Banks Should Worry About the Apple Security Case

Editor at Large

The FBI's fight with Apple over access to a dead terrorist's locked iPhone could undermine software security for banks and their vendors and complicate business in other ways.

As most readers know by now, the government has demanded that Apple create software that the FBI could use to try to crack open the iPhone of Syed Rizwan Farook, one of the San Bernardino shooters. Apple is resisting the order, arguing that it's tantamount to giving the FBI a master key that it could use to open other iPhones.

Regulators and other government agencies have long required companies to provide access to information for investigations, often secretly. The Apple-FBI case is unique, though, in that the FBI is asking for more than access to information. It's demanding that Apple create new code that could be used to bypass access controls built into the phone's operating system.

"They're not just asking Apple to give them something they have. They're compelling them to create something they don't already have," said David Weiss, senior analyst at Aite Group who focuses on banking and capital markets. "That doesn't happen in our world too much. They're compelling them to create a back door that could be reverse engineered" and used again in other contexts.

Among the many problems with this, the fallout from the case could hamper banks' ability to use secure software for communications and other tasks.

"The technology community is afraid that the precedent will limit what sorts of security features it can offer customers," wrote security expert Bruce Schneier in a recent blog post. "The FBI sees this as a privacy vs. security debate, while the tech community sees it as a security vs. surveillance debate."

A reusable back door like the one the FBI has asked Apple for could not only be used covertly by governments, but exploited by criminals, noted Stephen Cobb, senior security researcher at ESET, a provider of antivirus and security software. "Perhaps the best thing about this case right now is that it has engaged the public in a much-needed debate to a greater extent than anything since Snowden," he said.

The case could also affect banks' ability to do business internationally if it causes European leaders to nix a proposed deal that would let U.S. businesses import customer data from across the Atlantic. "If the FBI gets what it wants, it will further bifurcate the U.S. from Europe and presumably from Asia," Weiss said.

And it could affect banks' ability to buy cloud services. "You'll have stronger domicile rules," Weiss said, referring to foreign countries' privacy and security regulations, "and that will chill what you do on Amazon Web Services. Where's your AWS server?"

Background on Back Doors

The tug of war between the government officials who want easy access to information to go after terrorists, money launderers and other criminals and the technology providers that want to sell secure, privacy-protected products has intensified as vendors have tried to strengthen the security of their offerings — sometimes, ironically, at the urging of bank regulators — in response to the ever-growing problem of cybercrime. One of American Banker's security predictions for 2016 was that these crypto wars would heat up.

There are a lot of back doors out there. Verizon and AT&T, for instance, provide the government with access to phone calls on their networks on an ongoing basis. They have to, under the Communications Assistance for Law Enforcement Act.

Congress passed CALEA in 1994 to require telephone companies to make their phones and systems wiretap-ready to execute court orders. It provided an exception for Internet protocol communications.

"That exception helped the Internet grow tremendously, because software and hardware for the Internet doesn't have to go through an FBI approval process," said Peter Swire, professor and privacy expert at Georgia Tech's Scheller College of Business. "But now the FBI encounters difficulty sometimes. The iPhone case is an example."

Closer to home for financial institutions, Bloomberg reportedly provided regulators with backdoor access to its users' chat messages, helping them to prosecute the Libor rate-fixing scandal.

Banks, too, are of course compelled to give regulators access to customer and employee records when asked. A purist might not call this a back door, but it produces the same result.

"If bank regulators or law enforcement want to gain access, they can go to the IT department and respond to court orders when they receive them," Swire said.

"Regulators worry about insider trading, and fully encrypted messages are a fabulous way to trade inside information," he said. "There are many special reasons to have financial records open to regulators because of the different ways fraud or other crimes have occurred."

Most banks use mobile device management programs for corporate phones; these programs can be used to unlock a phone's passcode restriction. (San Bernardino County, which employed Farook and issued his phone, reportedly bought but never installed an MDM program.)

"The big conflicts come when government wants access to an individual phone that doesn't have a corporate IT manager," Swire said.

In a case similar to Apple vs. FBI, last year a bank-backed startup called Symphony tried to bring to market encrypted messaging software for which only its bank customers would hold the decryption keys (similar to Apple customers being the only ones to know their passwords). After a tussle with the New York State Department of Financial Services, Symphony agreed to retain a copy of all e-communications sent through its platforms for seven years, and the banks, including Goldman Sachs, Deutsche Bank, Credit Suisse and Bank of New York Mellon, agreed to store duplicate copies of their decryption keys with independent custodians.

Unintended Consequences?

Regardless of whether there's useful information on Farook's phone, once the FBI had the proposed firmware in its possession, it could use it to open other iPhones of a similar vintage (Farook's was an iPhone 5c running iOS 9).

"In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone's physical possession," Apple CEO Tim Cook said in an open letter to customers.

Specifically, the FBI is asking Apple to write software to override an operating system feature that automatically deletes phone data after 10 failed logins and a feature that shuts down the phone if passwords are typed in too quickly in succession. Both elements are designed to block brute-force attacks, in which software automatically punches in PIN after PIN until it stumbles on the correct one. (For a four-digit password, there are 10,000 possibilities, which software could run through in short order.)
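A simplified model of the two protections described above, added here as an illustration; it is not Apple's code and not part of the original article. The class and function names, the one-second minimum interval and the sample passcodes are assumptions made for the example.

```python
import hmac

class PasscodeGuard:
    """Toy model: erase data after 10 failed logins, and refuse
    guesses that arrive too quickly after the previous one."""

    MAX_FAILURES = 10        # from the article: data deleted after 10 failed logins
    MIN_INTERVAL_MS = 1000   # assumed value; the article gives no number

    def __init__(self, passcode, data):
        self._passcode = passcode
        self._data = data
        self.failures = 0
        self.wiped = False
        self._last_ms = None

    def attempt(self, guess, now_ms):
        """Return (status, data); now_ms is a caller-supplied clock in milliseconds."""
        if self.wiped:
            return "wiped", None
        if self._last_ms is not None and now_ms - self._last_ms < self.MIN_INTERVAL_MS:
            return "too_fast", None          # guess is never evaluated
        self._last_ms = now_ms
        if hmac.compare_digest(guess, self._passcode):   # constant-time compare
            self.failures = 0
            return "unlocked", self._data
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self._data = None                # protected data is gone for good
            self.wiped = True
            return "wiped", None
        return "failed", None

def exhaustive_search_outcome(guard, interval_ms):
    """Feed 0000..9999 in order at a fixed pace.
    Returns (final status, guesses evaluated, guesses rejected as too fast)."""
    evaluated = rejected = 0
    status = None
    for i in range(10_000):
        status, _ = guard.attempt(f"{i:04d}", now_ms=i * interval_ms)
        if status == "too_fast":
            rejected += 1
            continue
        evaluated += 1
        if status in ("unlocked", "wiped"):
            break
    return status, evaluated, rejected
```

With both controls active, only 10 of the 10,000 possible four-digit codes are ever tested before the data is erased, which is why the requested firmware targets exactly these two features.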

The FBI claims it only wants to use the firmware for one phone, Farook's. "We don't want to break anyone's encryption or set a master key loose on the land," FBI Director James Comey wrote in an open letter published on the Lawfare blog this week.

It's not a given that once the FBI has the special software, it will be accessible to criminal hackers. But over the past couple of years, the federal government has repeatedly demonstrated its incompetence at protecting personally identifiable information with breaches at the IRS, the U.S. Postal Service and the Office of Personnel Management.

The root of the problem here is that, between the Edward Snowden revelations about NSA surveillance and multiple massive data breaches, the government has severely diminished the trust that people once had in it. Giving the FBI a reusable back door to iPhones is a dangerous idea.

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.
