On December 2, 2015, [Syed Rizwan Farook] and [Tashfeen Malik] opened fire at a San Bernardino County Department of Public Health training event, killing 14 and injuring 22. This was the third deadliest mass shooting in the United States in recent memory, and began a large investigation by local, state, and federal agencies. One piece of evidence recovered by the FBI was an iPhone 5C belonging to one of the shooters. In the days and months after the shooting, the FBI turned to Apple to extract data from this phone.
A few days ago in an open letter to customers, [Tim Cook], CEO of Apple, stated they will not comply with FBI’s request to build a backdoor for the iPhone. While the issue at hand is extracting data from an iPhone recovered from the San Bernardino shooting, [Cook] says building a new version of iOS to extract this data would allow the FBI to unlock any iPhone. Needless to say, there are obvious security implications of this request.
Apple does not publish open letters to its customers often. Having one of the largest companies on the planet come out in support of privacy and encryption is nearly unprecedented. There is well-founded speculation this open letter to the public will be exhibit A in a supreme court case. Needless to say, the Internet has gone a little crazy after this letter was published, and rightly so: just imagine how better off we would be if AT&T said no to the NSA in 2002 – [Snowden] might just be another IT geek working for a government contractor.
There is a peculiar aspect of public discourse that doesn’t make any sense. In the absence of being able to say anything interesting, some people have just decided to add a contrary viewpoint. Being right, having a valid argument, or even having evidence to support assertions doesn’t matter; being contrary is far more interesting. Look at any comment thread on the Internet, and you’ll find the longest comment chain is the one refuting the parent article. Look up the ratings for a cable news channel. You’ll find the highest rated show is the one with the most bickering. When is the last time you saw something from the New York Times, Washington Post, or LA Times on Facebook or your favorite news aggregator? Chances are, it wasn’t news. It was an op-ed, most likely one that was espousing a view contrary to either public opinion or public policy.
As with any headline event on the Internet, the contrarians have come out of the woodwork. These contrarians are technically correct and exceedingly myopic.
The Contrarian Opinion to Apple’s letter
The netsec industry is odd. Every day, my inbox is accosted by unsolicited emails from PR agencies, asking if I’d like to do an interview with a CEO or chief scientist on the security issue du jour. From the unending reminders to upgrade to Windows 10 to the security implications of a virus designed to destroy Iranian centrifuges, I have been offered an interview with someone who is uniquely qualified to speak on the subject. As expected, the first offers for an interview turned up in my inbox ten hours after news of Apple’s refusal to cooperate with the FBI crashed around the world.
The gist of the first pitch for this interview is as follows: Apple could have easily complied with this court order. This is not a crypto war. To quote this interview pitch directly and without attribution:
Apple didn’t need to react this way – it was premature and apples and oranges. Forensically speaking and legally speaking the Judge asked for reasonable assistance on unlocking THIS SPECIFIC phone. Even if that requires them to modify the firmware with a key they have they don’t have to give that software to the FBI. They can simple do a few steps:
- Give phone to Apple
- apple runs their secret sauce and makes a backup image of the data/phone info
- they give that image backup to FBI which only contains the data not the key. This is how forensics on mobile devices are done, by a backup image.
There is no threat to mass surveillance here. it was a reasonable search warrant request no different than a warrant to the free webmail services or face books asking for data. You’re not giving them your keys to ALL your data, you’re only giving them the very specific data of the account that was requested.
While this is an interesting counter to [Tim Cook]’s argument, it lacks the technical details required of a matter that requires a passing knowledge of topics ranging from electrical engineering to 18th century case law. Fortunately, the default mode of discourse these days is contrarianism, and there’s always someone else ready to glom onto the most important thing to happen in the Internet this week.
On the Trail of Bits Blog, [Dan Guido] plainly states Apple can comply with the FBI court order without compromising security for millions of iPhones, and gives a reasonable technical breakdown of how Apple can do it.
In plain English, the court order asks Apple to create a special version of iOS that works on only one iPhone – the phone recovered from the San Bernardino shooting. This custom version of iOS would never leave the Apple campus. After all, according to the court order, the FBI only wants the data on the phone and not a method to extract data from every iPhone they come across.
This is technically possible. New firmware can be uploaded to the recovered iPhone via DFU. This new firmware would require a valid signature from Apple, and the FBI does not have the keys Apple uses to sign firmware. [Dan Guido] ends his teardown with the conclusion it is technically feasible for Apple to comply with all of the FBI’s requests. This request would not necessarily make every iPhone insecure, and to limit the risk of abuse, the tools created to assist in this request can be customized to only work with the iPhone recovered from the San Bernardino shooting.
This is a Unique Moment in History
Apple’s refusal to comply with court orders is the largest news item to hit the Internet in a very long time. The CEO of Google has weighed in on the issue, concurring with [Tim Cook]. It is now inevitable that every god of silicon valley will weigh in on the issue, most likely in agreement with Apple’s stance.
Yet the contrarians remain. The entire argument of one of these contrarians – a chief scientist at a highly regarded security firm – revolves around “secret sauce”. It’s entirely possible for Apple to get around the encryption of the iPhone 5c recovered in San Bernardino, and doing so wouldn’t really be creating a backdoor for every iPhone. Are these assertions correct? Maybe. Possibly, even.
The metaphor of not seeing the forest for the trees is too often used, and anyone can be correct while still being incredibly dumb. Apple’s response to the FBI’s request is unprecedented. Apple is standing up to a court order – defying a court order – in the pursuit of privacy and security.
Historically, large companies haven’t cared about your privacy. The best example would be NSA equipment installed in an AT&T office in 2003, hoovering up Internet backbone traffic and sending that information off to points unknown. This wasn’t the first time AT&T provided data to the NSA; that occurred in 1985, with phone and email data being collected at points around the United States and sent off to NSA repositories.
Ma’ Bell isn’t alone, and for every conspiracy theory on government surveillance spoken in hushed tones over the years, there is always news telling us, ‘yes, the government is spying on you, and here are the companies that helped.’ Instead of the usual way of doing things, Apple is saying what anyone who knows anything about security has been saying forever. If a backdoor exists, you are not secure. Apple will not provide that backdoor, and Google concurs with Apple’s view.
What we have here is one of the largest companies on the planet, a company that is sitting on over two hundred billion dollars – cash – and wants to take this issue public. If anyone has the resources to stand up to a surveillance state, it is Apple.
And yet the contrarians continue to prove there is a difference between intelligence and wisdom. Just because Apple could comply with a court order, doesn’t mean they should. Just because you have a unique viewpoint doesn’t mean you should post it on your Medium blog. This is an opportunity for a company with a deep pocketbook to go up against a surveillance state that has acted against your interests time and time again. This opportunity will not come again.