Skip to main content
banner image
venafi logo

Internet Hijacked: If Hacked by Government Access Using Apple Code-signing Certificates

Internet Hijacked: If Hacked by Government Access Using Apple Code-signing Certificates

generic_blog_banner_image
February 19, 2016 | Kevin Bocek
Key Takeaways
  • Watch Kevin Bocek discuss the issue on CNN
  • Based on a court order, the FBI has asked Apple to create a backdoor and Apple has refused
  • The backdoor would be a new Apple operating system authenticated with Apple code-signing certificates
  • This is not about decrypting one device—it’s about breaking the system of trust that certificates provide for all software
  • There’s no guarantee that ‘signed’ software requested by the FBI would not then be used again by governments or usurped by cybercriminals
  • For the Global 5000, this debate demonstrates why knowing which keys and certificates you use, which ones you trust, and protecting them is now more important than ever

The FBI wants Apple to break our system of trust

A California magistrate has ordered Apple to help the FBI gain access to an iPhone that was used by one of the terrorists in the 2015 San Bernardino shooting. To achieve this, the FBI has asked Apple to create a backdoor. Apple has refused, adamantly.  Of course Apple wants to support investigative efforts in this horrible crime. But what the FBI is asking has ramifications that extend far beyond this one case.

Venafi supports Apple’s decision to oppose the FBI’s order. Complying would break the system of trust used for over 20 years to secure the Internet. By requesting the use of Apple certificates, the government is essentially hijacking the internet, hacking users, and undermining decades of security advancements.

Not just access to one device—FBI request hijacks internet security

In a nutshell, the FBI has asked that Apple create a new version of its operating system that would bypass many security controls. The FBI wants Apple to sign the software with Apple's certificate that will then run what the FBI refers to as a “signed iPhone Software file” which would be trusted on any iPhone. This file would update the phone to the new operating system that is designed to bypass security that keeps the data on that phone confidential.

Although this has been requested to gain access to one particular device, this can’t be viewed as a mechanism to decrypt one device used by one terrorist. Once created, there is no way to ensure this software would not be used more broadly—either by the government when it decides it has other needs for this access, or by cybercriminals who will undoubtedly seek to acquire this software.

This is really about threatening the very foundation of cybersecurity on the Internet—keys and certificates. It’s about breaking the system of trust that certificates provide for all software and to the Internet! If the government gets to use Apple software authenticated with Apple code-signing certificates, it would be able to bypass the security that protects people’s personal data—contacts, financial information, health information, and so much more. Apple equates this to, “a master key, capable of opening hundreds of millions of locks.” This would let governments, and eventually cybercriminals, get control and hijack systems and data. 

It’s not just breaking encryption, it’s breaking trust

In that light, the FBI's request may set a precedent that’s not as much about breaking encryption as it is about breaking software. It's why Tim Cook responded: "The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers."

This tactic is similar to those that made the computer worm, Stuxnet, so successful. That attack used malware signed with valid certificates, which allowed the malicious software to run completely trusted.

FBI request hijacks internet security

We need to defend the foundation of cybersecurity

One of the biggest advancements that Cook refers to is the system of trust established by keys and certificates—one that is increasingly being used as an attack vector by cybercriminals. Software runs the world. And in this world, it’s the role of certificates to know what is trusted or not, friend or foe—whether using TLS or code-signing.

The breaking of the trust model of certificates is a growing threat—something cybercriminals having actively been doing since the Stuxnet blueprint. But it’s much more important than just breaking encryption on one terrorist’s smartphone. It would represent an incredible escalation in the use of certificates as weapons. Experts from Intel to industry CIOs are predicting the next big hacker marketplace to be a place where stolen certificates are sold.

I fully support the government using subpoenas and warrants to obtain access to messages, activity, and other types of data that is stored. But running blanket and broad software on a device or getting access to a key for decryption will risk everyone’s privacy and security. If Apple is forced to create this backdoor, it would continue the current trajectory of online trust violations that are getting worse by the day.  

In one hopeful turn of events, the chairman of the Senate Intelligence Committee, Richard Burr, decided against a proposal to criminalize firms that reject court orders to decrypt. However, Senator Burr is still weighing whether to propose more stringent rules around access to encrypted data—but at least this would not include criminal penalties.

Governments are hacking the internet in more ways than one

This court order is just one example of how governments are hacking the internet. Another is the Chinese CNNIC certificate authority, which was implicated in an incident in Egypt to impersonate Google—an attempt that Google and Mozilla swiftly responded to and permanently untrusted CNNIC.

However, Apple and Microsoft, with tens of billions of dollars in revenue from the Chinese market per quarter on the line, failed to take any action for months. Apple quietly decided to trust some of CNNIC certificates while Microsoft took no action.

The incident was not covered widely by the media at the FBI’s request. Unfortunately, in the case of CNNIC, unlike now, Apple was neither swift nor public in its response, leaving all the appearances of prioritizing Chinese profits over the security and privacy of all iPhone, iPad, and Mac users worldwide.

It’s a welcome change to see Apple respond so quickly to the FBI’s request and hopefully they will do the same with future threats to the security and privacy of their customers.

How this impacts enterprises

So what does this mean for Global 5000 enterprises? I'd say knowing which keys and certificates you trust, and protecting those keys and certificate becomes even more important, especially in a time when they are increasingly of interest to both governments and bad guys.

If the government gets code signed with Apple certificates on court order, it is pretty much hijacking the Internet—which is the lifeblood of your digital business. What’s next? Getting TLS keys and certificates on court order to decrypt? Internet hacked.

What do you think about the recent government actions that impact online trust? Do you agree with Apple’s refusal to comply with the court order?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CA Agility: What Should Security Leaders Do Next?

Maximizing Your CA Agility: Why This Issue Is So Important Right Now

new Venafi technology network

Venafi Technology Network Changes the Way Machine Identities Are Protected

About the author

Kevin Bocek
Kevin Bocek

Kevin Bocek writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat