I have been watching the case I will call Apple vs FBI carefully.  It is not quite David vs Goliath, because Apple is not some two-bit company with limited resources, but it is certainly a case of Privacy vs Security.

According to Apple’s account, creating a special version of iOS that defeats the passcode-attempt limit, and so makes a brute-force attack possible against susceptible iPhones, would open a Pandora’s box:

“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

Looking at the FBI’s request:

  1. [Apple] will bypass or disable the auto-erase function whether or not it has been enabled;
  2. [Apple] will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE; and
  3. [Apple] will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Taken together, the three items amount to a version of iOS that allows unlimited, automated guessing of the passcode: an erase limit that never triggers, guesses fed in over a port rather than typed on the screen, and no escalating delay between them. In other words, a brute-force-enabled iOS.
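To make concrete why each of the three items matters, here is an added example that models the passcode guard with the three controls as switches and runs a brute-force attacker against it. It is not code from the original post and not Apple’s code. The escalating delay schedule (one minute after the fifth consecutive failure, five minutes after the sixth, fifteen after the seventh and eighth, an hour from the ninth on), the erase after ten failures, the 80 ms hardware cost per attempt and the two seconds of human typing per manual attempt are assumptions chosen for the model, not figures taken from this page or from the court filings.

```python
"""Model of the passcode guard the FBI's three requests ask Apple to remove.

Added example; not part of the original post and not Apple's code.
The delay schedule, the ten-failure erase limit and the per-attempt
costs are assumptions for the model, not figures from the page.
"""
from dataclasses import dataclass

ERASE_AFTER = 10              # assumed: device wipes after this many consecutive failures
HW_SECONDS_PER_TRY = 0.08     # assumed: cost of one key-derivation check in hardware
MANUAL_SECONDS_PER_TRY = 2.0  # assumed: time for a human to type one guess


@dataclass
class GuardPolicy:
    """Each field corresponds to one of the three FBI requests."""
    auto_erase: bool = True         # request 1 asks to disable this
    electronic_entry: bool = False  # request 2 asks to enable this
    software_delays: bool = True    # request 3 asks to remove these


@dataclass
class Result:
    found: bool
    attempts: int
    seconds: float
    erased: bool


def software_delay(failures: int) -> float:
    """Assumed escalating delay (seconds) imposed after the n-th consecutive failure."""
    if failures < 5:
        return 0.0
    if failures == 5:
        return 60.0
    if failures == 6:
        return 300.0
    if failures in (7, 8):
        return 900.0
    return 3600.0


def brute_force(secret: str, policy: GuardPolicy, digits: int = 4) -> Result:
    """Guess numeric passcodes in ascending order until found, erased, or exhausted.

    Returns the number of attempts made and the wall-clock time the attacker
    would spend under the given policy.
    """
    per_try = HW_SECONDS_PER_TRY
    if not policy.electronic_entry:
        per_try += MANUAL_SECONDS_PER_TRY

    attempts = 0
    failures = 0
    seconds = 0.0
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        attempts += 1
        seconds += per_try
        if guess == secret:
            return Result(True, attempts, seconds, erased=False)
        failures += 1
        if policy.auto_erase and failures >= ERASE_AFTER:
            # Request 1: with auto-erase on, the data is gone after ten misses.
            return Result(False, attempts, seconds, erased=True)
        if policy.software_delays:
            # Request 3: the escalating delay dominates total time once it kicks in.
            seconds += software_delay(failures)
    return Result(False, attempts, seconds, erased=False)


def worst_case_seconds(policy: GuardPolicy, digits: int = 4) -> float:
    """Time to exhaust the whole space, i.e. when the secret is the last candidate."""
    return brute_force("9" * digits, policy, digits).seconds


if __name__ == "__main__":
    stock = GuardPolicy()
    requested = GuardPolicy(auto_erase=False, electronic_entry=True, software_delays=False)
    print("stock guard, secret 0042:", brute_force("0042", stock))
    print("requested iOS, secret 0042:", brute_force("0042", requested))
    print("worst case, requested iOS, 4 digits (s):", worst_case_seconds(requested))
    print("worst case, delays only, 4 digits (days):",
          worst_case_seconds(GuardPolicy(auto_erase=False, electronic_entry=True)) / 86400)
```

Running it shows the division of labour between the three controls: auto-erase ends the attack after ten guesses, the delay schedule alone pushes a four-digit exhaustive search into hundreds of days, and with all three removed the same search takes minutes at the assumed hardware cost. Switching any one control back on is enough to see which request carries the most weight.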

At Columbia University, I wear two hats (mostly at the same time), Security and Privacy.  This case has given me (and I would guess, many of the readers of this fine publication) much pause on where we stand on this issue.

One of the major tenets of our DLP (Data Loss Prevention) program is the encryption of data at rest, especially on phones.  The reason behind this is the NY State breach disclosure law that, in simplest terms, costs the University approximately $195 per SSN lost in a security breach.  Our mitigating control for storing SSNs on a device is encryption: a lost device whose contents are encrypted is not treated as a loss of the data on it.

Why someone would have SSNs stored on their phone is beyond me, and the subject of another story, but let’s just say that stuff happens.  On an iPhone the encryption is only as strong as the passcode that protects the key, so if a brute-force-enabled iOS were to exist and, as Apple contends, could not be confined to a single device, then any lost iPhone becomes a possible reportable security breach.

As much as I like to catch bad guys, I am not sure that the risks, in this case, are worth the rewards.
