A California magistrate has ordered Apple to help the FBI gain access to an iPhone that was used by one of the terrorists in the 2015 San Bernardino shooting. To achieve this, the FBI has asked Apple to create a backdoor. Apple has refused, adamantly. Of course Apple wants to support investigative efforts in this horrible crime. But what the FBI is asking has ramifications that extend far beyond this one case.
Venafi supports Apple’s decision to oppose the FBI’s order. Complying would break the system of trust used for over 20 years to secure the Internet. By requesting the use of Apple certificates, the government is essentially hijacking the internet, hacking users, and undermining decades of security advancements.
In a nutshell, the FBI has asked that Apple create a new version of its operating system that would bypass many security controls. The FBI wants Apple to sign that software with Apple's certificate, producing what the FBI refers to as a “signed iPhone Software file” that would be trusted on any iPhone. This file would update the phone to the new operating system, which is designed to bypass the security that keeps the data on that phone confidential.
Although this has been requested to gain access to one particular device, this can’t be viewed as a mechanism to decrypt one device used by one terrorist. Once created, there is no way to ensure this software would not be used more broadly—either by the government when it decides it has other needs for this access, or by cybercriminals who will undoubtedly seek to acquire this software.
This is really about threatening the very foundation of cybersecurity on the Internet—keys and certificates. It’s about breaking the system of trust that certificates provide for all software and to the Internet! If the government gets to use Apple software authenticated with Apple code-signing certificates, it would be able to bypass the security that protects people’s personal data—contacts, financial information, health information, and so much more. Apple equates this to, “a master key, capable of opening hundreds of millions of locks.” This would let governments, and eventually cybercriminals, get control and hijack systems and data.
In that light, the FBI's request may set a precedent that’s not as much about breaking encryption as it is about breaking software. It's why Tim Cook responded: "The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers."
This tactic is similar to those that made the computer worm, Stuxnet, so successful. That attack used malware signed with valid certificates, which allowed the malicious software to run completely trusted.
One of the biggest advancements that Cook refers to is the system of trust established by keys and certificates—one that is increasingly being used as an attack vector by cybercriminals. Software runs the world. And in this world, it’s the role of certificates to know what is trusted or not, friend or foe—whether using TLS or code-signing.
The breaking of the trust model of certificates is a growing threat—something cybercriminals have actively been doing since the Stuxnet blueprint. But it’s much more important than just breaking encryption on one terrorist’s smartphone. It would represent an incredible escalation in the use of certificates as weapons. Experts from Intel to industry CIOs are predicting the next big hacker marketplace to be a place where stolen certificates are sold.
I fully support the government using subpoenas and warrants to obtain access to messages, activity, and other types of data that are stored. But running blanket and broad software on a device or getting access to a key for decryption will risk everyone’s privacy and security. If Apple is forced to create this backdoor, it would continue the current trajectory of online trust violations that are getting worse by the day.
In one hopeful turn of events, the chairman of the Senate Intelligence Committee, Richard Burr, decided against a proposal to criminalize firms that reject court orders to decrypt. However, Senator Burr is still weighing whether to propose more stringent rules around access to encrypted data—but at least this would not include criminal penalties.
This court order is just one example of how governments are hacking the internet. Another is the Chinese CNNIC certificate authority, which was implicated in an incident in Egypt involving an attempt to impersonate Google. Google and Mozilla responded swiftly to that attempt and permanently untrusted CNNIC.
However, Apple and Microsoft, with tens of billions of dollars in revenue from the Chinese market per quarter on the line, failed to take any action for months. Apple quietly decided to trust some of CNNIC's certificates while Microsoft took no action.
The incident was not covered widely by the media at the FBI’s request. Unfortunately, in the case of CNNIC, unlike now, Apple was neither swift nor public in its response, giving every appearance of prioritizing Chinese profits over the security and privacy of all iPhone, iPad, and Mac users worldwide.
It’s a welcome change to see Apple respond so quickly to the FBI’s request and hopefully they will do the same with future threats to the security and privacy of their customers.
So what does this mean for Global 5000 enterprises? I'd say knowing which keys and certificates you trust, and protecting those keys and certificates, becomes even more important, especially in a time when they are increasingly of interest to both governments and bad guys.
If the government gets code signed with Apple certificates on court order, it is pretty much hijacking the Internet—which is the lifeblood of your digital business. What’s next? Getting TLS keys and certificates on court order to decrypt? Internet hacked.
What do you think about the recent government actions that impact online trust? Do you agree with Apple’s refusal to comply with the court order?