For months Apple and the FBI engaged in a very public battle over efforts to unlock the handset belonging to Syed Rizwan Farook, the San Bernardino terrorist responsible for last December’s attack which left 14 people dead and 22 seriously injured. Apple argued that if it helped the FBI unlock the device by overriding security protocols that it could open a “Pandora’s Box” that could be exploited by hackers.

The FBI meanwhile argued that the handset might hold valuable information about the motives and planning behind the attack, and whether Farook was tied to any known terrorist cells.

To access the handset the FBI determined that it would take only 26 minutes to crack the four-digit PIN, but the challenge was that the Apple’s iPhone had a feature that wipes data stored on the device after 10 incorrect tries. A second security feature also steadily increased the time allowed between said attempts. For the FBI this meant that evidence was literally at its fingertips, but yet nearly impossible to access.

Each Side Makes the Case for Security

Over the winter the FBI called for Apple’s help, while the California-based tech giant responded that offering such help would be against the interest of its customers. As a result of the impasse, according to a report in The Washington Post,  the FBI turned to professionals who were able to use a previously unknown software flaw, along with a piece of hardware, to allow the FBI to access the iPhone.

“Breaking into an iPhone is not simple and, in this case at least, is a huge challenge even for a national government,” said Stephen Blum, principal analyst and founder of Tellus Venture Associates. “It’s a lot harder, say, than breaking into your house.”

In an ironic turn of events the Post also reported that the U.S. government will now have to consider whether it should, or will, disclose those software flaws to Apple.

is your iphone spying on you?

While the iPhone has become one of Apple’s most popular devices, and certainly revolutionized the smartphone market since it was introduced in 2007, it hasn’t been without issue. This latest undisclosed security flaw only shines the spotlight on the fact that the handset is far from the most secure platform on the market.

Last June, researchers from Indiana University, Peking University and Georgia Tech published a study that highlighted the security issues associated with the ways that apps communicate with one another on the iOS and OS X platforms, Time Magazine reported. Moreover, a report by Symantec in 2013 found that there were 387 security holes in iOS.

“From the first day it was released – nearly nine years ago now – hackers have been finding holes in the operating system, and Apple has been plugging them,” added Blum. “That’s the way software is developed. When you have millions of lines of code, there will be flaws – or, at least, what the maker considers flaws – and the hacker community will find them.”

The security flaws have not been the only privacy related issues that have plagued the iPhone. Last fall there were reports that the iPhone 6S shipped with an always-on listening mode for Siri voice commands. Apple responded that such concerns weren’t warranted as Siri was merely waiting for keywords, and not actually recording conversations, but this highlighted another privacy issue with the Apple device.

Cracking Encryption

Apple’s attempts to highlight the importance of encryption in its recent showdown with the FBI also served to cast a light on the growing concern over privacy vs. the need for law enforcement to be able to obtain evidence. While the FBI was able to call in help that doesn’t mean a master key has been created.

“A lot of the ability to crack specific devices is very, very specific to those devices,” said Jim Purtilo, professor of computer science at University of Maryland, and researcher of cyber security techniques. “If there are systemic ways to get into whole classes of phones then I’d be pretty surprised, but specific models – with all the unique software ‘upgrades’ and patches and tweaks they bring with them – also bring execution pathways that might be surprising to the developers, and thus trod by those who want alternative means in.”

Does this mean we are about to see a new “arms race” between the makers and breakers of encryption? That is a possibility.

“Encryption has always been an arms race,” added Purtilo. “One side seeks private and reliable communication, another wants it exposed or unreliable. That is the nature of it, so all that changes is the power of underlying platforms, the technology for fabrication and some algorithmic specifics.”

However, Christopher Burgess, CEO of Prevendra, a security, privacy and intelligence entity, countered that he would not actually go so far as to call it an arms race.

“It is a matter of resources willing to be expended,” said Burgess. “Government cryptologic security is rated in number of years before technology is assumed to have advanced to the point of rendering it insecure. The one-time-pad is unbreakable without access to the cipher key. There will always be an individual or entity willing to work on disabling any and all security controls or solutions in place. They wear both white and black hats.”

Hackers of all ilks will likely continually seek new ways to break into systems.

“The types of attacks often change over time,” explained Daniel Castro, vice president of the Information Technology and Innovation Foundation. “In the past attackers often went after buffer overflows, but now these types of attacks are largely prevented in the software development process. So the types of vulnerabilities are minimized over time as security researchers get better at addressing the underlying causes of vulnerabilities.”

The Master Key Concern

The FBI, along with other law enforcement agencies, called for the need for a master key that would enable investigators to unlock devices – thus bypassing the encryption. The argument was that such a key would only be used with a warrant, and would be no different from other efforts to obtain evidence.

“It is not unreasonable for law enforcement or government entities with appropriate legal needs – i.e., court orders, warrants and the like – to wish to have access to the personal information or activities of individuals, regardless of nationality,” said Burgess. “There is little concern of Apple creating a ‘master’ secret key for the government. Apple has stated their case, that doing such would undermine their trust with their customers.”

Even third-party efforts to create such a key are unlikely to be manifested.

“There are two risks with a third-party holding a key,” argued Castro. “One is that they lose it, and the second is that they abuse it.  In theory, Congress could setup a sufficient set of legal safeguards to prevent abuse. After all, we do this for other government powers, such as the authority to conduct physical searches or arrest people. But of course, getting those legal safeguards to work well is a nontrivial challenge itself.”

Market Implications

Should such a key exist it could also undermine a company’s efforts to market its product  – especially outside of the United States.

“Who in the world is going to use a USA-made or operated phone?” pondered Purtilo.”The vast majority of traffic of greatest interest to our national security is going to be driven further away from where it can be easily accessed – by us. We will be left with a big domestic surveillance industry that monitors the least pressing traffic – ordinary Americans.”

Such a device with a master key or back door likely wouldn’t find favor with our own government officials.

“Would U.S. government officials want to use a phone that has a back door?” Purtilo added. “We have already heard audio from State Department officials during negotiations in Europe, as intercepted by foreign states and then released. “How much more awkward will that be when those countries can work with manufacturers to figure out back doors into our official devices too.”

Related News

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.