The FBI's fight with Apple over access to a dead terrorist's locked iPhone could undermine software security for banks and their vendors and complicate business in other ways.
As most readers know by now, the government has demanded that Apple create software that the FBI could use to try to crack open the iPhone of Syed Rizwan Farook, one of the San Bernardino shooters. Apple is resisting the order, arguing that it's tantamount to giving the FBI a master key that it could use to open other iPhones.
Regulators and other government agencies have long required companies to provide access to information for investigations, often secretly. The Apple-FBI case is unique, though, in that the FBI is asking for more than access to information. It's demanding that Apple create new code that could be used to bypass access controls built into the phone's operating system.
-
The precedent set in the ongoing battle between Apple and the FBI over custom access to a device in question opens up unsettling risks on privacy and security.
February 24 -
New York State's interim bank superintendent is asking pointed questions of a new instant messaging service. The outcome of the inquiry could broadly affect the way vendors work with regulators.
July 22 -
Symphony, the instant messaging service supported by fifteen large banks, says it will be ready to roll on Sept. 15 despite the objections of Sen. Elizabeth Warren and regulators who fear its encryption technology will impede supervision.
September 1 -
Bank regulators will stiffen their requirements and identity theft will escalate, but banks will toughen up their defenses.
January 5
"They're not just asking Apple to give them something they have. They're compelling them to create something they don't already have," said David Weiss, senior analyst at Aite Group who focuses on banking and capital markets. "That doesn't happen in our world too much. They're compelling them to create a back door that could be reverse engineered" and used again in other contexts.
Among the many problems with this, the fallout from the case could hamper banks' ability to use secure software for communications and other tasks.
"The technology community is afraid that the precedent will limit what sorts of security features it can offer customers," wrote security expert Bruce Schneier in a recent
A reusable back door like the one the FBI has asked Apple for could not only be used covertly by governments, but exploited by criminals, noted Stephen Cobb, senior security researcher at ESET, a provider of antivirus and security software. "Perhaps the best thing about this case right now is that it has engaged the public in a much-needed debate to a greater extent than anything since Snowden," he said.
The case could also affect banks' ability to do business internationally if it causes European leaders to nix a proposed deal that would let U.S businesses import customer data from across the Atlantic. "If the FBI gets what it wants, it will further bifurcate the U.S. from Europe and presumably from Asia," Weiss said.
And it could affect banks' ability to buy cloud services. "You'll have stronger domicile rules," Weiss said, referring to foreign countries' privacy and security regulations, "and that will chill what you do on Amazon Web Services. Where's your AWS server?"
Background on Back Doors
The tug of war between the government officials who want easy access to information to go after terrorists, money launderers and other criminals and the technology providers that want to sell secure, privacy-protected products has intensified as vendors have tried to strengthen the security of their offerings — sometimes, ironically, at the urging of bank regulators — in response to the ever-growing problem of cybercrime. One of American Banker's
There are a lot of back doors out there. Verizon and AT&T, for instance, provide the government with access to phone calls on their networks on an ongoing basis. They have to, under the Communications Assistance for Law Enforcement Act.
Congress passed CALEA in 1994 to require telephone companies to make their phones and systems wiretap-ready to execute court orders. It provided an exception for Internet protocol communications.
"That exception helped the Internet grow tremendously, because software and hardware for the Internet doesn't have to go through an FBI approval process," said Peter Swire, professor and privacy expert at Georgia Tech's Scheller College of Business. "But now the FBI encounters difficulty sometimes. The iPhone case is an example."
Closer to home for financial institutions, Bloomberg reportedly provided regulators with
Banks, too, are of course compelled to give regulators access to customer and employee records when asked. A purist might not call this a back door, but it produces the same result.
"If bank regulators or law enforcement want to gain access, they can go to the IT department and respond to court orders when they receive them," Swire said.
"Regulators worry about insider trading, and fully encrypted messages are a fabulous way to trade inside information," he said. "There are many special reasons to have financial records open to regulators because of the different ways fraud or other crimes have occurred."
Most banks use mobile device management programs for corporate phones; these programs can be used to unlock a phone's passcode restriction. (San Bernardino County, which employed Farook and issued his phone,
"The big conflicts come when government wants access to an individual phone that doesn't have a corporate IT manager," Swire said.
In a case similar to Apple vs. FBI, last year a bank-backed startup called
Unintended Consequences?
Regardless of whether there's useful information on Farook's phone, once the FBI had the proposed firmware in its possession, it could use it to open other iPhones of a similar vintage (Farook's was an iPhone 5c running iOS 9).
"In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone's physical possession," Apple CEO Tim Cook said in an open letter to customers.
Specifically, the FBI is asking Apple to write software to override an operating system feature that automatically deletes phone data after 10 failed logins and a feature that shuts down the phone if passwords are typed in too quickly in succession. Both elements are designed to block brute-force attacks, in which software automatically punches in PIN after PIN until it stumbles on the correct one. (For a four-digit password, there are 10,000 possibilities, which software could run through in short order.)
The FBI claims it only wants to use the firmware for one phone, Farook's. "We don't want to break anyone's encryption or set a master key loose on the land," FBI Director James Comey wrote in an
It's not a given that once the FBI has the special software, it will be accessible to criminal hackers. But over the past couple of years, the federal government has repeatedly demonstrated its incompetence at protecting personally identifiable information with breaches at the IRS, the U.S. Postal Service and the Office of Personnel Management.
The root of the problem here is that, between the Edward Snowden revelations about NSA surveillance and multiple massive data breaches, the government has severely diminished the trust that people once had in it. Giving the FBI a reusable back door to iPhones is a dangerous idea.
Editor at Large Penny Crosman welcomes feedback at
