On Ribbons and Ribbon Cutters

With most non-technical people struggling to make sense of the battle between FBI and Apple, Bill Gates introduced an excellent analogy to explain cryptography to the average non-geek. Gates used the analogy of encryption as a “ribbon around a hard drive”. Good encryption is more like a chastity belt, but since Farook decided to use a weak passcode, I think it’s fair here to call it a ribbon. In any case, lets go with Gates’ ribbon analogy.

Where Gates is wrong is that the courts are not ordering Apple to simply cut the ribbon. In fact, I think there would be more in the tech sector who would support Apple simply breaking the weak password that Farook chose to use if this had been the case. Apple’s encryption is virtually unbreakable when you use a strong alphanumeric passcode, and so by choosing to use a numeric pin, you get what you deserve.

Instead of cutting the ribbon, which would be a much simpler task, the courts are ordering Apple to invent a ribbon cutter – a forensic tool capable of cutting the ribbon for FBI, and is promising to use it on just this one phone. In reality, there’s already a line beginning to form behind Comey should he get his way. NY DA Cy Vance has stated that NYC has 175 iPhones waiting to be unlocked (which translates to roughly 1/10th of 1% of all crime in NYC for an entire year). Documents have also shown DOJ has over a dozen more such requests pending. If the promise of “just this one phone” were authentic, there would be no need to order Apple to make this ribbon cutter; they’d simply tell them to cut the ribbon.

Why has the government waited this long to order such a thing? Because in spite of all of iOS 8’s security, the Chinese invented a ribbon cutter for it called the IP BOX. IP BOX was capable of brute forcing any numeric passcode in iOS 8, and even though it was junky, Chinese-made hardware with zero forensic credibility (and actually called home to servers in China), our government used it widely to break into iOS devices without Apple’s help. The government has really gone dumpster diving for forensic solutions for iOS. This ribbon cutter was used by both law enforcement and anyone with $200 to break into iOS devices, and is a great example of how such a ribbon cutter is often abused for crime.

So here’s the real question: Why is the government demanding the invention of a ribbon cutter instead of just asking Apple to cut the ribbon? Well the answer to that comes back to precedent. If the courts can order the development of this ribbon cutter, Cy Vance’s 175 phones will be much easier to push through the courts without the same level of scrutiny as a terrorism case. If FBI were simply asking the courts to force Apple to cut the ribbon, all future AWA orders would have to go through the same legal scrutiny in the courts for justification. Getting the ribbon cutter invented for a terrorism case opens the door for such a tool to then be justified by the DA for weaker cases – such as narcotics, computer crimes, or even simply investigations where the government can’t even prove to the courts that a crime was ever committed. Once it’s a tool, just like a Stingray box or a breathalyzer, the court’s leniency in permitting its use increases dramatically.

The existence of a ribbon cutter is really only the first stepping stone in breathing a whole suite of forensic modules into existence, as I mentioned in another blog post. If you simply ask Apple to cut the ribbon, you have nothing to build on when expanding future requests for information from iPhone 6 devices, and the next generation.

Also consider that the courts aren’t about to force Apple to hack into their own customer products. In fact, the customer purchased these products trusting that the manufacturer wouldn’t – even couldn’t – intentionally compromise them; ever since iOS 8, Apple has marketed these devices as so secure that Apple themselves cannot hack them. For Apple to be forced to backdoor their own devices would invite countless lawsuits from their own customers, betray consumer trust, and likely cost Apple millions, if not billions, in sales depending on how big of a PR nightmare it created. The courts, however, appear to be OK with forcing Apple to write what is being portrayed as an innocent, fluffy tool for just this one device.

In reality, the backdoor that is being ordered is incredibly dangerous. Once the backdoor is created, it can be used on over half a billion devices at the whim of the courts – both in this country, and in China, or other countries that oppress human rights. It will weaken our own national security and create an incredibly tangled legal web for Apple to fight through with every other country that follows in the US’ footsteps. While the analogy of a ribbon is easy to understand, the implications are far more serious than the frilly ribbon you probably think of.