This Social Network Lets You Hire a Follower to Follow Your Every Move for One Day
February 20, 2016
‘Project Shield’ by Google to the Rescue; One News Site at a Time
February 27, 2016
Show all

Do We Really Need to Encrypt Our Phones?

In the midst of all the Apple versus FBI commotion which witnessed many major companies such as Facebook, Google and Whatsapp standing steadfast by Apple’s side to defend the right consumers’ right to encryption, you may be wondering; how important is encryption really that it has caused such a massive encryption battle in the industry?

After the San Bernardino shootings which left the FBI desperate to break into terror suspect, Syed Farook’s iPhone 5C in hopes to access data and information relating to the case, Apple made a controversial but brave decision to refuse comply to comply with the court-ordered iPhone backdoor. Apple CEO Tim Cook has called the request “an unprecedented step which threatens the security of our customers”, but how important could encryptions be for our phones that Apple would rather take a step back from aiding the FBI and seemingly ‘refuse to unlock a murderer’s phone’?

 

How mobile device encryption works

Apple does not allow users to manipulate its encryption settings per sei, but a lot of information does get encrypted when a user enables the passcode protection. Mobile device encryption would store your phone’s data in an unreadable, scrambled format. When the phone is switched on, you’ll have to enter the encryption PIN or password, which is the same as your phone’s lock-screen PIN or password. Your phone uses your PIN or password to decrypt your data, making it understandable. If someone who does not have your encryption PIN or password, they will not be able to access your data. Mobile encryption is ideal if your phone contains particularly sensitive data. For instance, a large corporation with sensitive business data on their company mobiles would most likely need encryption to protect that data from corporate espionage.

Tech Target explains how on every Apple device (since the iPhone 3GS) has had an encrypted file system, whereby this file system is written to flash memory and contains both operating system and user data. Apple iOS devices scramble everything written to flash, and then unscramble anything later read back into main memory. The encryption keys Apple’s hardware adopts combine factory-assigned unique device and group IDs with each device’s current passcode. When the Apple device is locked, data and applications remain encrypted until the passcode is entered, after which anything you access is auto-decrypted for use or display, until the device relocks itself due to inactivity.

 

What the FBI wants from Apple

Apple’s mobile encryption however only allows for 10 incorrect tries while inputting the passcode before it wipes all data off the phone. For this reason, the FBI is asking for Apple’s assistance to disable this feature in order to alter the Apple-coded limits to the PIN input system, which would be attempted to crack through ‘brute-force attacks’ by attempting tens of thousands of combinations without risking the deletion of the data.

According to Ars Technica, these PINS are very highly susceptible to brute-force attacks, which is the exact reason why Apple came up with security features to combat what the FBI are attempting to carry out. The 3 security features are:

1) Apple’s iPhone imposes escalating time delays between PIN attempts. The first four attempts can be entered back-to-back, but the fifth attempt requires you to wait one minute, the sixth attempt five minutes, 15 minutes before the seventh and eighth, and a full hour before the ninth.

2) The second technique (as mentioned before) is that the iPhone can be configured to wipe the device after ten failed PIN attempts. When this feature is activated, the phone will discard its file system key after 10 bad PINs, rendering all the file system metadata (including the per-file keys) permanently inaccessible.

by Macobserver

(Source: Mac Observer)

3) The third security feature is that the computation used to derive the PIN key from the PIN itself is slow, taking approximately 80 milliseconds. Unlocking the phone depends on how long the passcode is. If it’s made of just six numbers (what Apple suggests by default), it would require less than a day, given that the iPhone’s hardware allows roughly 12 guesses per second (one every 80 milliseconds).

Rob Graham

Source: Rob Graham

Essentially, what the FBI is asking from Apple is to create a custom iPhone firmware that removes the escalating delays and omits the device wipe. However, the FBI has also taken the liberty to asking Apple for a way to enter PINs other than typing them in one after the other on the touchscreen. Therefore, the FBI wants Apple to make a special version of iOS that is open to brute-force attacks on its PIN.

 

The right to privacy

“This is what separates us from communism, isn’t it?” said Carole Adams, mother of a San Bernardino victim. “This is what makes America great to begin with, that we abide by a constitution that gives us the right of privacy…”. When even a victim’s mother sides with Apple that personal privacy trumps the feds’ demands for new software to break into iPhones, even if it was the phone of her son’s killer, should we not be sitting up and taking the issue of our privacy seriously too?

As outlined by Tim Cook in a letter to Apple’s customers, encryption needs to exist for the main reason of preserving all the customers’ privacy and security. It cannot be expected that weakening encryption or creating backdoors to encrypted devices for use by the good guys only to be possible. As stated by Cook in his chapter on the need for encryption:

“Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.

All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.

Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.

For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”

 

Even a factory reset on your phone leaves data traces

The problem with our privacy and security is that it can be so easily exploited given the right hacker with the skills. Even erasing or a full factory reset still leaves traces of data behind on a phone in which someone could easily recover data from your old devices, including emails, texts, photos, social security numbers and more. Which is why if you are planning to sell your phone or even pass it along to a friend, it is not enough to just ‘wipe it clean’, but rather encrypt it before resetting it. When you encrypt a phone, you are forcing a change to every chunk of memory available, and basically scramble everything.

The scary revelation of unencrypted phones containing remnants of owners’ information was highlighted in an investigation by Avast. What the Avast team found was that from their purchase of 20 used phones off eBay, the amount of recovered data was so astonishingly easy to retrieve through available recovery software to restore the deleted files.

What their analysts found:

avast1

(Source: Avast)

With these scary prospects of what all the baddies could do with that kind of information on us, clearly, it is simply not enough to just delete our data, and this should scare us enough to have us rushing off to encrypt our mobiles.

 

Sources

[1] Apple

[2] Motherboard

[3] Ars Technica

[4] Avast

[5] Popular Mechanics

Leave a Reply

Your email address will not be published. Required fields are marked *