apple can now just as easily be served to Google or Microsoft. It could be served by another government — by China, Russia, or Pakistan. Apple’s loss would cascade down through the industry. Anyone who follows in their footsteps would be vulnerable.

If Apple can be compelled to turn against its users, it’s hard to imagine any level of protection that will hold up.

Apple’s defiance is being backed by Facebook, Google, Microsoft, Amazon, Twitter and Yahoo — companies who suffered disastrous blows to their reputations, and billions of dollars in lost business, after NSA whistleblower Edward Snowden revealed that they had spent years voluntarily turning over their customers’ data to the spy agency in its drive to “hoover up” every email, phone call, text message and video communication on the planet.

“The problem is, the FBI has other means… They told the courts they don’t, but they do.” NSA whistleblower Edward Snowden

"Nobody’s talking about a backdoor, so that’s not the right question. This is a specific case where the government is asking for access to information. They’re not asking for some general thing, they’re asking for a particular case… It is no different than [the question of] should anybody have ever been able to tell the phone company to get information, should anybody be able to get at bank records." Microsoft founder Bill Gates

"I don't think that requiring back doors to encryption is either going to be an effective thing to increase security or is really the right thing to do…We are pretty sympathetic to Tim [Cook] and Apple." Mark Zuckerberg

"In this specific case, I'm leaning toward the government, but I've got to tell you in general I oppose the government's effort… [FBI Director Jim Comey] would like a back door available to American law enforcement in all devices globally. And, frankly, I think on balance that actually harms American safety and security, even though it might make Jim's job a bit easier in some specific circumstances." Former NSA Director Michael Hayden

“We build secure products to keep your information safe and we give law enforcement access to data based on valid legal orders. But that’s totally different to requiring companies to enable the hacking of customer devices and data. Could set a troubling precedent.” Google CEO Sundar Pichai

"We must not allow this dangerous precedent to be set. Today our freedom and our liberty is at stake." WhatsApp CEO Jan Koum