31 December 2013

Cryptopocalypse: Can your iPhone be hacked by the NSA?

Today the Intertubes are awash with hysteric headlines like "The NSA Has Crazy Good Backdoor Access to iPhones".  It's quite the pile-on: besides the press' inclination to tear down the tall dog, there's something stunning about the well-regarded security of latter-day iDevices being easily circumvented by shadowy spies in Ft. Meade.

What's missing--as is all too typical--is a close and sober look at what's being disclosed.

Here's what we know from the latest Snowden documents:

The DROPOUTJEEP iPhone exploit requires physical access to the phone, which suggests it’s based on the sort of hard-boot privilege escalation that has animated the cat-and-mouse game of jailbreaking since 2007.  With each generation of hardware and software, old boot-time-access doors are closed by Apple and new ones discovered by jailbreak hackers.  The result has been continuous improvement of device security.

But hardware and iOS advancements now mean that all recent jailbreaks require the device filesystem to be unencrypted, which means removing any passcode (and, in the case of the iPhone 5S, the fingerprint authentication).  That makes it likely that your recent iPhone or iPad is safe from this exploit if you enable the passcode.

But here’s something interesting that I’m not seeing discussed amid all the hoo-hah.  The source document that’s being splashed all over the Internet is dated 2007:

Specifically, the document datestamp is “20070108”.  It’s unclear if the date format is year-day-month, as is typically seen in the US outside of at least some government and military usage, or the more globally accepted year-month-day.  I’d argue the latter, because the iPhone was released on June 29, 2007.

Either way, the document relates to the very first generation of iPhone, before the filesystem encryption capability was even introduced.  (That came a year later, with iOS 2.)

So, calm down, people.  Enable your passcode.  And know that there are much more probable threats to your rights and privacy than this one.

