The Aftermath of Apple vs. The FBI

applelogoAs we all know, Apple refused to assist the FBI in cracking the iPhone 5c of the San Bernardino “terrorist” killers. The FBI took Apple to court.  Then the FBI dropped the case after successfully hacking the phone.  Then they successfully hacked another phone in a different case in New York.  Information appeared linking Israeli mobile security firm Cellebrite to the successful breach of the iPhones.

Apple of course wants to know how the hack works, so they can fix this security hole.  The FBI, not surprisingly, told Apple to pound sand.  This hack will make it insanely easy for the FBI to break into the iPhones of the defendants in several current trials.  They don’t want to lose this ability.

This has been great theater, and as amusing as it appears from the outside, there is a fundamental problem here, as pointed out by Bruce Schneier in a recent article in the Washington post.  The typical process when security vulnerabilities are discovered by a cybersecurity researcher is to inform the company whose products are affected by the vulnerability, wait for them to fix it or patch it, and then report it so the vulnerability can be patched on systems deployed around the world.  The FBI is not participating in this process, and it puts every iPhone user on the planet at risk for the same hack, whether from the FBI or some other party who gets their hands on this exploit.  And trust me, this will get out, either directly from the FBI, or through the result of parallel research by other white hat and black hat hackers.

At a recent presentation by John Carney at the (ISC)2 Twin Cities chapter meeting, he briefly discussed this issue, and the question was asked whether this made Android phones more secure than iPhones, and he said the only slight advantage that Android users had was that every manufacturer and every cell phone provider used a slightly different version of Android, and the multiplicity of versions would require a different hack for different phones and carriers.  Not terribly comforting.

So what to do?  At this point awareness is the main issue, but hopefully a new fully secured version of the iPhone will replace the current models.  If you are doing things that might attract the attention of the FBI or other law enforcement, know that your iPhone will reveal all.

Back when the unfortunately mis-named “Patriot Act” was passed, I asked whether an individual in the United States was more likely to run into one of a handful of Islamic extremist terrorists, or one of the 35,000 FBI agents.  I was sure I knew the answer then, and this incident proves it.  It would sure be sweet if the government would give us back our Constitution.

More Information:

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment