Should the FBI be able to hack your smartphone?
This postponement came on the heels of the FBI’s revelation that an outside firm may have found a mechanism to hack into Apple’s iPhones. But this hardly clears up the ethical and legal debate about whether the FBI should have the capability to hack any smartphone for which they can get a warrant.
This case exists at the intersection of a criminal investigation and national security. The FBI wants the chance to access the phone of Syed Farook, one of the shooters in the San Bernardino massacre that killed 14 and wounded 22.
The FBI has taken every necessary legal step to access the phone's data, but Apple simply does not have the technology to hack it and has refused to create it thus far. If Apple builds what the FBI is requesting, that creates more than a chance the FBI can access the phone's data: it is a guarantee.
But even if the FBI bypasses Apple and uses third-party technology to access Farook’s phone, Apple will develop stronger security measures on the next version of the iPhone, and this debate will happen again in the future.
This case affects every smartphone user in the world. Here is what you need to know about the implications for personal security, national security, and privacy.
What is end-to-end encryption?
In October 2014, in response to heightened privacy concerns following the Edward Snowden leaks, Apple announced that it would implement end-to-end encryption on all of its devices, effectively locking itself and everyone else out of its users’ phones. Before this change, Apple had a key that allowed it to access data on any iPhone.
With end-to-end encryption, data shared between two devices can only be accessed on those specific devices. The only way to read a message transmitted between two phones is to unlock one.
Take a simple message between a “sender” and “receiver”: The sender types and sends a message. This message is encrypted—basically transformed into an unintelligible combination of numbers and letters—and delivered to the receiver. The receiver’s phone gets the message and decrypts it, and the receiver reads it. To anyone else, including someone who intercepts the message along the way, it is impossible to read.
The reason these messages are only accessible to the sender and receiver is because each device has two “keys,” a series of numbers and letters used to decrypt the message, one private and one public. The private key exists only on the device and must be used to decrypt everything stored there. On an iPhone, this private key is tied to a user’s four- or six-digit passcode. When users type in their passcode, they activate their private key and can see their data. The public key is stored on the server that transmits the message, which can be accessed by any phone. The sender’s phone automatically grabs the receiver’s public key and uses it to store the still-encrypted message on the receiver’s phone. The receiver’s phone then uses its private key to decrypt and display the message.
What about “brute force”?
There are only 10,000 possible combinations for a four-digit code and one million for a six-digit code, which makes it possible to try all of the combinations— a ”brute force” hack—until the phone unlocks.
Anticipating this, Apple added an optional security feature that causes the private key on each iPhone to self-destruct after 10 failed password attempts, rendering all data useless. The possibility that Farook’s iPhone has this feature activated means the FBI cannot risk a brute force hack.
The FBI has sought a court order mandating that Apple disable this function, leaving the FBI with the surprisingly straightforward task of trying each of the one-million-plus combinations until they unlock the phone. The iPhone takes 80 milliseconds to process a passcode guess, or 12.5 guesses per second, which means it would take the FBI less than a day to crack a six-digit passcode and about 13 minutes to break a four-digit code using an external device.
What’s more important: privacy or national security?
This is hardly the first time there has been public debate on privacy and security, and it will certainly not be the last. What makes this issue unique are the security risks associated with Apple deactivating its own encryption security for a criminal investigation.
FBI criminal investigations are inarguably augmented by the ability to break into any iPhone, but the national security implications are stark. If Apple creates this code, it will immediately become the number-one target for hackers and foreign governments interested in accessing smartphone users’ private data. There will be 6.1 billion smartphone users by 2020, and if the FBI can compel Apple to weaken its security, the FBI can use that precedent to compel other companies to do the same.
A fundamental tenet of cybersecurity is that the more complicated it becomes, the easier it is to hack. Currently, end-to-end encryption has only one access point. The FBI wants a secondary, guaranteed access point. Are the criminal investigation benefits worth the risk to the personal security of smartphone users everywhere?
It is a difficult question. Many people will understandably accept that risk in the name of national security, but it creates a tangible cost to the privacy and personal security of billions of people—and their data—worldwide.
In this Friday, Sept. 25, 2015, file photo, a customer tries out a new Apple iPhone 6S at an Apple store in Chicago. Photo by Kiichiro Sato/AP/File