On Tuesday, a U.S. federal court ordered Apple to help the FBI gain access to an iPhone 5c used by an attacker in December’s San Bernardino shooting. In a technical analysis of the court’s demands at Trail of Bits Blog (via Daring Fireball), Dan Guido explains:
In plain English, the FBI wants to ensure that it can make an unlimited number of PIN guesses, that it can make them as fast as the hardware will allow, and that they won’t have to pay an intern to hunch over the phone and type PIN codes one at a time for the next 20 years — they want to guess passcodes from an external device like a laptop or other peripheral. [Source]
Apple, though, has vowed to resist the court order. CEO Tim Cook explained the decision in an open letter on the company’s website:
We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.
[…] The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
[…] The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge. [Source]
The company has attracted strong criticism, with Republican presidential frontrunner Donald Trump asking “who do they think they are?” and Senator Tom Cotton accusing it of choosing “to protect a dead ISIS terrorist’s privacy over the security of the American people.” (See more responses via The Washington Post.) But others have supported Apple. Announcing its intention to submit an amicus brief to that effect, the Electronic Frontier Foundation commented that “even if you trust the U.S. government, once this master key is created, governments around the world will surely demand that Apple undermine the security of their citizens as well.” Spencer Ackerman reports at The Guardian:
Senator Ron Wyden of Oregon, a leading legislator on privacy and tech issues, warned the FBI to step back from the brink or risk setting a precedent for authoritarian countries.
“This move by the FBI could snowball around the world. Why in the world would our government want to give repressive regimes in Russia and China a blueprint for forcing American companies to create a backdoor?” Wyden told the Guardian.
[…] The impact of the mutual distrust between Washington and Beijing can be seen in China’s new cybersecurity and counter-terrorism bill, passed last December. [See background at CDT.] The far-reaching law mandates that internet firms and telecos doing business in China provide law enforcement with decryption keys in terrorism cases. Analysts and foreign firms are waiting to see how far China goes in enforcing the controversial measure, particularly in light of Apple’s standoff with the FBI.
Last March, Obama personally objected to the Chinese law as a draconian measure that would force US firms to “turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services.” Obama said he had personally raised the issue with Xi Jinping, his Chinese counterpart.
[…] Analysts say that the Chinese government does take cues from the United States when it comes to encryption regulations, and that it would most likely demand that multinational companies provide accommodations similar to those in the United States.
Last year, Beijing backed off several proposals that would have mandated that foreign firms provide encryption keys for devices sold in China after heavy pressure from foreign trade groups. Nonetheless, a Chinese antiterrorism law passed in December required foreign firms to hand over technical information and to aid with decryption when the police demand it in terrorism-related cases.
While it is still not clear how the law might be carried out, it is possible a push from American law enforcement agencies to unlock iPhones would embolden Beijing to demand the same. China would also most likely push to acquire any technology that would allow it to unlock iPhones. Just after Apple introduced tougher encryption standards in 2014, Apple users in China were targeted by an attack that sought to obtain login information from iCloud users. [Source]
[Updated at 21:26 PST on Feb 18, 2016: The passage on China has now been removed from the New York Times article.]
The American Civil Liberties Union also protested that the ruling sets “a dangerous precedent. If the FBI can force Apple to hack into its customers’ devices, then so too can every repressive regime in the rest of the world. Apple deserves praise for standing up for its right to offer secure devices to all of its customers.”
Nicholas Weaver, a Berkeley-based computer security researcher involved in the unveiling of China’s “Great Cannon” cyberweapon last year, warned that the case “is not a tip-toe down a slippery slope but a direct leap into a dangerous world, one which would compromise all our security.” While he found the request to Apple itself unobjectionable, he argued at Lawfare that the precedent would be “catastrophic,” both domestically and internationally.
[… T]he problems don’t end with the economic impact on US businesses. Every other foreign law enforcement and intelligence agency would demand the same access, pointing to the same precedent. At least for other countries, Silicon Valley may succeed in restricting these updates to only targets in the country giving the order. This still means that US travelers overseas would face greatly increased risk: a US based Lawfare reader could not install an OS update if touring France or Israel, as the DGSE or Unit 8200 could invoke the same authorities and precedents to attack what they would term a “lawful foreign intelligence target” under French or Israeli domestic law.
The situation grows worse when one considers the “Athens Affair” problem with law enforcement “exceptional access” mechanisms. What happens to US government systems if an adversary manages to surreptitiously gain access to Microsoft’s [hypothetical] “All Writs Lawful Update” mechanism in the same way that unknown attackers accessed Vodafone Greece’s CALEA interface or the Chinese hacked Google for surveillance? [Source]