MacDailyNews

Security expert: Apple’s iMessage and FaceTime are not ‘end-to-end’ secure

“Properly configured, an iOS device is perhaps the most secure, general purpose communication device available,” Nicholas Weaver writes for Lawfare. “The iPod Touch in particular is my preferred communication device for those who need to operate in an extremely hostile network such as China or France, and for most users, iOS is vastly more secure than Android.”

“Despite this, ‘best’ does not mean ‘impregnable.’ The FBI claims that iPhones are ‘bricks’ containing no useful information and Apple claims that iMessage is ‘end-to-end’ secure. Neither is the case,” Weaver writes. “A suspect’s iPhone is hardly a brick, but rather a vast trove of information and iMessage, rather than being an impenetrable fortress, is actually metadata-friendly and seems designed to support a backdoor.”

“The IMEI on the back is enough information for the FBI to find the phone’s carrier and, with a simple warrant, gain a trove of information,” Weaver writes. “Smart phones continuously communicate on the cellphone network, and Apple’s Siri in particular will still use cellular connectivity even when on a WiFi network. This allows the FBI to discover the phone’s entire movement history as long as the phone was on. At a minimum, the cellular providers will provide tower-level information, localizing the phone within a few square kilometers on an effectively continuous basis.”

“But what about information stored on the phone itself, such as Joe Jihobbiest’s selfie with an ISIS flag? Unless the target knew how to set up his phone correctly, it’s actually straightforward to arrest someone with an iPhone,” Weaver writes. “Yes, an iPhone configured with a proper password has enough protection that, turned off, I’d be willing to hand mine over to the DGSE, NSA, or Chinese. But many (perhaps most) users don’t configure their phones right… Furthermore, most iPhones have a lurking security landmine enabled by default: iCloud backup. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages!”

“Finally, there is iMessage, whose ‘end-to-end’ nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage’s encryption does not obscure any metadata, and as the saying goes, ‘the Metadata is the Message,’” Weaver writes. “There are similar architectural vulnerabilities which enable tapping of ‘end-to-end secure’ FaceTime calls.”

Read more in the full article here.

MacDailyNews Take: It would be nice for Apple to issue an official statement addressing each of the points made in Weaver’s article, but we wouldn’t hold our breath waiting for it. We’d also like to see some independent security experts’ takes on these points.

SEE ALSO:
Edward Snowden supports Apple’s stance on customer privacy – June 17, 2015
U.S. Senate blocks measures to extend so-called Patriot Act; NSA’s bulk collection of phone records in jeopardy – May 23, 2015
Rand Paul commandeers U.S. Senate to protest so-called Patriot Act, government intrusion on Americans’ privacy – May 20, 2015
Apple, others urge Obama to reject any proposal for smartphone backdoors – May 19, 2015
U.S. appeals court rules NSA bulk collection of phone data illegal – May 7, 2015
In open letter to Obama, Apple, Google, others urge Patriot Act not be renewed – March 26, 2015
Apple’s iOS encryption has ‘petrified’ the U.S. administration, governments around the world – March 19, 2015
Obama criticizes China’s demands for U.S. tech firms to hand over encryption keys, install backdoors – March 3, 2015
Apple CEO Tim Cook advocates privacy, says terrorists should be ‘eliminated’ – February 27, 2015
Apple’s Tim Cook warns of ‘dire consequences’ of sacrificing privacy for security – February 13, 2015
DOJ warns Apple: iPhone encryption will lead to a child dying – November 19, 2014
Apple CEO Tim Cook ups privacy to new level, takes direct swipe at Google – September 18, 2014
A message from Tim Cook about Apple’s commitment to your privacy – September 18, 2014
Apple will no longer unlock most iPhones, iPads for police, even with search warrants – September 18, 2014
Apple, Google, others call for government surveillance reform – December 9, 2013
