New encryption bill proposed by Richard Burr (Republican, North Carolina) and Dianne Feinstein (Democrat, California) seeks to effectively require backdoors in encryption. The intent of the law is, I believe, noble. The backdoors would only be available to law enforcement and then only in the most serious circumstances like terrorist attacks, child pornography, human trafficking, etc. The reality though is that weakening crypto by planting backdoors is akin to opening Pandora’s Box and hoping that no one finds the door.
Cryptography is basically math. You have a key (secret), a cipher (math) and plaintext (the message). You apply the cipher with the key to the plaintext and end up with ciphertext. Depending on the strength of the cipher, you cannot decipher the cipertext without the key (either by having it or brute-forcing [guessing] it). Most encryption today is strong enough to make brute-forcing the algorithm unrealistic (it’s worth noting that, at one time, DES was also considered sufficient) so the options become a) gain access to the key or b) include a backdoor (weaken the cipher, include an escrow key, etc.). Let’s take a look at this, assuming that cases similar to the recent FBI -vs- Apple are the catalyst.
The conclusion to the FBI -vs- Apple fiasco was that the FBI contracted ‘professional hackers’ who were able to successfully break into the iPhone 5c by exploiting an undisclosed vulnerability. According to news reports thus far, no usable intelligence was gained as a result. We know that there is a vulnerability (that presumably exists) in every iPhone 5c that can allow an attacker to circumvent the encryption and access the data. We know that whoever has this vulnerability (and the exploit for it) is willing to sell it and can assume that they’ve sold it to someone else. We know that, because they’re making money from it, they are not likely to disclose it to Apple to get the vulnerability patched (that would deter anyone from wanting to pay for it again, since it would no longer work). How many iPhones are out there that are used by people who would be considered high-value-targets to motivated attackers (government, law enforcement, corporate competitors, etc.).
Two other angles that I find interesting are the following. The FBI has indicated that they plan on “considering the question of disclosing the details of the tool to Apple” in the coming weeks. This is a vulnerability that affects millions of iPhones (this PCMag article suggests that more than 9 million were sold as of 2013) and it’s safe to assume that a lot of them are still in use. The money that the FBI used to purchase the vulnerability was taxpayer money. This is definitely well outside of my wheelhouse but it seems reasonable to assume that the vulnerability was paid for with taxpayer dollars and presents a danger to the public (all of those iPhones are vulnerable to attack). The second is a bit of a stretch but this seems to have been a clear violation of the DMCA (circumventing access control). Again, no real discussion there but I thought it was worth noting.
Ultimately, forcing manufacturers to bake backdoors into encryption, regardless of the intent, is a bad idea. There were no backdoors ‘baked into’ the iPhone but someone found one (and then sold it to the FBI). If someone found the backdoors that weren’t supposed to be there, what’s the likelihood that they won’t find the ones that are supposed to be there? Also worth noting here is that if the decision is made to create these backdoors, who will be the keepers of the keys (who will have the magic code to breach, the escro keys, etc.)? Is this really something that we want the same government that was watching the store for the IRS breach and the OPM breach to secure? Lastly, the FBI has a vulnerability in the iPhone 5c that allows them to bypass the encryption. It wasn’t that long ago that their kindred spirits, the NSA and Cyber Command, were at DEFCON talking about the importance of the intelligence, law enforcement and hacker communities working together? What happened?
- c|Net article – US senators push forward on encryption bill. Cue warnings we’ll all be hacked
- DataBreachToday article – FBI’s Zero-Day iPhone Hack: Many Questions
- Piratica Article – Yet Another Look at the FBI -vs- Apple Encryption Fiasco…
- DEFCON 20 – General Alexander, NSA, encourages intelligence and hacker communities to work together