News broke on Forbes today that a major United States government contractor found a way to crack the encryption on Apple’s ever-popular iPhone devices. Apple has previously been commended for its superior security, even fighting back against the FBI’s request to break the encryption on a user’s device. Apple has long maintained that, because of the end-to-end encryption it has implemented, it does not have access to user communications and thus could not share them, even if it wanted to. This latest news is therefore creating major concerns online, with Edward Snowden even chiming in:
The only compelling reason for someone to buy an iPhone over more open, less expensive competitors was @Apple’s stronger stance on users’ right to privacy and security. This story and Forbes’ Cellebrite report (https://t.co/insMgQARrY) threaten the core of an iPhone’s value. https://t.co/qgXBmnJphl
— Edward Snowden (@Snowden) February 26, 2018
As news reports indicate, an Israel-based company, Cellebrite, is claiming it can access encrypted information on iPhones. Cellebrite is a vendor for the US government and has previously been hired to unlock mobile devices to assist with various investigations. Reportedly, Cellebrite is telling its customers (law enforcement and private forensics workers) that it can get around the security of devices running iOS 11, although the company has not confirmed this publicly. This is a development for the company, which has created new technologies to achieve this goal. Its “literature” further validates the concept, stating it can “break security” of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.”
The firm’s business model is as follows: The client (i.e. government or law enforcement) sends the device to Cellebrite, who in turn unlocks it and sends it back to the client, who can then access the data. Cellebrite can also access the data and send that back directly to the client. Reportedly this can cost as little as $1,500 USD per unlock, which is an insubstantial amount.
As mentioned above, one main reason to utilize Apple devices over other devices has previously been their security and strong encryption, but this latest development calls these certainties into question.
If Apple devices are less secure than believed and just as vulnerable as other devices, users have no good options to protect their privacy. There are also concerns about the fact that a company, Cellebrite in this case, is “hoarding” vulnerabilities, or intentionally not disclosing them in the interest of profit. Ideally, when vulnerabilities are found, they are shared with technology companies so they can address and close them, bolstering the security of their products and delivering the protection promised to users.
This latest news serves to confirm the importance of a few things to consumers. Firstly, as always, it’s essential to select providers whom you can trust. While Apple has generally proved trustworthy (their recent actions in China notwithstanding), Cellebrite’s actions indicate many companies cannot be trusted or prioritize profits over security. It’s essential to vet all providers before you use them.
Additionally, this news reinforces the importance of taking action to protect yourself online and secure your devices. We have repeatedly seen that we cannot rely upon the government to protect us (this is why Golden Frog was founded, after all), nor can we trust the security of all our products. Using a VPN, such as VyprVPN, remains the best way to protect yourself and add a layer of security, even when using products with encryption built in.