ITsecurity
twitter facebook rss

Apple stands to defend customer’s Privacy

Posted by on February 18, 2016.

Apple is defending the customer’s right to Privacy against the FBI’s Security arguments. On Tuesday, a judge in California ordered Apple to help the FBI break into the phone of San Bernardino shooter Syed Farook. The FBI claims, based on the All Writs Judiciary Act of 1789,  to have the right to force Apple to write a software which would allow a ‘brute force’ attack on Apple’s encryption security on smartphones. The FBI has required the assistance of the Californian judge who issued the order to give ‘reasonable assistance’. The case of the San Bernardino terrorist attack has been carefully chosen to make the judge’s order to Apple decision more appealing to the public opinion.

It should additionally be pointed out that the terrorists physically destroyed their two mobile hand sets, likely to contain the sensitive information. The chances of finding anything on this remaining iPhone are extremely low. San Bernadino Police Chief Jarrod Burguan, confirmed to NPR, “I’ll be honest with you, I think that there is a reasonably good chance that there is nothing of any value on the phone.” he then adds:

In this particular case, Apple is challenging the FBI’s request, so to speak, to overcome that encryption. But the larger issue here is do we want companies to have the right to create something that would be that much of a potential danger?

Here is what we should know in order to understand Apple’s resistance to comply with the order :

1- The simple fact that Apple publicised this request is an act of defiance. In a terrorist case to publicise a law enforcement request is against US laws. Apple would have normally been discretely served with a subpoena to hand over the data. This time, Apple is asked, by a judge, to re-rewrite its operating system.

2-The security expert, Askan Soltani, points out that the phone, an Apple iPhone 5c, had been cloud backed up until October 19, thus much data has already been accessed by the FBI and nothing found. They now need the more recent data, password protected, on the iPhone; Since Edward Snowden’s revelations, Apple has strengthened its encryption, so that the operation is more technically challenging. Apple is working on creating a totally unbreakable new encryption.

Screen Shot 2016-02-18 at 10.41.49

3- Could FBI itself extract the data? The answer is yes in principle. However, only Apple has the developper key. Could other companies do this? Difficult. But it might be possible from a conversation between Ashkan Soltani and PrivacyMatters on Twitter:

Screen Shot 2016-02-18 at 11.54.47

The Security expert Bruce SCHNEIER writes : “There’s nothing preventing the FBI from writing that hacked software itself, aside from budget and manpower issues. There’s every reason to believe, in fact, that such hacked software has been written by intelligence organizations around the world. Have the Chinese, for instance, written a hacked Apple operating system that records conversations and automatically forwards them to police? They would need to have stolen Apple’s code-signing key so that the phone would recognize the hacked software as valid, but governments have done that in the past with other keys and other companies. We simply have no idea who already has this capability.”

 

– As Wendy Grossman reports: “At Techcrunch, Matthew Panzarino explains the difference between the iPhone running iOS7 in the New York case and the iPhone5C that belonged to Farook. In iOS7 Apple can extract the phone’s contents without knowing the user’s password; it is resisting the New York order to do so. From iOS8 onwards, it can’t. The iPhone5C runs iOS9. Hence the FBI’s request.”

– The Electronic Frontier Foundation in support of Apple says: “One feature can even erase the iPhone’s contents after 10 failed attempts to unlock it. Prosecutors say they are worried that this feature could be on the phone Farook used. And unless Apple devises a way to unlock it, they could lose all its data. The company now has five days to make its formal response in court.

– What seems crucial here is the question of the iPhone’s ID or Passcode reset [that would be lost by the FBI as ACLU’s principal technologist, Chris Soghoian wrote on Twitter (it seems he has deleted his tweet since)].This point is starting to be clarified. We know from the above that backups up to the 19 October, when the function was disabled, had been accessed by the FBI. The phone passcode could have otherwise been reset (how to unlock Apple iPhone) if the FBI could find the computer with which the phone has been backed up with or as Apple had initially offered, by connecting it to the Web from a network that the device had already accessed. Initially it was wrongfully said that : “the owner [San Bernardino County Department of Public Health], in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.“. It has since been corrected. We now know thatSan Bernardino County tweets it reset terrorist’s iCloud password with FBI“. The password-protected device is programmed by default to erase itself after too many incorrect attempts (10) rendering its contents permanently inaccessible.

  • Facts confirmed by Buzzed that reports : “FBI Admits It Urged Change Of Apple ID Password For Terrorist’s iPhone”. The Apple ID password linked to the iPhone belonging to one of the San Bernardino terrorists was changed soon after the government took possession of the device, Apple, San Bernardino County, and federal officials have acknowledged over the past 48 hours. If that password change hadn’t happened, Apple senior executives said on Friday afternoon, a backup of the information the government was seeking may have been accessible.

