The wrong question

Update: My first analysis was based on excerpts from the judges order published in the media. I’ve now read the whole order. And it’s worse than I thought. See edits below.


In response to the federal judge’s order that Apple create code to disable the countdown timer on iPhone’s password input routine (thus, allowing the FBI to mount a brute force attack without fear of the security routine wiping everything), people have asked — in a properly sarcastic manner — “What could possibly go wrong?”

They should be asking, “What could possibly go right?”

In case you have kept up, if one enters the wrong password into an iPhone too many times, it assumes the phone is in the wrong hands and self-wipes. The FBI has a phone that belong to one of the shall-not-be-named San Bernardino terrorists, but the password is set.

Enter an idiot judge. The Honorable Dumber N. Boxofrox ordered Apple to develop new code to disable the countdown feature, and to tailor it to work only on the single terrorist’s phone by hard coding it to only work with a couple of identification strings associated with that phone, and install it there. Sounds nice, right? Limited scope.

Correction: The ordered change to disable countdown (and eliminate delays in entering password attempts) is not limited to the terrorist’s iPhone. In addition to the new “FBiOS,” Apple is required to provide a separate data recovery/backup/”Software Image File” application to copy everything in flash memory. That application is the only thing required to work only on the single instrument.

Now let me explain what would really happen. Apple would basically be writing a new variant of the operating system. They would install it (as an update) to the phone in the FBI’s custody. FBI eventually unlocks phone, images everything on the phone.

Everything.

That is inevitably going to include the operating system, which means the FBI would now be in possession of the security-bypassing OS. They could turn it over to hackers to decompile the code, then scan for the two hard-coded ID strings. At this point, they could either type in two new strings for whatever other iPhone they might have laying around in an unrelated case, or change the code to not require the IDs at all. A brand new electronic forensic tool, provided free of charge by Apple.

Correction: No need to reverse engineer anything. Plus, the FBiOS must allow the Feds to enter passwords via WiFi or Bluetooth; i.e.- remotely, just as the FBiOS would be uploaded remotely. Once they have the OS in hand, the FBI can do it to anyone without even the need to reverse engineer the FBiOS. They’re demanding a turnkey mass covert surveillance tool from Apple.

But the Feds would never steal some company’s code, would they? Or go sneaking around spying without a warrant. And it would never occur to them to use a variant of a Stingray to generally access other phones and surreptitiously upload their little bit of malware.

Hell, you know they would. Personally, I suspect that’s exactly what they want. Since the terrorists were savvy enough to kill their data trail by disappearing their computer hard drive, I doubt they left anything useful on the iPhone. At most contacts, which the FBI can already get by subpoenaing their billing records from the phone company.

So let’s assume for the sake of discussion that they do this. We’ll even give the Feebs enough credit to say they don’t get hacked by another 16yo kid who steals data from them… you know, like new OS code.

But in this hypothetical scenario, they’ve released the code into the wild. Into iPhones whose security has been crippled by definition. Don’t lose your phone or get it stolen Correction: With remote acccess, no one has to physically steal your iPhone; whoever ends up with it can get any data…just as easily as the Feds. Or install malware (keystroke loggers, audiovisual bugs, GPS tracking, etc.) on it and return the iPhone they “found.”

I suspect jealous spouses and significant others would be a ready market, as well.

And recall that Apple programmers say that what the Feds are demanding would work on newer iPhones, too; not just the older generation terrorist’s smartphone, of which there are probably millions in use anyway.

What with people jailbreaking phones anyway, it would only be a matter of time before some hacker generated his own malOS. For that matter, maybe the FBI should hire that 16yo to hack that phone for them.

Oh. Wait. Then they’d have to pay him. When they can force Apple to do it free.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s