There is a lot of hand wringing about the announcement that the FBI, with outside help, has been able to break into Syed Farook’s iPhone. This is not at all the same situation we would have if Apple had agreed to create the FBI requested version of the operating system. The important difference is scalability.
With this announcement we now know that law enforcement can break into any iPhone (of that generation or earlier at least) given sufficient effort. That effort is the key. It appears that the phone hack requires disassembling the phone and desoldering at least one chip at a minimum. It might actually be more complicated and cumbersome.
This is absolutely not something that any government is going to do thousands of times, it can not be done quickly and would probably leave evidence of the activity. This is fine for investigations of high value cases, but is absolutely useless for mass surveillance.
Contrast that with what could happen if Apple had created the security bypass operating system. Once created it would certainly be compelled in many different cases. Governments around the world would all demand access to the tool. That tool would allow rapid software only compromise of the phones without physical modification. This kind of attack scales to large numbers much more easily. Fortunately it would still require physical access to the phone, but that could obtained in many ways both overt and covert. I suspect that the compromised OS could be delivered through a modified phone charger for example.
Doubtless many companies will be working to make their devices secure against this kind of physical attack as well as making the kind of FBI requested modification actually impossible. In the meantime, the effort required to compromise each phone ensures that only a very few phones belonging to very narrowly targeted individuals will be unlocked. I can live with that.
At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded so you can listen to the whole thing, or read a brief summery below.
The point of sales (POS) breaches at Hilton, and Starwood before that, suggest that a group of hackers is specifically targeting hotels, probably because most travelers have above average income. It should also make us brace for a likely wave of further POS breaches in many other businesses during the holiday shopping season.
It really makes me wish that more merchants accepted secure payment tools like Apple Pay, or even that more than a small fraction accepted the new chip and signature cards.
There is a lot of Schadenfreude going around about the Ashley Madison website hack. People are often treating it as more of a joke than a serious incident.
For those of you who have been under a rock, Ashley Madison is a dating site for married people who want to have affairs. Their tag line is even “Life is short. Have an affair” so they are very not subtle about it.
India recently announced that all ISPs in the country will be required to block a list of over 800 websites. They claim all of these were for pornography or child pornography, but it turns out that was not the case for all of them. In the face of a massive backlash, the telecom ministry first said this was no big deal because people could use VPN services to bypass the censorship. They later down entirely. (more…)