Why Apple doesn’t want to create a “hacking department” for the FBI.
In its fight against the FBI, Apple isn't just worried about this controversial case becoming a precedent for more intrusive government requests. The company is also concerned about having to create an in-house "hacking department" that would become an irresistible target for hackers and foreign spies.
Given a long history of hackers and spies targeting tech companies' surveillance and law enforcement assistance mechanisms, experts agree that Apple's "hacking department" for the FBI would become one of the most prized targets for cyberspies and hackers looking to get around the iPhone's vaunted security.
That would be a "big bull's eye" on Apple's "front door," according to a person close to the company, who spoke to Motherboard on condition of anonymity.
That would be a "big bull's eye" on Apple's "front door."
Ever since the FBI came out with an unprecedented, and technically clever, order requesting Apple to help its agents hack into the iPhone of a suspected terrorist, the tech giant has gone on an unusual media push accusing the feds of asking for something that would not only put the privacy and security of its users at risk, but also create a dangerous precedent that could be abused again not just by the US government, but also other, more repressive countries.
For Apple, this is not just about the iPhone of the alleged terrorist who killed 14 people in San Bernardino last year. Considering that the US Department of Justice has nine other lawsuits in which it's trying to compel Apple to get data out of several iDevices, the Manhattan District Attorney has claimed he has more than a hundred phones he'd like to get into, and even the FBI director has himself admitted this case could set a precedent, few at this point doubt this is just about this one phone.
But among the legal arguments and talking points, one potentially dangerous scenario has been somewhat overlooked. If it loses this case Apple might be forced to create a team dedicated to making custom operating systems for the FBI—Apple called this a "forensic lab" and a "hacking department."
That team will be handling tools designed to get around the iPhone's security features, as well as Apple's secret developer signing key, which it will need to put a digital stamp of approval on all these tools given that iPhone only run Apple-approved software. Those are highly sensitive tools that will make this team, and people working on it, a huge target.
Apple is worried about several scenarios, the source explained. Criminal hackers who get into US government computers could then send fake legal requests to Apple to get into other people's iPhones, or even malicious insiders at the company could abuse the tools for their personal gain.
"There's just a whole different amount of scenarios that would make this a security nightmare," the source said.
While these are theoretical scenarios, there are some precedents of spies and hackers targeting tech companies's departments tasked with assisting law enforcement agencies.
In 2009, hackers working for the Chinese government attacked several American tech giants, including Google and Microsoft, in what's known as "Operation Aurora." Years later, US government officials told the Washington Post that as part of those attacks, the hackers breached a Google database that contained information on targets of US national security and law enforcement surveillance requests. At the same time, a Microsoft official said the hackers had tried to get the same information from Microsoft servers.
In 2005, someone, perhaps a rogue NSA operative working at the US embassy in Athens, hacked into the computers of telecom giant Vodafone, taking over its surveillance systems to bug the Greek prime minister and other highly-ranked officials.
But it's not just sophisticated government hackers. In 2014, the Syrian Electronic Army hacked the email addresses of several Microsoft employees, including some working for the company's law enforcement compliance team. In their accounts, the Syrian hackers found a trove of sensitive information, including criminal subpoenas, names and email addresses of surveillance targets, detailed receipts showing how much the FBI had paid the company to process surveillance requests, and even passwords that Microsoft provided to police agents to access files.
This hack was not just "embarrassing," but it highlighted how poorly Microsoft and the FBI were using when handling highly sensitive information, security and privacy researcher Ashkan Soltani wrote at the time.
Perhaps the biggest target inside Apple's hacking department would be the company's secret signing keys. Apple likely treats these keys very carefully, using special tamper-resistant devices known as hardware security modules, or HSMs, to manage, store, and process store them, according to Dan Guido, the CEO of cybersecurity company Trail of Bits.
While this the best practice to secure secret keys, it's not hacker-proof. Certificate Authorities, organizations that verify the identity of websites or entities online and essentially tell computer who to trust on the internet, also use HSMs, given that the prospect of hackers getting their hands on those keys is near-disastrous. But some of them, such as the Dutch authority DigiNotar, have been breached in the past, and hackers were able to get to their HSMs too.
"This team will certainly become one of the most valuable targets for foreign intelligence."
Considering these precedents, privacy and security experts agree that Apple's "hacking department" would be an "attractive" and "irresistible" target for foreign spies and hackers. Guido described it as "one of the most valuable targets for foreign intelligence."
Targeting the signing process and Apple's keys "is a way around all of Apple's security, vetting, etc," Steven Bellovin, a professor of computer science at Columbia University, told Motherboard in an email. "Think about the tens of millions of iPhones in China (Apple's largest market), that are locked against the Chinese government."
If the FBI wins this case and decides to stretch its interpretation of legal assistance, and requires Apple to hack a phone remotely via online malicious updates, that department is going to get so many requests it will have to create a generic tool that works on all phones, or create a way to send the FBI phone-specific hacking tools or backdoors that the feds can then use on their targets.
"This would create a huge critical weakness in our infrastructure which foreign intelligence would certainly exploit," Nicholas Weaver, senior researcher at the International Computer Science Institute at University of California, Berkeley, told Motherboard.
Apple prides itself on its security practices, according to the source close to the company, but even Apple knows its systems could be hacked, and that perfect security does not exist. If Apple is forced to create a new "hacking department," it might just realize that the hard way.