On Apple, Encryption, and Privacy: A Word About Decryption
In February 2016, Apple announced that it would fight the FBI’s court order to break the encryption of the iPhone of one of the San Bernardino attackers. We wrote a blog post on that decision; this is a follow-up to that original piece.
The FBI has revealed that it successfully gained access to the data stored on the infamous iPhone. This was accomplished without (so the story goes) Apple’s help. Assuming this is the case, and that a purely technical third party means was used to break the PIN, we're left with a few questions.
How Was the iPhone Unlocked?
The technical details of exactly how the phone was unlocked remain a secret. Speculation, though, is rife. Was it some kind of firmware or software attack, perhaps? A boot ROM exploit? Bluetooth exploit? An IOKit exploit? Or maybe a hardware attack? Firmware or software seem the most likely vectors, but realistically it’s probably a bit of both. If it was hardware, kudos to the forensic team.
However it was accomplished, the unlock-an-iPhone-5C trick is almost certainly a repeatable process, although the cost effectiveness could vary depending on the technical details. Which devices are susceptible to the mysterious technique? We'll have to wait and see. From a risk management perspective, it's reasonable to assume that at least the iPhone 5C or maybe even anything with an A6 chip is affected. Physical access is almost certainly required.
Whatever the technique, strong passphrases stand a far better chance of remaining secure compared to 4-digit numeric passcodes. Newer devices such as the iPhone 6 that have a Secure Enclave are less likely to be affected by the technique.
Regardless, the Secure Enclave is not perfect. It's simply software on a chip. Software has bugs, and hackers are pretty good at finding bugs. It wouldn’t be surprising if someone already has 0day for the Secure Enclave.
Implications for the Future
The notion that a company can be compelled by court order to alter an operating system to facilitate government and/or law enforcement backdoors remains untested in a court of law. Because of this, we almost certainly haven't heard the last of court orders of this nature.
As encryption becomes more mainstream and pervasive, law enforcement will continue to petition for increased access to encryption circumvention technology. The FBI vs. Apple case is the tip of the iceberg and more of this type of legal action is almost inevitable.
All of which raises interesting questions, like: Will the public know of such legal actions, or will backdoors be pursued under some kind of gag order or National Security Letter?
What You Can Do
Take reasonable precautions to keep your information secure – use a strong passphrase, keep your phone's software and hardware up to date, and be mindful of the data you store on your electronic devices.
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.