By Troy Wolverton / San Jose Mercury News
THE dust-up between Apple and the Federal Bureau of Investigation (FBI) over unlocking the iPhone used by the San Bernardino, California, attackers has some important lessons for everyday consumers regarding the security of the data they have on their phones.
As the dispute has made clear, even Apple’s much-touted security has its vulnerabilities.
And while the standoff has shown that getting data directly off the iPhone or other smartphones can be difficult, it’s also highlighted the fact that users’ data is often stored elsewhere via apps, browsers, e-mail servers and cloud backups, typically in a much more accessible way.
“It think this is a wake-up call to consumers,” said Avivah Litan, a security analyst with Gartner. “They should realize that 98 percent of their lives is out there anyway. There’s very little local information” that’s stored only on their phones.
The dispute over the San Bernardino phone centers around the FBI’s demand that Apple create some special software that would make it easier for the agency to crack the passcode used to lock the attacker’s device. Apple has refused that request, worried that it would create a security “backdoor” that could be exploited in other cases and for other purposes. The dispute has been portrayed as being about a conflict between national security and public safety on the one side and personal privacy on the other. But it’s also about the security and protection of individual consumers and companies.
The security measures that Apple and other companies have put in place on their devices and web sites protect consumers against all kinds of scams that can be perpetrated by gaining access to users’ data, including identity theft, financial fraud, ransom and more. They also help protect consumers from the kind of wide-scale, unwarranted snooping by government intelligence and law-enforcement agencies that Edward Snowden and others have helped to expose.
That’s why the vulnerabilities put in the spotlight by the Apple-FBI dispute are worrisome. They show the limits of the protection consumers can currently expect. One such vulnerability with the iPhone was put in the spotlight by Apple’s response to the FBI’s demands. Apple noted that it wasn’t objecting to the agency’s request, because doing so would be technically infeasible. Indeed, on a list of frequently asked questions about the dispute posted on its web site, Apple explicitly acknowledged that it could do what the FBI is requesting.
The company’s statement basically acknowledges a weakness in the iOS operating system that underlies the iPhone and the iPad. The software underlying those devices can be altered even when those devices are supposedly secure and their data is encrypted.
That might not amount to a backdoor, but it’s certainly a security vulnerability, said Nate Cardozo, a staff attorney at the Electronic Frontier Foundation. The phone in question in San Bernardino is an older model, an iPhone 5c. But even the latest iPhones have the same basic security problem.
“Apple has said that even in the current generation of devices, that this technique with some modifications would still work,” Cardozo said.
The iPhone maker is now working to close that hole, the New York Times reported recently.
“I would be surprised if they didn’t have this fully patched up and fixed by the iPhone 7 or maybe the generation beyond that,” Cardozo said.
Even if Apple does close that hole, the San Bernardino case has put the spotlight on some other ones. Many smartphones—like the iPhone in question—save backup copies of their data to servers on the Internet. Those backups are vulnerable from several different directions.
The companies whose servers store those backups—in this case, Apple—can access them. In the San Bernardino case, Apple handed over to the government a several-months-old backup of the iPhone in question. According to the Financial Times, Apple is working on a fix for this vulnerability, too; it plans to encrypt users’ backup so that even it can’t unlock them. Even so, cloud backups—and the devices themselves—are generally only as secure as the passwords and security questions used to safeguard them. That fact was put on display, literally, when a hacker was able to crack the passwords of numerous celebrities and posted the often racy pictures they’d stored on Apple’s servers on the open Internet.
And that’s not to mention that most apps that consumers use often keep track of their every move. That data, too, is typically accessible not only to the companies that make the apps and their marketing partners, but potentially also to hackers and the government. Unlike what happens in Vegas, what you do on your phone typically doesn’t stay there.
“There are plenty of digital footprints that are left all over the place,” Gartner’s Litan said.
And keeping track of those footprints can be difficult even for security experts, much less the average consumer.
John Dickson, a principal with the Denim Group, a security consulting firm, noted that he was recently surprised to see some of his web-browsing history show up on his wife’s computer. He soon realized that he had started using the Chrome browser on his iPad, and it was preset to sync its browsing history.
“The vast majority of people have no idea what the settings on their devices are and what they’re saving things off to,” Dickson said.