Doctor Gibbs is in and I want to discuss what the press claims is a wave of anxiety in the IT community. The cause? The FBI deciding to vacate their court case that, should they have prevailed, would have compelled Apple to crack the San Bernardino shooter’s iPhone. They dropped the case because they were able to crack the iPhone in question with the help of a so far unknown third party. Since that was announced I’ve seen a number of articles that ponder the question of users’ perception of iPhone security and suggest that folks are getting seriously anxious.
The central concern seems to be that now we know that an iPhone 5c can be hacked, some iPhone users and enterprises using iPhones are worried about whether their phones are really secure. I’m here to tell all of you Nervous Nigels something you should already know: Your iPhone is definitely, unquestionably, and unequivocally not guaranteed to be completely secure.
I hope this isn’t news to you but it is a fact that nothing can be kept 100% secure. Even if you keep your secrets locked up in your brain, you might talk in your sleep or get tortured and spill the beans or, in the future, an evil genius might scan your brain. This is not a philosophical issue, it’s reality. Anything you’re hiding, even if it’s completely in your brain, is potentially available to someone who cares enough to go after you and your secrets and has the right tools.
If perfect security isn’t possible then what does that imply about keeping stuff secret in the real world? In the real world we use the security tools we can afford and rely on a simple trade-off: Cost versus degree of security. And cost isn’t just about how much we spend on security tools, it’s also the cost of the time and operational overhead required to use those tools. The closer you try to get to perfect security, the harder it becomes and the costs rise asymptotically.
Talking of practical security, you know why the majority of CPAs and lawyers and other non-IT professionals don’t use tools like PGP to secure their email and documents even though PGP is free? It’s a cost issue: Tools like PGP take too long to set up and when you use them in the real world, they interfere with workflow. We have to strike a balance so that our secrets are as safe as we can afford them to be. But I digress …
Now, when it comes to secure storage on devices, we rely on companies like Apple to do the right thing; the right thing being to make the products we buy from them as bulletproof as possible. We expect products that are physically tough enough for everyday use, fast enough to do useful things quickly, reliable enough to not fail from hardware or software issues when working, and secure enough that should someone unauthorized attempt to get access they find it really, really, really difficult.
In the case of the shooter’s iPhone, as I have said ad nauseam whenever the subject has come up, the idea that the device was uncrackable is simply naive. In fact, even when this whole fracas started, if it was the case that some government operation hadn’t already cracked the iPhone, they certainly had the capability to do so. Do you really think with the billions of dollars we’ve poured into the NSA, they haven’t been working on cracking iPhones? Given their resources, if they haven’t succeeded, they should be fired. From a cannon.
But if the iPhone could be hacked, why go through all of the theater? One aspect has to be political; if the FBI won a court order requiring Apple to cooperate then it would set a precedent requiring not only Apple but any and all tech companies offering products with encryption to do as the FBI required at any time the bureau pleased. If the FBI really hadn’t been able to crack the iPhone then the only reason that they weren’t helped out by another agency was likely to be a jurisdictional and/or legal issue. But I digress. Again.
So, we agree, there’s no product that is perfectly secure. We knew that before the FBI cracked the shooter’s iPhone and it didn’t worry us then, so why should it worry us now? If you’re one of the Nervous Nigels who feel that, with the revelation that iPhones can be hacked, the end is nigh and your systems are next, drop me a note at gearhead[at]gibbs.com and I’ll deliver some therapeutic treatment.
Next patient, please.