A Bomb on a Leash

The idea of a controlled explosion comes to mind when I think about pending proceedings with Apple. The Department of Justice argues that a backdoored version of iOS can be controlled in that Apple’s existing security mechanisms can prevent it from blowing up any device other than Farook’s. This is quite true. The code signing and TSS signing mechanism used to install firmware have controls that can most certainly bind a firmware bundle to a given device UDID. What’s not true is the amount of real control and protection this provides.

Think of Apple’s signing mechanisms as a kind of “leash” if you will; they provide a means of digital rights management to control any payload delivered onto the device. Where the DOJ’s argument falls into error is that their focus is too much on this leash, and too little on the payload itself. The payload in this scenario is a modified version of iOS that has a direct line into a device’s security mechanisms to both disable them and manipulate them to rapidly brute force a passcode (remotely, mind you). It’s the electronic equivalent of an explosive for an iPhone that will blow the safe open (FBI’s analogy, not mine). What Apple is being forced to design, develop, test, validate, and protect is essentially a bomb on a leash.

The leash, as I’ve mentioned, is the DRM component of Apple’s firmware that allows them to restrict what payload gets delivered to a device. This is the equivalent of placing a GPS tracker on a nuclear bomb and then telling Congress that the bomb has been made safe because it can only be detonated over a specific country. In reality, the true danger is in the bomb itself, and the leash is irrelevant in the grand scheme of things. The danger with respect to this court order is in the development of Apple’s electronic bomb that is capable of dismantling all of the security of an iOS device. On the surface, it looks as if this payload is under control, but just like a real bomb, that leash can be easily removed. Even more crucial to consider, the bomb itself can be reverse engineered to make a new bomb without the leash. What are some ways in which the leash can be removed?

The first, and easiest way, to remove the leash is with a court order. As we’ve all since been forced to re-learn our understanding of sixth grade civics lately, we’ve found that our country really doesn’t have the constitutional government we thought it did. Court documents have flat out told us that certain factions within the government believe the Fourth Amendment actually grants the government powers of unlimited search and seizure, rather than protecting Americans’ rights against it. Apple is expected to create a bomb on a leash, and Americans are expected to believe that this leash will only be used for this one controlled explosion, and will never be removed by DOJ or by Congress in the future. We have seen only the opposite play out through history. Even just this week, it’s been reported that access to NSA dragnets would be made available to other agencies for non-terrorism related uses. The leash on that bomb was extended so that others could use the bomb for targets that weren’t originally even in the plans. Another example is the Stingray. These were once held on a tight military leash, then were gradually let out for federal agencies to use. Before much time, that leash has now virtually been removed so that any law enforcement agency can use a Stingray without a warrant. Leashes inevitably and consistently end up getting removed, yet they are used over and over again as the justification for dangerous projects that affect our civil liberties. Things will be no different with the bomb Apple is forced to create here, because history has proven that it will be no different.

Another way the leash can be removed from Apple’s bomb is through signing theft. The OPM data breach left the personal data of anyone who’s ever held a clearance exposed. Many of these individuals are likely to work for Apple with in either active or inactive clearances. Regardless of whether you’d need to kidnap one, five, or twenty Apple employees, possibly hundreds or even thousands have been compromised through this data breach, making this a possibility. Even worse than kidnapping, their families could be kidnapped. They could be blackmailed. There are ways these employees could be compromised and yet still show up for work the next day. Apple’s policy regarding such compromises is (rightly so) to give them anything they ask for. This leash could be removed by such means, and we’d never even know.

The third way the leash will be removed from this bomb is for domestic or foreign government agencies, or professional hacking teams, to reverse engineer the bomb when it leaks out – something I’ve already written is likely to happen as a result of standard court process. This direct line into the security architecture of iOS is the core of this explosive, and once it’s reverse engineered, a new bomb just like it can be made without the leash intact. Hacking teams like Pangu (who compromise the iPhone for profit to install a black market Chinese App Store), undoubtedly have the technical capability to fuse Apple’s code with one of the dozens of code execution exploits that get found in almost every release of iOS. Anyone with a few thousand dollars can take an exploitation class by one of a number of iOS hackers, with virtually no vetting and walk away with undisclosed code execution or other exploits to easily make this bomb work on its own.

The software that Apple is being forced to create is extremely dangerous – that’s what Tim Cook said at the very beginning of this. He wasn’t lying or being dramatic. The government has tried to shift the narrative to focusing on the leash, but the software here is the real bomb, and will rely on a very weak leash that can – and will – be removed. The bomb is where the courts and the general public should have their focus – the leash is insignificant.