Based in silicon valley, california, security brief is a blog by chris louie. his posts discuss current information security affairs

Pandora's Box: Data Privacy in the Modern Age

Pandora's Box: Data Privacy in the Modern Age

I just completed David Sanger’s “A Perfect Weapon” (amazing read, by the way) where he discussed in great detail the facts and circumstances surrounding the FBI’s request to unlock the employer-owned iPhone 5c that belonged to Rizwan Farook, the San Bernardino terrorist who murdered 14 of his co-workers before being killed in a police shoot-out.  According to people familiar with the investigation, the FBI asked the US NSA to use any known exploits and methods to access the device’s contents in order to examine them to find out if the perpetrators of the attacks had any outside help and if they were part of a bigger plot.  Since both attackers were dead, there was no one to interrogate and the phone was their last hope.  Our friends at Fort Meade were either unable or unwilling to assist in unlocking the phone without the passcode (speculation exists that if they did unlock the phone, they would have tipped their hand to America’s adversaries that we possess the technology to do so).  The FBI sought a court order to force Apple to develop a custom firmware to disable several security features of the phone, including the failsafe to delete all data on the device after 10 unsuccessful unlock attempts.  In the end, the FBI dropped its suit after it was able to hire Israeli firm Cellebrite to successfully unlock the phone.  Due to this case, former FBI director James Comey made the plea that Apple and other technology companies needed to program a method to access data on encrypted devices in the event a child was kidnapped and a smartphone was the only way to locate them.  Apple’s CEO Tim Cook rightly rebutted that if a skeleton key or backdoor was introduced into their ecosystem, it would create systemic weakness and that skeleton key would be the most highly sought after digital asset in the world.  The Shadow Brokers and Vault 7 leaks prove that even the most closely guarded secrets, even those held by the US government cannot be successfully protected.  

A master key to unlock every Apple Device would be the ultimate Mcguffin

A master key to unlock every Apple Device would be the ultimate Mcguffin

This event and several like it created one of the most complicated and divisive issues regarding data privacy.  20 years ago, criminals could store secrets in a safe and even without the combination, a safe cracker or brute force could open that safe and examine its contents.  With today’s encryption methods, failsafes, and limitations of computing power, it would be nearly impossible for a law enforcement agency to access encrypted data without some type of operational security lapse or side channel attack.  The alleged mastermind and owner of The Silk Road, a marketplace for illicit goods, was arrested in a San Francisco library and agents swooped in only after he opened and unlocked his laptop in order to be able to access its contents.  Encryption is a dual-use good, providing people the ability to keep private data private, but also allowing criminals to conceal their activities from law enforcement officials.  Some say this is the price to be paid for a free society.  Just this month, two Five Eyes governments went in two very different directions regarding data privacy.

Dread Pirate Robert was caught in a San Francisco library after unlocking his laptop

Dread Pirate Robert was caught in a San Francisco library after unlocking his laptop

Australia passed the so-called “Anti-encryption” bill requiring technology companies to perform certain actions to allow access to encrypted personal data or face a fine.  The Australian government argued on national security grounds to fight serious crime and that it needs access to encrypted personal data in order to prevent the next terrorist attack, stop human trafficking and child exploitation, catch tax evaders, and the like.  The law requires technology companies to comply with one of three government requests: voluntarily provide personal information, access personal information using existing means, or develop new technologies to decrypt normally encrypted communications.  Each level of request would require a higher threshold of evidence and need to become more targeted (specific device belonging to a specific person).  Lawmakers argued that the bill would not force a "systemic weakness" or "systemic backdoor” for all devices, but implement measures to make it easier for the government to lawful access to information.

At the same time when Australia was arguing for methods for the government to access encrypted communications, a United States judge ruled that law enforcement agencies cannot force people to unlock their phones using a fingerprint or facial scan.  In the US, citizens enjoy protections under the Fifth Amendment against self-incrimination.  Historically, protections against self-incrimination were related to the use of torture to extract information and confessions, but it was so important to the founders of the US that they included it in the Constitution’s Bill of Rights.  The judge also made mention that the information the police were seeking was available through other means (via subpoena to Facebook), that forcing a user to unlock their phone with fingerprint or facial scan was an overreach of authority.  As recent as 2017, a US judge declared that passwords to accounts to not receive fifth amendment protection, setting the state for a fight in the Supreme Court.  

FaceID introduced a more secure and convenient way to unlock the iPhone, but is prone to duress attacks

FaceID introduced a more secure and convenient way to unlock the iPhone, but is prone to duress attacks

While US Citizens enjoy protections against self-incrimination and unreasonable search and seizure, many constitutional protections do not exist at ports of entries or border exclusion zones.  There have been countless stories of US Citizens returning to the US from an international trip and being detained until they unlock their phone for search.  Some users also reported that customs agents were interested in cloud storage applications installed on mobile phones such as OneDrive and Dropbox so their interest extended beyond just data stored locally on the device.  .  A statement from the US Customs and Border Protection agency cite the statistic that only 0.0061 percent of arrivals are subject to electronic search.  However, certain risk factors can contribute to being selected and it is definitely an uncomfortable situation to be in if you are selected. The problem became so rampant that many pro-democracy and privacy groups started issuing guidance for users of smartphones when crossing international borders

USCBP is responsible for maintaining security at the borders

USCBP is responsible for maintaining security at the borders

The best method for crossing international borders with a smartphone is to travel with burner phone that does not contain any important information.  If the device is confiscated or duress is applied to unlock the device, the unlocked information will be useless.  If that is not an option, at a minimum power off the device before crossing a border so it requires a passcode or password to unlock the device after powering on.  LastPass introduced a travel mode feature which can be enabled when crossing international borders. While in travel mode, only a pre-specified list of accounts and passwords are stored on the device, granting the user plausible deniability.  Once the user reaches their destination and there is a reasonable belief that they are no longer in jeopardy of being searched, travel mode can be disabled and all accounts and passwords will be securely downloaded to the device.  

Literal Burner Phone

Literal Burner Phone

This fight between the government and technology companies is reminiscent of the California mobile phone driving law.  California first passed a law prohibiting a driver from holding a mobile phone in order to make a phone call, completely overlooking other mobile phone uses.  The next year, California hoped to plug that loophole by banning texting while driving, but still allowing use of the phone for any other means such as changing a song playlist or playing Pokemon Go. It took until 2017 for California to finally pass a ban on all use of mobile phones while driving, with the exception of a few emergency cases.  Simply put, the law has traditionally had a difficult time keeping up with technology.  It was disappointing that the FBI was able to unlock the iPhone 5c and dropped their lawsuit against Apple since a ruling in the case would have set a precedent for future information requests.  However, it is encouraging that cases are making their way to the courts that will settle this once and for all, though it may take some time.  

The Supreme Court has declined to hear cases involving the requirement for suspects to unlock their phones.

The Supreme Court has declined to hear cases involving the requirement for suspects to unlock their phones.

Build the Firewall: Government Shutdown Puts US Cybersecurity at Risk

Build the Firewall: Government Shutdown Puts US Cybersecurity at Risk

Phishing: Old Attack Vector, New Targets and Tactics

Phishing: Old Attack Vector, New Targets and Tactics