As we all know, Apple refused to assist the FBI in cracking the iPhone 5c of the San Bernardino “terrorist” killers. The FBI took Apple to court. Then the FBI dropped the case after successfully hacking the phone. Then they successfully hacked another phone in a different case in New York. Information appeared linking Israeli mobile security firm Cellebrite to the successful breach of the iPhones.
Apple of course wants to know how the hack works, so they can fix this security hole. The FBI, not surprisingly, told Apple to pound sand. This hack will make it insanely easy for the FBI to break into the iPhones of the defendants in several current trials. They don’t want to lose this ability.
This has been great theater, and as amusing as it appears from the outside, there is a fundamental problem here, as pointed out by Bruce Schneier in a recent article in the Washington Post. The typical process when security vulnerabilities are discovered by a cybersecurity researcher is to inform the company whose products are affected by the vulnerability, wait for them to fix it or patch it, and then report it so the vulnerability can be patched on systems deployed around the world. The FBI is not participating in this process, and it puts every iPhone user on the planet at risk for the same hack, whether from the FBI or some other party who gets their hands on this exploit. And trust me, this will get out, either directly from the FBI, or through the result of parallel research by other white hat and black hat hackers.
At a recent presentation at the (ISC)2 Twin Cities chapter meeting, John Carney briefly discussed this issue. The question was asked whether this made Android phones more secure than iPhones. He said the only slight advantage that Android users had was that every manufacturer and every cell phone provider used a slightly different version of Android, and the multiplicity of versions would require a different hack for different phones and carriers. Not terribly comforting.
So what to do? At this point awareness is the main issue, but hopefully a new fully secured version of the iPhone will replace the current models. If you are doing things that might attract the attention of the FBI or other law enforcement, know that your iPhone will reveal all.
Back when the unfortunately mis-named “Patriot Act” was passed, I asked whether an individual in the United States was more likely to run into one of a handful of Islamic extremist terrorists, or one of the 35,000 FBI agents. I was sure I knew the answer then, and this incident proves it. It would sure be sweet if the government would give us back our Constitution.
- Bruce Schneier in the Washington Post
- Recode about NAND Mirroring
- Recode about Cellebrite
- John Carney – You Can Run But You Can’t Hide (video here at minute 36)
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com