Tuesday, February 23, 2016

When World(view)s Collide

Several have asked my opinion on the matter of the FBI vs. Apple, in which a court has ordered Apple, Inc. to assist the FBI in obtaining access to a locked iPhone belonging to the San Bernardino shooter. This is not a black & white matter: it is highly complex and pits public safety against both the privacy (and potentially safety) of individuals and the rights of stockholders. It is a matter about which all citizens should be concerned. It has quite a few implications that raise serious questions, and those questions should be debated openly rather than settled by litigation and/or legislation crafted by people who do not understand the technical implications.

Full disclosure: I am a cyber security professional and have worked in the field since the mid 1990s. Our focus is to protect, not to break. My first assignment in the field was rewriting portions of an operating system to make it more secure -- to prevent breakage. Prior to that, I developed software for IBM. I now support the Department of Homeland Security’s cyber security research and development (R&D) division. My DHS customer has a program focused on producing forensic analysis tools to assist law enforcement in the recovery and analysis of compute devices involved in criminal investigations. This includes iPhones and Android-based smart phones. My customer also has a program focused on protecting citizen privacy, along with numerous programs focused on preventing breakages. Given that bad guys also use compute devices to aid their criminal activities, I firmly believe we need all of the above. I do not believe that any one is more or less important than the others: we shouldn’t tie the hands of law enforcement, but at the same time, we shouldn’t compromise privacy and safety.

While many of my colleagues are pondering the Apple case, there is no consensus opinion on the matter. I have personally waited to weigh in as I wanted to let more of the facts present themselves prior to coming to any firm conclusion. There are many opinions flying around on the Internet, but these opinions are not facts; they are often formed from only a small fraction of the facts and are emotionally driven. There are also a lot of conspiracy theories out there regarding the FBI’s intent.

Here’s some background so that you can understand exactly what is going on here and the purpose behind the FBI request. The new Apple iOS (the device operating system) is designed to defeat password-guessing attacks. The device data is encrypted using the user’s password/PIN code. When a user unlocks his device, the data is decrypted and he can use it. However, if the password/PIN code on these devices is entered incorrectly 5-6 times, the device locks up completely, and there is no way to recover the device data at that point. This is by design, to protect users when their devices are lost or stolen. Prior to this design, thieves could simply keep guessing 4-digit PIN codes until they unlocked the device and then gained access to all of a person’s accounts (social media, email, and potentially very sensitive things such as banking accounts). I ran into this myself with my iPad, where I accidentally entered an old password too many times. Had I backed up my device to the Apple iCloud, I wouldn’t have had to reinstall from scratch -- I could have simply wiped the device and had it restore from my iCloud account. I do not, however, trust my data in the cloud (for good reason), so that meant I had to reinstall (I have since discovered that I can back up directly to my local iTunes, which I can store on an encrypted drive). While I was really annoyed at having to reinstall, this move by Apple is definitely in the best interest of their customers. Unfortunately, there’s a downside to this security design: it not only locks out criminals, it also locks out law enforcement. Enter the FBI.

For those who care to read, here is the actual court order. The court order doesn’t just insist that Apple aid the FBI in accessing the data (which it was already doing): it prescribes a specific technical solution to the problem. In summary, the technical direction imposed on Apple by the court is that Apple is to provide a solution that the FBI can load on the phone under or around the iOS operating system that will enable the FBI to run a brute force password/PIN attack on the phone without causing it to brick (permanently stop working). The key language is this: "The [software image file] will load and run from Random Access Memory ("RAM") and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory."
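To make the design described above concrete, here is a small added model (written for this page; it is not Apple's code or the post's own) of a device that encrypts data under a PIN-derived key and counts wrong guesses. The salt, the key-derivation parameters, the toy keystream cipher and the wipe threshold of six are all assumptions chosen for illustration. Running the same exhaustive guess against a copy with the counter disabled shows what the court order is really about: a four-digit PIN space is only 10,000 values, so the wrong-guess counter is the whole defence, and removing it is what turns a lost phone into an open one.

```python
"""Toy model of a passcode-locked device with a wrong-guess limit.

Constructed illustration only: it is not Apple's implementation and uses
deliberately small parameters so it runs in well under a second.
"""
import hashlib
import hmac
import os

PIN_SPACE = 10_000        # all four-digit PINs
KDF_ITERATIONS = 100      # lowered for the demo; real systems use far more
DEFAULT_MAX_ATTEMPTS = 6  # the post describes a lockout after 5-6 failures


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a toy keystream (counter-mode hashing; not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class ToyDevice:
    """Holds data encrypted under a PIN-derived key and counts wrong guesses."""

    def __init__(self, pin: str, data: bytes, max_attempts=DEFAULT_MAX_ATTEMPTS):
        # Per-device random salt stands in for a hardware-bound secret (assumption).
        self.salt = os.urandom(16)
        self.max_attempts = max_attempts   # None models a device with no limit
        self.failures = 0
        self.wiped = False
        key = self._derive(pin)
        # Key-check value lets unlock() tell right from wrong without decrypting.
        self.check = hmac.new(key, b"pin-check", hashlib.sha256).digest()
        self.blob = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, KDF_ITERATIONS)

    def unlock(self, pin: str):
        """Return the plaintext on a correct PIN, None otherwise; wipe on too many failures."""
        if self.wiped:
            return None
        key = self._derive(pin)
        candidate = hmac.new(key, b"pin-check", hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.check):
            self.failures += 1
            if self.max_attempts is not None and self.failures >= self.max_attempts:
                self.blob = None   # the data is unrecoverable from here on
                self.wiped = True
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(self.blob, _keystream(key, len(self.blob))))


def guess_in_order(device: ToyDevice) -> dict:
    """Try every PIN from 0000 upward and report how the device fared.

    This is the defender's measurement: how many guesses the counter permits
    versus how many an unlimited device would have to absorb.
    """
    attempts = 0
    for n in range(PIN_SPACE):
        attempts += 1
        data = device.unlock(f"{n:04d}")
        if data is not None:
            return {"attempts": attempts, "recovered": data, "wiped": False}
        if device.wiped:
            return {"attempts": attempts, "recovered": None, "wiped": True}
    return {"attempts": attempts, "recovered": None, "wiped": device.wiped}


if __name__ == "__main__":
    secret = b"contacts, mail, banking tokens"  # constructed sample data
    print(guess_in_order(ToyDevice("0042", secret)))                     # wipes after 6
    print(guess_in_order(ToyDevice("0042", secret, max_attempts=None)))  # found at 43
```

The point the two runs make is the asymmetry the post is describing: with the counter in place the device wipes after a handful of tries and the data is gone for thief and investigator alike; with the counter removed, the full PIN space is exhausted in seconds even with a slow key derivation, which is why any mechanism that disables the counter is as useful to a thief as to a court.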

Some key points and questions to consider:

1) What Apple is being asked to do is dangerously close to a nation-state level attack: this is something that a Chinese or Russian cyber soldier might do. It is disconcerting that the FBI is asking Apple to do this for numerous reasons, not the least of which is the implication that our government does not possess such a capability. Our enemies most likely do.

2) Who should bear the responsibility (and cost) for law enforcement’s capabilities, or lack thereof? Should companies be required to undermine their own technology? For example, suppose a lock company engineers a new door lock that cannot be picked. Should that lock company be required to create a means whereby law enforcement can subvert the lock and gain access to a physical building?

3) The FBI argues that since technology changes rapidly, what they are asking for will have limited life value. They claim that it is nearly a one-time-use capability. It is true that Apple will continue to develop new technology, and they may well be able to engineer a new phone that is not susceptible to the malicious firmware they are being forced to create. However, given that cellular providers have moved away from renew-every-two plans that subsidize phone costs and that the public is now seeing the full cost of these devices, it is more likely that end users will hold onto devices longer than two years. Until Apple produces a new, non-vulnerable phone and customers upgrade, people will continue to be vulnerable to password cracking attacks on these phones. Are we willing to put a large class of people at risk of attack in order to potentially gain information that will save other lives? Whose lives and property are more valuable?

4) Developing technology costs money, and someone has to pay for it. Apple invested a significant amount of money and time into designing a new, secure phone to protect its customer base. What they are being asked to do will devalue that investment, which affects both Apple and its shareholders. What incentive will companies have to make such investments in the future, if courts will simply compel them to undermine the technology resulting from such investments? This precedent could have far reaching implications for secure solutions in the long term.

5) By forcing Apple to undermine the security of this phone, every customer who bought one will have to upgrade if they want a new phone that isn’t susceptible to the attack. Upgrading is not free. That means that every Apple customer who bought the same model will suffer a financial loss, simply because one person committed a crime using it. And there is no guarantee that a newly engineered phone won’t subsequently be used in a crime and Apple again be required by court order to subvert the security of the new phone. Is this something we are willing to accept?

6) Sometimes when people need something, they ask for a specific means to get what they need rather than just what they need. Is the specific means requested by the FBI in the court order the ONLY way to gain access to the data? If not, what are the alternate means and which of those pose the least long term risk to iPhone users and to Apple’s shareholders? In other words, is there a different way of getting the FBI what they need without jeopardizing the safety and security of a large segment of the population?

All that said, public safety is of vital importance, and the FBI is tasked with providing just that. There may well be critical information on the subject phone that could save countless lives. Or there may not be. We won’t know until law enforcement gains access to the phone’s data. So the question we need to ask ourselves is whether gaining the information is worth the cost of all the potential impacts, and, if we do not proceed with forcing Apple to do what is asked and a lot of people die as a result, whether we are willing to accept that.

As a society, we need to decide when it is acceptable to compromise the privacy (and potentially safety) of individuals in the name of public safety. We need open debate on this topic. On the surface, this may seem like a no-brainer: we should always err on the side of public safety. But it’s not that simple in cases where the solution may in fact put the public at greater safety risk than the risk one is trying to address in the first place. And herein lies the core of the problem in the current situation.

-- a.k.a. geek girl
