What follows is a guest post from Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley:
Properly configured, an iOS device is perhaps the most secure, general purpose communication device available. The iPod Touch in particular is my preferred communication device for those who need to operate in an extremely hostile network such as China or France, and for most users, iOS is vastly more secure than Android.
Despite this, "best" does not mean "impregnable". The FBI claims that iPhones are "bricks" containing no useful information and Apple claims that iMessage is "end-to-end" secure. Neither is the case. A suspect's iPhone is hardly a brick, but rather a vast trove of information, and iMessage, rather than being an impenetrable fortress, is actually metadata-friendly and seems designed to support a backdoor.
The first reason an iPhone isn't a brick is that it is just that, a phone. The IMEI on the back is enough information for the FBI to find the phone's carrier and, with a simple warrant, gain a trove of information. Smart phones continuously communicate on the cellphone network, and Apple's Siri in particular will still use cellular connectivity even when on a WiFi network.
This allows the FBI to discover the phone's entire movement history as long as the phone was on. At a minimum, the cellular providers will provide tower-level information, localizing the phone within a few square kilometers on an effectively continuous basis. Yet we know some providers do even better: AT&T records the location of TRACPhone calls with 200m resolution. So unless the suspects already understood that the phone itself is an FBI tracking device and left it at home, the simple presence of an iPhone is a gift to investigators.
But what about information stored on the phone itself, such as Joe Jihobbiest's selfie with an ISIS flag? Unless the target knew how to set up his phone correctly, it's actually straightforward to arrest someone with an iPhone.
Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese. But many (perhaps most) users don't configure their phones right. Beyond just waiting for the suspect to unlock his phone, most people either use a weak 4-digit passcode (that can be brute-forced) or use the fingerprint reader (which the officer has a day to force the subject to use).
Furthermore, most iPhones have a lurking security landmine enabled by default: iCloud backup. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages! About the only information of value not included in this backup are the known WiFi networks and the suspect's email, but a suspect's email is a different warrant away anyway.
Finally, there is iMessage, whose "end-to-end" nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage's encryption does not obscure any metadata, and as the saying goes, "the Metadata is the Message". So with a warrant to Apple, the FBI can obtain all the information about every message sent and received except the message contents, including time, IP addresses, recipients, and the presence and size of attachments. Apple can’t hide this metadata, because Apple needs to use this metadata to deliver messages.
Now iMessage's cryptography should prevent all retrospective analysis of message contents, but the FBI’s complaining about this is strange. Nobody wants the postal service to steam open and photograph the inside of every letter just in case the FBI might want a copy (although the post office does record the outside of every letter). And if the suspect didn’t turn off iCloud backup, the old messages are available anyway.
But beyond this, there is a sin-of-omission in iMessage that enables Apple to support wiretapping iMessage. When Alice wants to send a message to Bob, Alice's iPhone contacts Apple's keyserver, a central authority which knows everyone's public keys, and asks "I am Alice, please tell me all my public keys" and "I am Alice, please tell me all of Bob's public keys". Then Alice's phone encrypts the message with all the public keys and sends the result to Apple, which forwards the encrypted messages onto everyone’s devices. Since only the devices know the corresponding private keys and not appleID, Apple claims this is "end-to-end" secure.
The reason why Alice's phone asks for Alice's keys as well as Bob's is to enable Alice to have multiple devices. In iMessage, each device has its own key, but it's important that the sent messages also show up on all of Alice's devices. The process of Alice requesting her own keys also acts as a way for Alice's phone to discover that there are new devices associated with Alice, effectively enabling Alice to check that her keys are correct and nobody has compromised her iCloud account to surreptitiously add another device.
But there remains a critical flaw: there is no user interface for Alice to discover (and therefore independently confirm) Bob's keys. Without this feature, there is no way for Alice to detect that an Apple keyserver gave her a different set of keys for Bob. Without such an interface, iMessage is "backdoor enabled" by design: the keyserver itself provides the backdoor.
So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future. A similar modification, adding an FBI key to every request Alice makes for any keys other than her own, enables tapping all messages sent by Alice. There are similar architectural vulnerabilities which enable tapping of "end-to-end secure" FaceTime calls.
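The check the interface lacks, sketched as an added example (not code from this post or from Apple): each party fingerprints the key set the keyserver shows them, and the two compare fingerprints out of band. The `KeyServer` class, the account names and the key bytes are hypothetical and constructed for illustration.

```python
import hashlib

class KeyServer:
    """Toy directory: maps an account to the public keys of its devices."""
    def __init__(self, directory, extra=None):
        self.directory = directory      # account -> list of device public keys
        self.extra = extra or {}        # account -> key shown to everyone but the owner

    def lookup(self, requester, account):
        keys = list(self.directory[account])
        # The behaviour the article describes: an additional key for `account`
        # is presented to every requester except the account owner.
        if account in self.extra and requester != account:
            keys.append(self.extra[account])
        return keys

def fingerprint(keys):
    """Order-independent digest of a key set, short enough to read aloud."""
    h = hashlib.sha256()
    for k in sorted(keys):
        h.update(len(k).to_bytes(4, "big") + k)   # length prefix avoids ambiguity
    return h.hexdigest()[:16]

def views_match(server, owner, peer):
    """Compare the owner's view of their own keys with the peer's view of them.
    In practice the two fingerprints would be exchanged out of band."""
    own_view = fingerprint(server.lookup(owner, owner))
    peer_view = fingerprint(server.lookup(peer, owner))
    return own_view == peer_view

# Constructed sample keys (placeholders, not real key material).
DIRECTORY = {
    "alice": [b"alice-phone-pub", b"alice-laptop-pub"],
    "bob": [b"bob-phone-pub"],
}
honest = KeyServer(DIRECTORY)
modified = KeyServer(DIRECTORY, extra={"alice": b"third-party-pub"})

if __name__ == "__main__":
    print("honest server, views match:  ", views_match(honest, "alice", "bob"))
    print("modified server, views match:", views_match(modified, "alice", "bob"))
```

Alice's own lookup looks identical under both servers, which is why only a comparison between her view and Bob's exposes the extra key.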
This may be why Apple has become the focus of the FBI's ire (which is already used to obtaining SMS and Google chat messages with a simple warrant): Apple’s architecture for iMessage supports wiretapping, yet Apple refuses to support the FBI. If I were in Director Comey’s position I would be angry with Apple's refusal to cooperate. Apple doesn't need to engineer a backdoor into iMessage; they simply need to either enable or publicly close the backdoor in key distribution that already exists! If we believe Apple's public statements, they've chosen to do neither.
Or perhaps (putting on an oh-so-fashionable tin-foil fedora) this is all a fraudulent dance between Apple and the FBI, as Apple simply doesn't want to admit that they are already tapping iMessage for the FBI or NSA and so simply want the Washington DC noise machine to obscure this architectural defect that makes iMessage anything but "end-to-end secure" lest any other intelligence or police agency demand similar access.
I still like iPhones, I still use and recommend iPhones, and iMessage remains perhaps the best usable covert communication channel available today if your adversary can’t compromise Apple. Yet setting up an iPhone properly is no easy task and if one desires confidentiality, I think the only role for iMessage is instructing someone how to use Signal.
Nicholas Weaver is a computer security researcher at the International Computer Science Institute in Berkeley. All opinions are his own.