Therefore, it is clear today that the statement that “The FBI had claimed in a court filing on Friday that the password was changed by someone at the San Bernardino Health Department, writing, “[T]he owner, in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely” was not exactly correct. They did so with the assistance of the FBI and Apple is taking grief on that.

Screen Shot 2016-02-21 at 16.43.23

Late Saturday, the FBI released a statement refuting a federal official who had said the agency was unaware the password was reset until after it had occurred on the iCloud account associated to the iPhone.

The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data,

adding that the reset does not

impact Apple’s ability to assist with the the court order under the All Writs Act,

How could these backups be accessed? The forensic scientist Jonathan Ździarski wrote on Twitter:

Screen Shot 2016-02-21 at 17.42.45

Screen Shot 2016-02-21 at 17.43.01

 

 

 

 

 

This explains why Apple is asked to write a new operating system. Apple argues that the FBI request, if successful, will open the door to hundreds of similar requests from investigators across the country and the world.

– Zdziarski, Forensic scientist, gives full detail of the whole process for Apple to provide lab services and develop what will be considered an ‘instrument’ for the court. Cook said : “The FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on [the shooter’s] iPhone,” Cook added. “In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.“. This means Apple will have to have dedicated engineers to unlock security specificities they install on their own product.

He follows: “For years, the government could come to Apple with a subpoena and a phone, and have the manufacturer provide a disk image of the device. This largely worked because Apple didn’t have to hack into their phones to do this. Up until iOS 8, the encryption Apple chose to use in their design was easily reversible when you had code execution on the phone (which Apple does). So all through iOS 7, Apple only needed to insert the key into the safe and provide FBI with a copy of the data.

This service worked like a “black box”, and while Apple may have needed to explain their methods in court at some point, they were more likely considered a neutral third party lab as most forensics companies would be if you sent them a DNA sample. The level of validation and accountability here is relatively low, and methods can often be opaque; that is, Apple could simply claim that the tech involved was a trade secret, and gotten off without much more than an explanation. An engineer at Apple could hack up a quick and dirty tool to dump disk, and nobody would need to ever see it because they were providing a lab service and were considered more or less trade secrets.

This answers the questions of few who remembered that Apple had helped law enforcement agencies in the past. This time, it’s different, as Apple here is asked to weaken its own security encryption.

What about Apple accessing the data without handing its software key? Lets the tech experts dig into this further. It seems like Apple itself could force older generation iPhones like this iPhone5c but not the newer iPhone6. The argument here is that it creates a dangerous precedent where Apple fears other requests of access coming from less worthy organisations.

John McAFEE  declared : “I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product”. Could he be capable to do what the FBI could not do for two months? Not impossible.

4- As many have pointed out, the danger of such a precedent is to allow repressive regimes to make use of the technology. Just like Deep Packet Inspection weakens security in the name of Child online protection or copyright fight. Once the technology is out, it falls into the hands of everyone seriously threatening our liberties.

5- Finally, Apple’s open letter was a major marketing boost for Apple trust. Another case showing how privacy is not just a burden but on the contrary, a big asset for companies. A nice move that will help people to forget the Error 55 Apple attack against customers repairing their device outside Apple certified dealers. Since Blackberry, which had the more ‘serious’ and ‘secure’ reputation within the business users has lost its market, Apple has to prove it stands for security.

Interesting to note that a SanBernardino mother of a victim took Apple’s side.

Who else is going to support Apple’s position ? so far Google and Jan Koom, CEO of WhatsApp.

Screen Shot 2016-02-18 at 10.48.40

Screen Shot 2016-02-18 at 13.58.16

 

and many other major web giants support Apple. As Google’s chief executive Sundar Pichai, in a series of tweets on Wednesday called for “a thoughtful and open discussion on this important issue.” demanding an end to the FBI’s offensive request that could set a “troubling precedent.” or Watsapp CEO, Amazon, Microsoft, etc…

– Fortune magazine published a video interview of Michael Hayden, former director of the National Security Agency, taking side for Apple against FBI :

The issue here is end-to-end, unbreakable encryption—should American firms be allowed to create such a thing?” he told the Wall Street Journal editor John Bussey. “You’ve got [FBI director] Jim Comey on one side saying, I am really going to suffer if I can’t read Tony Soprano’s email. Or, if I’ve got to ask Tony for the PIN number before I get to read Tony’s emails. Jim Comey makes that complaint, and I get it. That is right. There is an unarguable downside to unbreakable encryption.

