Tuesday, March 29, 2016

Apple responds to FBI iPhone hack, but questions remain


Yesterday, the FBI announced that it had managed to break into the San Bernardino shooter's iPhone sans help from Apple. The iPhone manufacturer will undoubtedly be pleased that the court case has come to an end without the company having to cave in and assist the agency.

In a statement, Apple said: "From the beginning, we objected to the FBI’s demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred. This case should never have been brought". But with the FBI's previous insistence that help from Apple was absolutely essential, some serious questions remain.

The secrecy surrounding the case means that, however loudly the company shouts about being opposed to helping the FBI, we'll never really know if, behind the scenes, Apple was in fact offering help. To publicly admit helping would be a PR -- and financial -- disaster, so it makes perfect sense to be vocally against the idea. It's entirely possible, of course, that the FBI achieved its aim with the assistance of Israeli security firm Cellebrite, but the point is: we'll never know.

If Apple was not involved in cracking the iPhone 5c, the company's customers will want it to press the FBI for details of the technique used to access the data. If one iPhone 5c running iOS 9 can be cracked, so can others -- it's a potential security nightmare when there's no way of containing who has access to the software or tools that were used in the successful hack. Apple and its customers will want to know what security flaw was exploited to gain access so that it can be plugged.

Without details from the FBI and its helpers, it's impossible to know whether the technique used only worked on the San Bernardino iPhone, or whether it could be applied to others. With the technology world's current focus on privacy and security, it's important that this is made abundantly clear -- but who do you trust enough to believe?

Apple's full response statement clearly chalks this up as a win:

From the beginning, we objected to the FBI's demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government's dismissal, neither of these occurred. This case should never have been brought.

We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.

Apple believes deeply that people in the United States and around the world deserve data protection, security and privacy. Sacrificing one for the other only puts people and countries at greater risk.

This case raised issues which deserve a national conversation about our civil liberties, and our collective security and privacy. Apple remains committed to participating in that discussion.

It seems that the FBI has achieved its goal. What's needed now is an element of transparency. As suggested by the Electronic Frontier Foundation, concerns will almost certainly mount around the government's ability to access data on other iPhones:

[...] this new method of accessing the phone raises questions about the government’s apparent use of security vulnerabilities in iOS and whether it will inform Apple about these vulnerabilities. As a panel of experts hand-picked by the White House recognized, any decision to withhold a security vulnerability for intelligence or law enforcement purposes leaves ordinary users at risk from malicious third parties who also may use the vulnerability. Thanks to a lawsuit by EFF, the government has released its official policy for determining when to disclose security vulnerabilities, the Vulnerabilities Equities Process (VEP).

If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply, meaning that there should be a very strong bias in favor of informing Apple of the vulnerability. That would allow Apple to fix the flaw and protect the security of all its users.

A final thought: can you imagine any other technology company having its security bypassed and then calling it a win?

Photo credit: Yeamake / Shutterstock


