Home iOS Details of how the feds broke into iPhones should shake up enterprise...

Details of how the feds broke into iPhones should shake up enterprise IT

86
6

Apple has an awkward history with security researchers: it wants to tout that its security is excellent, which means trying to silence those who aim to prove otherwise. But those attempts to fight security researchers who sell their information to anyone other than Apple undercuts the company’s security message.

A recent piece in The Washington Post spilled the details behind Apple’s legendary fight with the U.S. government in 2016, when the Justice Department pushed Apple to create a security backdoor related to the iPhone used by a terrorist in the San Bernardino shooting. Apple refused; the government pursued it in court. Then when the government found a security researcher who offered a way to bypass Apple security, the government abandoned its legal fight. The exploit worked and, anticlimactically, nothing of value to the government was found on the device.

All of that is known, but the Post piece details the exploit the government purchased for $900,000. It involved a hole in open-source code from Mozilla that Apple had used to permit accessories to be plugged into an iPhone’s lightning port. That was the phone’s Achilles Heel. (Note: No need to worry now; the vulnerability has long since been patched by Mozilla, rendering the exploit useless.)

The Apple security feature that frustrated the government was a defense against brute force attacks. The iPhone simply deleted all data after 10 failed login attempts.

One threat researcher “created an exploit that enabled initial access to the phone — a foot in the door. Then he hitched it to another exploit that permitted greater maneuverability. And then he linked that to a final exploit that another Azimuth researcher had already created for iPhones, giving him full control over the phone’s core processor — the brains of the device,” the Post reported. “From there, he wrote software that rapidly tried all combinations of the passcode, bypassing other features, such as the one that erased data after 10 incorrect tries.”

Given all of this, what is the bottom line for IT and Security? It’s a bit tricky.

From one perspective, the takeaway is an enterprise can’t trust any consumer-grade mobile device (Android and iOS devices may have different security issues, but they both have substantial security issues) without layering on the enterprise’s own security mechanisms. From a more pragmatic perspective, no device anywhere delivers perfect security and some mobile devices — iOS more than Android — do a pretty good job.

Mobile devices do deliver very low-cost identity efforts, given integrated biometrics. (Today, it’s almost all facial recognition, but I am hoping for the return of fingerprint and — please, please, please — the addition of retinal scan, which is a far better biometric method than finger or face.)

Copyright © 2021 IDG Communications, Inc.

6 COMMENTS

  1. 422168 778880Im so pleased to read this. This really is the type of manual that needs to be given and not the accidental misinformation thats at the other blogs. Appreciate your sharing this greatest doc. 57450

  2. 209481 935002Pretty part of content material. I just stumbled upon your weblog and in accession capital to assert that I get in fact loved account your weblog posts. Any way Ill be subscribing on your feeds or even I success you access constantly quick. 409572

  3. 629780 362713But wanna admit that this is really useful , Thanks for taking your time to write this. 12341

  4. 212665 289255Hey, you used to write wonderful, but the last few posts have been kinda boring I miss your tremendous writings. Past few posts are just a little out of track! come on! 37254

LEAVE A REPLY

Please enter your comment!
Please enter your name here