 

– Jonathan Zittrain, Co-founder at Berkman Center for Internet & Society and Professor of Computer Science at Harvard University, says on apple v FBI : “Here, the government isn’t just seeking information in Apple’s custody, such as customer communications or a password. It’s asking Apple to undertake software engineering. That’s what makes this, out of the box, very different from the usual requests that law enforcement makes of a private company. The demand on Apple is for its engineers to write software to defeat the very thing that they built to prevent [the phone’s security] from being cracked. If one government asks for that, so will others … The real question is what their future phones will look like and how much of a role the U.S. and other governments will seek to play in trying to limit how Apple can build them.

Apple has until February 26 to reply to the court’s decision, the hearing date is slated for March 22, according to Thom Mrozek, a spokesman for the U.S. Attorney’s Office for the Central District of California.there is a chance for the case then up at the Supreme Court.

Apple and the US Justice Department have been on a collision course since Apple said it would offer strong encryption by default on its devices in 2014, a move prompted in part by the surveillance revelations from former National Security Agency contractor Edward Snowden.

– February 26, Apple filed a motion to vacate the court order compelling them to cooperate with the FBI. [Apple Inc’s motion to vacate court order] their position is that the court order violates their First Amendment rights, and there is significant precedent to support that position. Several past court cases have considered computer programs as a form of speech and therefore subject to free speech protection under the 1st Amendment. Apple insists that “This is not a case about one isolated iPhone,” in his introduction to Apple Inc.’s Motion to Vacate Order Compelling Apple Inc. to Assist Agents in Search, and Opposition to Government’s Motion to Compel Assistance. In Fighting FBI, Apple Says Free Speech Rights Mean No Forced Coding. In addition, Apple’s defence argues the judge’s order is “unreasonably burdensome,” and would require Apple to create a new operating system, tying up six to 10 of its employees for up to a month. This goes over the limits of the All Writs Act. “The All Writs Act does not allow the government to compel a manufacturer’s assistance merely because it has placed a good into the stream of commerce,” they wrote in their appeal. “Apple is no more connected to this phone than General Motors is to a company car used by a fraudster on his daily commute.”. Finally, based on the Fifth Amendment Apple’s lawyers argue that the government is taking away US residences’ liberty as the requested order would require Apple to “do the government’s bidding” in a way that’s burdensome and violates Apple’s “core principles,”.

It is extremely likely that the case will end up at the Supreme Court. Several congressional committees are looking into the issue, and Apple’s top lawyer is scheduled to testify before a House Committee this week.

Apple’s general counsel, Bruce Sewell, will speak on behalf of the iPhone maker and CEO Tim Cook on Tuesday at a hearing before the Senate Judiciary Committee on the balance between national security and individual privacy: “The Encryption Tightrope: Balancing Americans’ Security and Privacy,” will also include testimony from FBI Director James Comey and District Attorney for New York County Cyrus Vance Jr. It will begin at 1 p.m. ET.

You can continue to read all comments and latest news here on my Pearltrees.

Screen Shot 2016-02-18 at 12.01.48


Share This:
Facebooktwittergoogle_plusredditpinterestlinkedinmail

One thought on “Apple stands to defend customer’s Privacy

  1. MetalSamurai on said:

    If the PINs, pass codes, passwords etc are confusing:

    The phone itself is locked with a PIN (aka passcode). This used to be a 4 digit PIN or optionally a longer alphanumeric password. Newer versions of iOS prompt you to set a 6 digit PIN. Phones with TouchID also allow you to use any of 5 fingerprints to unlock the phone (not after a reset, not after 48 hours of being locked, you only get 3 attempts before you must use the PIN/passcode). The TouchID hardware forces a delay between PIN attempts to slow down brute force attacks. The phone in question a 5c doesn’t have the TouchID and Secure Enclave hardware.

    The Apple ID (is the same as an iCloud account or iTunes or App Store account) is another optional thing you are prompted to link when you set the phone up. If you enable it the phone will normally be backed up to iCloud when the phone is connected to power and in range of a known wifi network. iCloud backups are not encrypted (but they do not contain your email or wifi passwords).

    This is his work phone, not his personal phone which he destroyed. The chances of anything useful on this phone are very low. The FBI know this. They’ve already seen backups of it up until October.

    San Bernadino county are incompetent. They should never have forcibly changed the Apple ID password without checking. Even if the FBI (wrongly) told them to. They should have enrolled a phone they own with an MDM platform. This would allow them to clear the PIN/passcode and gain entry to their own phone within minutes.

    Apple have said that what the FBI are asking for would work on newer 5s/6/6s models with Secure Enclave as the software could reprogram the Secure Enclave to remove the enforced delay between PIN attempts. The software CANNOT remain secret – any forensic tools must be available for inspection to all parties in court and independently verified. Once it exists it CANNOT be controlled. Bad actors (criminals, repressive governments) WILL use it.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Tara Taubman-Barissian | Tags: , , ,