February 17, 2016

What the FBI Really Wants from Apple -- and Why Apple Has Said No

By now you may have heard that Apple is fighting a new court order that demands they provide a means for the FBI to continue attacking the encryption of an iPhone used by one of the attackers in the recent and horrendous San Bernardino mass shootings.

The FBI is taking a very interesting approach in this demand. Rather than order Apple to defeat the phone's encryption per se, they want Apple to disable the mechanisms in the phone's security system that are designed to erase the phone's data after multiple incorrect password entry attempts.

Apple's CEO Tim Cook has responded, accurately calling such an order unprecedented and the desired changes "too dangerous to create."

But what's the FBI really after? Let's think about this a bit.

Because I suspect that the FBI is actually setting a form of "trap" for Apple, Google, and other firms who are deploying strong, non-backdoored encryption in their products.

We can stipulate that in this case it's reasonable to assume that the FBI has essentially laudable motives, and that they think (or more likely simply hope) that the phone contains something useful other than old grocery lists and porn.

Contact lists would also be of interest to the Bureau, but by now any entries on such lists that had actually been recently used for calls or text messages would have almost certainly already been acquired via mobile carrier records.

What's so intriguing about this situation is that the FBI appears to be asking for Apple to provide a way for the Bureau to conduct a long-term "brute force" password attack on the phone. That is, trying vast numbers of passwords until they (if ever) happen to hit the correct one (given the time delay built into the system between password attempts, that could be quite a lengthy undertaking -- hell, even if the delay were disabled the possible passwords are still vast in number).

Does the FBI really believe that they can hit the correct password that way, given the opportunity to keep plugging away hour after hour, day after day, month after month?

Perhaps. More likely, they would initially try a circumscribed set of attempts that they hope will include the actual password, based on the typically crummy password selection methods that most users still employ, and that black hat hackers exploit every day, often with minimal effort.

But there's another possibility that seems even more dangerous.

The FBI may be trying to push Apple into demonstrating if the iPhone encryption ecosystem can be altered and modified without destroying the stored data, in this case to permit exhaustive password searches.

If any such change were shown to be practical on the iPhone, it would provide the basis for further government demands to more directly order Apple to participate intimately in efforts to decrypt the actual data itself.

In other words, what we're seeing play out right now may be the federal government's first real attempt to get "the camel's nose under the tent" of strong phone encryption systems, to try demonstrate any feasibility of full-blown backdoor attacks against these systems.

It's a damned clever approach. And it's clear that Tim Cook fully understands the associated potential for unraveling the entire foundation of strong encryption.

This makes it even clearer than ever why such attacks on these encryption systems are so dangerous to ordinary, law abiding citizens who increasingly depend upon them for so many aspects of their daily lives.

For if the government can gain access to these systems in such manners, it is axiomatic and unquestionable that evildoers of all stripes will find ways to do so as well, in a black hat hacking dream come true.

Health data. Financial data. Personal photos. Personal communications. And so much more.

Crack into these crypto systems -- even with the best of motives and promises galore of tight controls -- and they are forever suspect, effectively ruined, worse than useless since they can no longer be trusted by you, me, or our loved ones.

This is what's actually at stake in this case.

And that's why I support Apple's strong stance in this matter -- and why I hope you will as well.

I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at February 17, 2016 08:58 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein