If you care about your encrypted data, get rid of your iPhone 5c

If the FBI can hack it others can, too


If the FBI can hack the iPhone, others can, too, which means the encrypted content on countless phones is no longer secure.

Owners of these phones who care about securing their content should think about upgrading to something else. Newer iPhones, for example, might not have the same weakness and so would be less vulnerable, at least for a while.

The FBI has dropped its court action that might have forced Apple to help undermine security that blocked a brute-force attack against the passcode on the iPhone 5c used by a terrorist in San Bernardino. That’s because the FBI found someone else - reportedly Israeli mobile-forensics company Cellebrite – to do it for them.

Under other circumstances, the people who developed such an attack would tell Apple about how it was done, give the company time to fix the flaw that was exploited, release the details publicly and then give a talk about it at Black Hat.

That’s probably not going to happen in this case, although the technique will likely become known through other pending court cases. It seems if evidence is unlocked on phones in these other cases using the same means, prosecutors will have to reveal their methods in order to make the evidence admissible.

At some point Apple may discover the flaw and fix it, but for now the encryption system on the phones is vulnerable.

While the FBI is acting to prevent terrorism and punish criminals it is also working against accepted practice for white-hat hackers who discover exploitable vulnerabilities and help get them fixed. It makes sense because the exploits server the FBI’s law-enforcement purposes.

But it also lumps them in with commercial ventures such as Cellebrite, Vupen in France and Hacking Team in Italy that develop exploits for profit. For the FBI the payoff is convictions rather than money, but the principle is the same.

It also places the FBI In the same camp as the NSA, which many believe has a secret cache of undisclosed attacks against commercial digital security that it uses in its work. Some were surprised the FBI didn’t ask the NSA for help in the San Bernardino case.

Whether it’s the NSA, the FBI, Cellebrite, Vupen or even criminal hackers looking to break into bank accounts, security of digital devices will remain constantly under attack. But the case of law enforcement stands out.

Investigators seek access to everything that might be evidence to bring criminals to justice, and that includes phones. They will continue to seek it. Resolving the San Bernardino case without requiring a new interpretation of law surrounding court orders doesn’t mean an end to the core issue.

But it does mean there is some breathing room now for carefully weighing the value of access for law enforcement to convict criminals vs. the sacrifice of privacy everybody else.


Copyright © 2016 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022