27 Aug iPhone Too Secure For US Department Of Justice
In a world where anyone with decent tech know-how can access and steal your personal information, security has never been more important. Particularly mobile device security.
If you were asked whether there is such a thing as a mobile device that is too secure, you’d probably dismiss it as wishful thinking, something that could never happen.
However, according to MIT it has.
The security around the iPhone has certainly come a long way since the original iPhone, which was found to have deep security design flaws in June 2007. The original iPhone suffered from vulnerabilities in iPhone applications that Apple themselves had written, which ultimately provided Hackers with ways to exploit and potentially take over the phone from the inside. This design flaw was only corrected in January 2008, however, despite the delayed response from Apple, this catalysed a whole new focus for Apple’s products: security.
While currently it is still possible to take control of a phone remotely through exploiting apps, Apple has certainly made it increasingly difficult, as each app runs in its own isolated “sandbox” as opposed to the previous method which ran with root privileges.
This is fantastic for iPhone users, however, not everyone is singing Apple praises.
“I can tell you from the Department of Justice perspective, if that drive is encrypted, you’re done,” said Ovie Carroll, director at the Justice Dept.’s Computer Crime and Intellectual Property Section, during his keynote address at the DFRWS computer forensics conference in Washington, D.C.
While Apple have done right by their customers by providing devices with top notch security, they have, inadvertently, made it harder for law enforcement to provide evidence against criminals.
Technologies the company has adopted, protect Apple customers’ content so well that in many situations it’s impossible for law enforcement to perform forensic examinations of devices seized from criminals. Most significant is the increasing use of encryption, which is beginning to cause problems for law enforcement agencies when they encounter systems with encrypted drives.
Apple’s security architecture utilises the Advanced Encryption Standard algorithm (AES), which is a data-scrambling system published in 1998 and adopted as a U.S. government standard in 2001. It has been determined that the AES is unbreakable, with no computer imaginable in the foreseeable future being able to crack a truly random 256-bit AES key. The AES key in each iPad or iPhone “is unique to each device and is not recorded by Apple or any of its suppliers,” Apple said in a security- related white paper. “Burning these keys into the silicon prevents them from being tampered with or bypassed, and guarantees that they can be accessed only by the AES engine.”
So, when the iOS device is turned off, the copy of the encryption key in the computer’s accessible memory is erased. A copy is, of course, kept deeper in flash memory (otherwise there would be no way for the device to recover data when it was turned back on), however, the encryption key is itself protected by the user’s PIN lock, which has become much harder to crack, particularly with some users implementing a 10 digit PIN code, which would take 25 years to try all possible combinations through specialised software. Apple designed iOS devices so that the hardware that encrypts data is in the path the data travels when it moves from flash storage to the iPhone’s main memory. This means that data can be automatically decrypted when read from flash into memory and re-encrypted when saved from memory back to flash.
“There are a lot of issues when it comes to extracting data from iOS devices,” says Amber Schroader, CEO of Paraben, a supplier of forensic software, hardware, and services for cell phones. “We have had many civil cases we have not been able to process … because of encryption blocking us.”
Of course, this does not mean the iPhone is completely free of vulnerabilities, as shown through the recent discovery of a security flaw in iOS related to SMS. So even though the iPhone has, without a doubt, had its security tightened, users will need to continue to exercise caution when utilising their smartphones.
While both enterprises and consumers will be excited about the future of ultra secure devices, it begs the question of whether ultra effective security measurements will occur at the expense of delivering justice. The irony of almost military grade device protection for everyone, is that while it protects consumers, it also may protect the criminals who seek to do wrong by these consumers and society as a whole.
What do you think? Is the access to criminal evidence a necessary tradeoff for superior mobile device security?