FBI should learn how to hack phones themselves, cybersecurity expert says

Having tech companies develop loopholes for government agencies would put America’s security at risk.

On 1 March 2016, cybersecurity expert Susan Landau tesSusan Landautified at a Congressional  hearing on encryption. Due to the recent dispute between the FBI and Apple, she spoke about the risks involved in unlocking the phone of San Bernardino attacker, Syed Rizwan Farook, cybersecurity, and more.

We speak with Landau, the professor of cybersecurity at Worcester Polytechnic Institute.

ResearchGate: What’s your opinion on Apple’s recent stand-off with the FBI?

Susan Landau: Apple has been working carefully to secure the data on customers’ phones. Most security experts consider iOS to be the most secure platform – the last thing we should be doing is weaken it or undermine efforts in security. This will happen if the District Court decision is upheld. It will bring potentially severe adverse cybersecurity consequences. It’s hard to say how the case will play out. The issue is most likely to move to Congress and how it will act remains unclear. The fact that various members of the defense establishment are strongly in support of securing the civilian sector will be an important factor.

RG: What are the risks to building a “back door” to encrypted data?

Landau: Apple is requested to build a device-specific software update for law enforcement purposes. This won’t be the only time the company’s asked to provide this technology. The Manhattan District Attorney has 175-200 phones waiting in the wings to investigate next. Apple will need to sign each version of the code (signing assures the phone that the update comes from Apple) to assist with these frequent searches, and that’s where the problem arises. This signing process is not hard in itself, but because it is rare, it is currently highly scrutinized. If it were to become every day and routine, which appears likely, then scrutiny diminishes and rogue requests from sophisticated criminals could easily be slipped into the queue.

This could lead to another issue – lack of public trust. If it becomes easy to subvert Apple’s sign-off process and thus download malware onto customers’ devices, people will grow wary of using the phones. They may hesitate to accept automatic updates on their phones to correct flaws. Patching is one of the few success stories of cybersecurity, so the likely impact of this would be disastrous.

Finally, by cooperating with this request in the US, there is no question Apple will also receive demands from authoritarian governments in countries including from China, Russia, you name it.

“The FBI continue to remain focused on investigations rather than prevention.”

RG: Why has this happened? What important factors have given rise to this debate?

Landau: Law enforcement continues to see electronic surveillance in 20th century terms, and use 20th century investigative thinking in a 21st century world. The way we use our phones today is very different than a decade ago. Smartphones now hold a lot of highly sensitive information, including personal (photos, notes, calendars and contacts), financial and proprietary data. Also, phones do not only provide access to online accounts, they’re often used as a “second factor” for authentication into these accounts.

Over the last dozen years, the FBI has sought to extend the Communications Assistance Law Enforcement Act (CALEA) to the internet, and now to the issues of locked devices. They are trying to access the data without thinking about all these other uses phones are put to; without thinking about whether the security trumps the need of the investigation; without thinking about whether it’s time to carry about their investigations differently.  The FBI continue to remain focused on investigations rather than prevention.

RG: How would you recommend this issue be solved?

Landau: Apple has engineered excellent security for the iPhone, but workarounds do exist. The FBI can access the encrypted data without having Apple create an update that circumvents its security protections. But the FBI wants it to be easy – they want Apple to provide the technology. That’s not the right way to proceed here because such an approach creates security risks.

The best way going forward is for the FBI to develop the expertise to go after phones and conversations, instead of expecting the technologists to build their systems in a way that makes it easy. Law enforcement must develop the capability for conducting such investigations themselves. They should have teams that know how to go after certain devices and types of configurations; they should be involved in the research domain, going to conferences and being aware of what’s in the R&D pipeline. This is the way that does not put our national security at risk. It enables law enforcement investigations while encouraging industry to do all it can to develop better, more effective technologies for securing data and devices. This is a win/win, and where we should be going – where we should have been going 20 years ago already.

"The FBI wants it to be easy – they want Apple to provide the technology."

RG: Why hasn’t this happened yet?

Landau: I cited an article in my testimony by Seymour Hersh, who wrote about the NSA in the 2000s. He said the NSA were in a terrible state: they had not kept up with the explosive growth of the internet and didn’t have computer scientists at the level at which they needed. No one would make the claim today about the NSA’s ability to carry out investigations. The agency obviously figured out what they needed to do and scaled up on it. It doesn’t appear that the FBI had the same realization at that point, and now we are where we are.

RG: The Department of Justice has accused Apple’s stance as a marketing stunt. To what extent is it one, and does this matter?

Landau: I think that such an accusation is completely inappropriate given the aid that Apple has already given the FBI in this, as well as in multiple other cases. Besides that, I can’t say it better than Apple's counsel Bruce Sewell did during the verbal testimony on March 1. He said something like: “We don’t put up billboards saying ‘Buy Apple, it’s secure.’ We’re not using security as a marketing differentiator. It’s a responsibility for our customers.”

Image courtesy of iphonedigital.