Apple vs The FBI: Is Strong Encryption A Good Thing? What about National Security?

by Gary S. @Miliefsky, Breach Prevention Pioneer and CEO of SnoopWall, Inc. @SnoopWallSecure

When John McAfee @OfficialMcAfee said that if he couldn’t get into the San Bernardino terrorist’s iPhone he would ‘eat his shoe’, many iPhone users thought he was crazy. How could anyone break into a secure, password-protected and encrypted iPhone? Well, as I’m going to show you, John would never have to eat his leather shoe and was 100% correct that it could easily be done.

Watch John McAfee on CNBC (used under the fair use provision of US Copyright law) discuss this situation.

Many think the @Apple iOS operating system is one of the most secure in the world for any smartphone or tablet. That may be true, as iOS offers full disk encryption with built-in hardened encryption (device key, file key, Keychain API, Data Protection API, etc.). In fact, iOS currently boots with a low-level boot loader, which then verifies iBoot. Apple defends well against native code exploits using both address space layout randomization (ASLR) and the XN bit (which stands for eXecute Never). ASLR randomizes the memory location of a program’s executable, data, heap and stack every time it is launched. To block cross-application memory attacks, the XN bit allows the OS to mark segments of a program’s memory, such as the heap and stack, as non-executable. In addition, jailbreaking does not allow you to disable the iOS sandbox, only to run apps outside of it. Does all this make it impenetrable? Of course not; it makes it more fun to hack, because hackers and cyber criminals love two things: 1) a challenge and 2) something well deployed. With nearly 1/2 billion iOS devices in the market, this is a prime target for hackers.

Early exploits were even able to avoid jailbreak detection. Smart malware developers can create jailbreak detection bypasses that fake replies to function calls to make it look like the device is not jailbroken when it still is. What about the Apple iTunes review process? Serious hackers create apps that bridge WebKit, so that native iOS APIs can be accessed via JavaScript. Some have done dynamic patching; just look at InstaStock by Charlie Miller, for example. What about intentionally exploitable vulnerabilities, where code is written with a buffer overflow that, when triggered, causes unseen code to execute? See Jekyll by Georgia Tech. So, yes, there are creative ways to accept the challenge and find ways around the well-done system hardening of iOS. Do you remember the Handy Flashlight app? This flashlight app secretly let users enable iPhone tethering. Handy Light wasn’t actually a flashlight app at all — it was a sneakily disguised tethering utility that let users share their iPhone’s Internet connection with their laptop.

Some have asked if Apple has a secret key or special back door that they just didn’t want to share with the @FBI because Apple is riding the ‘privacy wave’. The latest versions of the iPhone and iOS use an elliptic-curve encryption key exchange, augmented by the onboard cryptography chip. Therefore, THERE IS NO MASTER KEY. End-user PINs are resolved via the cryptographic chip: 10 tries and the iPhone is ‘bricked’. Any changes to this system would require hardware and software changes, weakening the system and leaving it vulnerable to hackers. However, as Cellebrite of Israel has proven, an external keyboard/USB vulnerability is exploitable in a way that avoids this security feature, i.e., infinite password tries could be done without bricking, and you actually only need a few hours of brute force attacks to get in. Their exploit tool is called UFED (Universal Forensic Extraction Device) and runs less than $700. See https://www.youtube.com/watch?v=AUgmnYChT48. So if you have possession of the device, you can physically exploit it. I’ve met teenagers working at Radio Shack who claim to have regularly used the device to help customers get back into their iPhone and also to transfer data such as contacts, photos and other media files to another device.

Watch Gary Miliefsky on Hardline Discussing Apple vs FBI Case.

What about remote access? It’s all about having background permissions and network access. Apple manages all multitasking in specially managed threads. Except for keyboards, audio players, alarm clocks and VPN clients, most processes are not allowed to run in the background. With these four exploit vectors, it’s easy to understand that the free emoji keyboards and free VPNs are not so free after all. By placing a network monitor on all egress traffic, you’ll be surprised by what you find coming out of these two kinds of free app in particular. Just pick one of the 500+ available on iTunes and you’ll start to understand the gravity of the situation. VPNs have control over all of your network traffic. This is a great exploit to access lots of data passed over the tunnel. In addition, products like Web Watcher, called iPhone monitoring software (and there are at least a dozen vendors), once installed, track text messages, photos, and call and web history.
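
The egress check described above, as an added example that is not part of the original article: it totals bytes sent per app and destination from a traffic log and lists the destinations that fall outside what the analyst expects each app to need. The log format, app labels, host names and expected-host sets are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <app under test> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2016-03-01T10:00:01Z emoji-keyboard cdn.keyboard-vendor.example 512
2016-03-01T10:00:07Z emoji-keyboard collect.adnetwork.example 1840
2016-03-01T10:00:09Z emoji-keyboard collect.adnetwork.example 2210
2016-03-01T10:01:12Z free-vpn gateway.vpn-vendor.example 90412
2016-03-01T10:01:15Z free-vpn stats.tracker.example 7733
malformed line
"""

# Hosts each app plausibly needs to function (an assumption set by the analyst).
EXPECTED = {
    "emoji-keyboard": {"cdn.keyboard-vendor.example"},
    "free-vpn": {"gateway.vpn-vendor.example"},
}

def summarize_egress(log_text):
    """Return {app: {host: total_bytes_sent}}, skipping malformed lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # not a well-formed record
        _, app, host, sent = parts
        totals[app][host.lower().rstrip(".")] += int(sent)
    return {app: dict(hosts) for app, hosts in totals.items()}

def unexpected_destinations(totals, expected):
    """List (app, host, bytes) for hosts outside the app's expected set, largest first."""
    findings = [
        (app, host, sent)
        for app, hosts in totals.items()
        for host, sent in hosts.items()
        if host not in expected.get(app, set())
    ]
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for app, host, sent in unexpected_destinations(summarize_egress(SAMPLE_LOG), EXPECTED):
        print(f"{app}: {sent} bytes sent to unexpected host {host}")
```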

Nothing like a free keylogger disguised as your emoji keyboard

Alarm clocks and audio players have special permission to run in the background

VPNs manage traffic flow, which means they see all your network traffic

In any case, these techniques are just the tip of the iceberg as to why the FBI, or any government agency for that matter, doesn’t need to weaken the iPhone encryption to get into an iPhone.

“I’ve argued for years that weakening encryption and creating ‘Secret Keys and Backdoors’ would be a huge mistake and dangerous to national security.”

Let me name a few breaches and see if you can guess what they all have in common:

• OPM.gov breach = 22 million records stolen by the Chinese government’s cyber army, putting in-field agents’ lives in jeopardy
• Sony Pictures Entertainment = 4 movies leaked, employee records lost, over a terabyte of data stolen by the DPRK’s cyber army
• Anthem.com breach = 80,000,000 records now in the hands of the Chinese government (along with the OPM records, which can be cross-correlated)
• Whitehouse.gov breach? State.gov breach? And many more in the news and found at http://www.privacyrights.org

Name any other recent breach over the past 3-5 years. What do these all have in common? There was NO ENCRYPTION set up to protect the data. With STRONG ENCRYPTION, none of these breaches would have happened. Lives are now in jeopardy over the OPM.gov breach, so without encryption, yes, lives can be lost. Who has cyber armies drooling over our critical infrastructure, network equipment, IoT, airplane, car, computer and smartphone vulnerabilities? China, Russia, North Korea, Iran and many cyber criminals!

Cyber-crime, cyber-espionage and cyber-terrorism all exploit: VULNERABILITIES and WEAK (or no) ENCRYPTION!

What would the legal ramifications be for Apple to be forced to weaken their iPhone encryption and not fix all the vulnerabilities I’ve listed above? Writing (STRONG) computer code is a form of FREE SPEECH, a right guaranteed by the 1st Amendment. Coders at Apple, or at any other company in the USA, have the right to unfettered, unmanipulated speech.

See: https://www.wired.com/2016/02/apple-may-use-first-amendment-defense-fbi-case-just-might-work/

So, forcing programmers to create a backdoor is a 5th Amendment violation because they have the right to NOT SPEAK, which could easily be construed as ‘self-incrimination’ (weakening code) or forced ‘decryption’.

See: https://www.eff.org/deeplinks/2013/10/new-eff-amicus-brief-argues-fifth-amendment-prohibits-compelled-decryption

In addition, almost by chance, the US Government passed a very intelligent law called the Cybersecurity Information Sharing Act of 2015 (aka CISA 2015). So, if any Federal agency (FBI or other) finds a VULNERABILITY in any kind of computer or internet equipment (iPhone, for example), they must disclose this hole to the manufacturer (Apple, in this case) so that they may close the hole and HARDEN the SYSTEM against FUTURE EXPLOITATION.

See “The Protecting Cyber Networks Act” of 2015:

http://intelligence.house.gov/ProtectingCyberNetworksAct

What this says is that fewer VULNERABILITIES and strong ENCRYPTION will make America strong. Encryption is a good thing; it powers the e-tail/retail economy and online banking. Backdooring encryption is a bad thing; it empowers not just ‘trusted’ agencies like the NSA and FBI but also any cybercriminal who can find the back door, and they look for them daily. Once criminals know of back doors, they move on to other platforms like Silent Circle, video game chat networks or Tor; they will always find a way to have a covert conversation. Root cause analysis says find the bad guys at the source, not when it’s too late, so finding them after the fact and hacking their phones is reactive, not proactive. Let’s all stand together for VULNERABILITY sharing like the National Vulnerability Database http://nvd.nist.gov, which rides off the Common Vulnerabilities and Exposures program (see: http://cve.mitre.org), where we all agree that fewer vulnerabilities is a good thing. Let’s also stand up for strong encryption, see: http://www.savecrypto.org

We could look beyond the iPhone into the vulnerabilities of cars, as exploited for Wired magazine, causing a Jeep to go off the road, or the new Boeing 777 that was launched with vulnerabilities that allow someone in a passenger seat to exploit the avionics. What’s missing in both cases? Strong ENCRYPTION. National security is truly at risk without strong ENCRYPTION. If you are old enough to remember the 1976 Ford Pinto story, you get my point. Whatever happened to Made in America with Pride?

One of the less discussed but deeper reasons I believe that Apple is standing up for strong encryption in their devices is that they are betting on the future of mobile commerce via ApplePay. If they can guarantee to the banks that transactions are safer coming from their devices than from our wallets and purses, it will open up an entire ecosphere that thrives off Apple. This could be worth billions in the long haul. One weak security key to ApplePay and cyber criminals will make it painful for retail, which has now made the transition to e-tail, to continue on its path to m-tail or ‘mobile commerce’. This is a big bet, and a backdoor for the FBI would ruin Apple’s future in this green field.

In the bigger picture, even beyond Apple, less vulnerable products with strong encryption will result in higher taxable GDP in America because we’ll have more quality products to sell internationally and we’ll lose less to cyber theft, leaving more money in our bank accounts to grow our businesses. There will be more international revenues and exports, as other countries and international companies will once again trust that Made in America means made well and strong. This will create more jobs in America, and there will be less successful cybercrime against the US. It will dramatically reduce the chance of cyber-terrorism in America and, oh, by the way, to my friend John McAfee and all fellow privacy advocates: as a side effect of being smart about hardened products and strong encryption, yes, the citizens get to reclaim their privacy, a sovereign right in our great Nation.

To those who will only get this message through visuals, I’ve put these four videos up for your enjoyment: http://tinyurl.com/woes4star

I’m placing my bets on hardened systems, strong encryption and the value of privacy here at SnoopWall as is John McAfee in his new public company, (NYSEMKT: MGT) folding in an array of privacy products and services. Please watch us to see how it pays out.


About the Author

Gary is the CEO of SnoopWall, Inc. and a co-inventor of the company’s innovative breach prevention technologies. He is a cyber-security expert and a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cybercrime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. In his earlier career, he sold and licensed technology that he invented to Hexis Cyber, a division of KeyW, Intel/McAfee, IBM, Computer Associates, and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP®. Email him at ceo@snoopwall.com and visit him online at http://www.snoopwall.com.
