So how much can someone who has your phone and/or the right tools learn about you?
A common question among Apple users is whether the phone manufacturer pre-installs ‘backdoors’ or some kind of ‘hidden access’ into the handset to be used to gather information for law enforcement.
To answer that, we need to consider what security the iPhone has, and why it has it. When Apple designed the phone’s built-in security (locking, securing data etc.), they did so under the premise that the user requires his/her data to be protected in the event of loss or theft. Apple would not operate under the impression that its users would need to hide something from law enforcement, or need to prevent their phone being used as evidence in a court of law. Regardless, Apple has used high levels of encryption on the iPhone, improving it with each new version of its operating system (iOS).
Various experts in the industry (such as Charlie Miller) have often reiterated that they do not believe Apple actually keeps your passcode on its servers. Apple itself states the same thing.
Whether or not this is true, we don’t know for sure. But it appears, given the time and effort required by law enforcement officials (even in other countries) to crack encryption on an iPhone, that they are not working with a passcode simply handed to them by Apple.
The fancy tools available to extract data from iPhones rely on well-known exploits, default configurations or other entry points into the phone. Some can try to brute-force passcodes on the phone using methods that do not trigger the built-in protection, or that simply account for it. Law enforcement officials also rely on simple user mistakes or inexperience to gain access. How many people use their birthday as their iPhone PIN? Or use 1234 or 1111 because it’s easy to type in?
Encryption
With regards to data encryption on the iPhone, keep in mind that not all data is encrypted. Due in part to the access required by certain applications, it can be deduced that some photos, for instance, are not encrypted. Chat programs such as WhatsApp can also implement their own encryption – in which case Apple may have no insight into how this data is protected, nor who has the keys used for decryption.
Could Touch ID, a fingerprint recognition feature devised by Apple, solve these issues? Probably not. Touch ID adds convenience but not necessarily extra strength in cryptography. Remember you still need to enter a PIN code to enable Touch ID, and therefore it’s highly likely the iPhone is still using the PIN code as part of the key generation for encryption – much like iPhones without Touch ID.
Apple would not have relied solely on a fingerprint to generate encryption keys because if the print stops working, access to data is lost. Besides, users can simply enter their PIN to bypass the Touch ID requirement. Keep in mind, this is not a failure on Apple’s part since they do not sell Touch ID as an upgrade to your phone’s encryption capabilities.
Solution
Should we be worried then? Yes and no. Apple has put a lot of work and research into iOS and the iPhone itself. Compared to other operating systems, iOS also maintains a relatively good stance on security and a lack of critical security flaws.
However, there will always be a way around something, and given enough time and resources someone will find vulnerabilities, a flaw, or an “undocumented feature”.
Switching to Android, BlackberryOS or Windows will not make you any more secure against law enforcement officials, or highly skilled malicious users.
There are, however, some steps you can take to make it more difficult for anyone to get at your data:
- Set a random, strong PIN. Avoid duplicate digits and sequences, and definitely avoid anything personal such as your postal code, birthday etc.
- Set your iPhone to auto-lock after a reasonably short time. If it is stolen or ends up in unwanted hands you want it to be locked before it can be accessed.
- Activate the Find My iPhone feature on the device. Not only is this useful to know where it is if you lose it, but you can also request the device to wipe itself remotely. Remember, however, that the phone keeps track of where you’ve been, and this info can be retrieved from the device with the right tools.
- If your phone is lost/stolen or in the hands of a malicious person, immediately change any e-mail, Facebook, and other passwords on the applicable websites. That way, no further updates can make their way to the phone.
- Finally, as a general rule, if you don’t want something to ever be used against you – don’t say it via text or e-mail. That not only applies to anything related to the law but even in general life circumstances. Remember, you can’t take back what you typed.
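As an added example (not from the original post or from Apple), the PIN advice above and the weak choices mentioned earlier (1234, 1111, birthdays) expressed as a small Python checker that flags repeated digits, sequences, date-like PINs, notoriously common PINs, and PINs derived from the owner’s own personal data; the rule set and the list of common PINs are my own assumptions, not Apple’s passcode logic.

```python
import datetime

# Constructed checker that encodes the post's advice (not Apple's code): a PIN
# is rejected if it repeats one digit, runs in a sequence, looks like a date,
# is a notoriously common choice, or appears in personal data the owner supplies.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444"}

def is_repeated(pin: str) -> bool:
    """All digits identical, e.g. 1111."""
    return len(set(pin)) == 1

def is_sequence(pin: str) -> bool:
    """Ascending or descending run with step 1, e.g. 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def _valid_date(day: str, month: str) -> bool:
    """True if day/month is a real calendar date (leap year used so 29 Feb counts)."""
    try:
        datetime.date(2000, int(month), int(day))
        return True
    except ValueError:
        return False

def looks_like_date(pin: str) -> bool:
    """4 digits: MMDD, DDMM or a year 1900-2099. 6 digits: DDMMYY, MMDDYY or YYMMDD
    (any two-digit year is plausible, so only the day/month fields are checked)."""
    if len(pin) == 4:
        if 1900 <= int(pin) <= 2099:
            return True
        return _valid_date(pin[2:], pin[:2]) or _valid_date(pin[:2], pin[2:])
    return (_valid_date(pin[:2], pin[2:4]) or _valid_date(pin[2:4], pin[:2])
            or _valid_date(pin[4:], pin[2:4]))

def matches_personal(pin: str, personal) -> bool:
    """PIN occurs inside the digits of any personal item (birthday, postal code...)."""
    return any(pin in "".join(c for c in item if c.isdigit()) for item in personal)

def assess_pin(pin: str, personal=()) -> list:
    """Return the reasons a PIN is weak; an empty list means every check passed."""
    if not pin.isdigit() or len(pin) not in (4, 6):
        return ["must be 4 or 6 digits"]
    checks = [
        (pin in COMMON_PINS, "very common PIN"),
        (is_repeated(pin), "single repeated digit"),
        (is_sequence(pin), "digit sequence"),
        (looks_like_date(pin), "looks like a date"),
        (matches_personal(pin, personal), "derived from personal data"),
    ]
    return [reason for failed, reason in checks if failed]
```

Calling `assess_pin("0713", ["1980-07-13"])` flags both the date shape and the match against the (constructed) birthday, while `assess_pin("8251")` returns an empty list.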
By Dimitri Fousekis, Security Analyst / Team Lead, Telspace Systems