Sadly, governments and their agencies can’t be trusted to use private data, or decryption methods responsibly, says Devangshu Dutta.
What happens when an irresistible force meets an immovable object? Third-party intervention can resolve the impasse. At least, that’s what happened in the face-off between America’s Federal Bureau of Investigation (FBI) and Apple. The FBI (aka almost-irresistible force) demanded that Apple (a nearly immovable object) help unlock an encrypted iPhone 5 used by Syed Rizwan Farook.
On December 2, Farook and his wife Tashfeen carried out a mass shooting at the San Bernadino Inland Regional Center. They killed 14 people and injured another 20-odd before being themselves killed by police in a shootout. The iPhone 5 was Farook’s work device and it was recovered. He had apparently disabled backup to the Apple iCloud some six weeks before the incident and he had also encrypted the phone, using standard Apple technology.
The phone can be unlocked by entering the correct four-character code. That, in itself, is not a big deal. It is simple enough to write a software program to guess this code by brute force by generating all possible passwords. But two diabolical little tricks prevent this being done.
First, each unsuccessful attempt to guess the code will lead to the phone building in a long delay before it will accept the next input attempt. After 10 wrong guesses, the phone erases all data. The FBI went to court to try and force Apple to write a program, which would disable the 10-strikes security measure and hence, enable the FBI to guess the password. Apple refused, putting up a spirited legal defence.
The case was still in court when an unnamed “third-party” helped the FBI crack this encryption. The FBI has since dropped the case against Apple. Of course, this is not the end of the story. There are multiple loose threads to the narrative and disturbing long-term implications for privacy and security.
Unconfirmed rumours say that the third-party is Cellebrite, a “mobile forensics” provider from Israel. Tech experts suggest that the method of cracking the phone involved figuring out a way to save all the data on the phone’s hard drive (a NAND flash chip) elsewhere. Then brute force was used to guess the pass-code. Every time the chip was erased (after 10 wrong guesses), the data was simply reloaded. Perhaps multiple flash chips were cloned, or some other clever method found to bypass the delays.
Apple would naturally like to know what the hole in the much-vaunted encryption was. The FBI is not revealing the third-party nor is it offering details about the crack. There is speculation that the FBI may in fact, avoid using the same decryption techniques in any criminal cases where it will be forced to reveal the crack. In effect, the FBI is now playing the role of a hacker which has discovered a security flaw and leaves it unaddressed and open for future exploits.
The privacy implications are major. Any smartphone contains huge amounts of private data, more than enough for a thief to digitally impersonate the user. Strong encryption is a must. Users like the comfort of knowing that phone data is strongly encrypted and also of knowing that a device can be wiped remotely, in case it is stolen or misplaced.
Security agencies and law enforcement authorities would like to get into such devices. Sadly, governments and their agencies can’t be trusted to use private data, or decryption methods responsibly. As Edward Snowden, WikiLeaks, Nira Radia tapes, et al, have shown, security agencies routinely flout privacy laws even in First World democracies where such things are taken seriously. Many nations (including India) don’t have privacy laws anyway.
Until the San Bernadino crack, it was considered impossible to break into top-end smartphones. It may still be impossible to do this to new iPhones or Androids. But this exploit shows that it may also be within the realm of the possible. Every agency worth its cloak and dagger, not to mention every cell phone thief, will be looking to emulate this crack. That’s another nail in the coffin for the privacy and security of common citizens.
Image: A demonstrator holds a sign during a protest against the FBI's request to extract data from iPhones, outside the Apple Store in New York, on February 23, 2016. Photograph: Shannon Stapleton/ REUTERS.
