So, for anyone that’s been living under a rock, Syed Farook, the San Bernardino shooter’, had an Apple iPhone 5C. The FBI believes that there may be information on the phone relevant to their investigation of this and possibly planned attacks. Thing is though, the phone is protected with a PIN and all of the data is encrypted. Without the PIN, the data cannot be accessed and after the PIN is incorrectly entered 10 times, the data is permanently destroyed and the FBI has already entered the wrong PIN 9 times. The FBI is now trying to compel Apple, via the courts, to give them (the FBI) a way to prevent the data from being destroyed after another failed attempt to enter the PIN. There are very passionate people on both sides of the argument and logical arguments have been made by both sides.
I don’t have an iPhone, how does this affect me?
Should the FBI prevail and the courts force Apple to comply, the decision could have widespread implications for our daily lives. Apple and fellow technology companies would be forced to create permanent solutions for law enforcement to get around encryption, using what’s commonly referred to as a back door.
Currently, per Apple, no Apple product exists to give the FBI what they need (the ability to disable the data destruction after 10 failed login attempts so that they can safely brute force their way to the data). The FBI is trying to use the power of the court to compel Apple to build a product to to disable the data destruction so that they (the FBI) can access the data. Two immediate problems come to mind. First, what happens if (when?) this product is leaked? Second, what about the next time that a vendor has implemented good security into a device that law enforcement needs access to (this case will be cited as precedent to require that vendor to create a back door like Apple did).
Many argue that, if such a product is created (especially after this much publicity), it’s only a matter of time before it’s released into the wild. This argument is supported by the recent ‘breach’ of the CIA Directors email (the AOL account where he had stored forms relating to his security clearance), Democratic Presidential Candidate and former Secretary of State and First Lady Hillary Clinton’s email server (which was stored in a bathroom of a private tech support company’s office and has been found to contain extremely sensitive information) and the OPM breach. It’s not hard to imagine that something like this would have no problem finding it’s way into the hands of the bad guys.
If manufacturers (hardware and software) know that they can (and likely will) be compelled to build products to defeat any security that they bake into their products, it’s not hard to imagine that those products will be built with that in mind (a page out of a Franklin Covey book, begin with the end in mind). As someone who spends a lot of time looking for obscure holes that can allow unauthorized / elevated access to
target client networks, knowing that a company has likely built this functionality into their products is attractive.