Top iPhone Hackers Ask Court to Protect Apple From the FBI

Three of the world's leading iPhone hackers argue in a legal brief that the FBI's iPhone-cracking demands go too far.

Since Charlie Miller became the first hacker to demonstrate how to take over an iPhone in 2007, he's had a complicated relationship with Apple. He's hacked everything from MacBook batteries to the iOS App Store---a stunt that led Apple to ban his developer account in 2011. But now that Apple is facing the legal fight of its life against the FBI's own attempt to break into its devices, Miller and several other fellow world-class iPhone hackers have come to the company's defense.

On Thursday, a group of those iPhone hackers and other security researchers filed an amicus brief siding with Apple in its intensifying legal battle over the FBI's court order to assist in cracking an encrypted iPhone that belonged to San Bernardino killer Syed Rizwan Farook. Those security experts include Miller, a former elite NSA hacker; Dino Dai Zovi, a well-known Apple hacker and co-author of the iOS Hacker's Handbook; and Jonathan Zdziarski, a top iPhone forensics expert who has built tools for police to analyze seized iPhones in the past; as well as computer security and crypto experts Dan Boneh, Bruce Schneier and Dan Wallach. Their brief was prepared by lawyers Jennifer Granick and Riana Pfefferkorn of Stanford's Center for Internet and Society.

That group---many of whom have themselves spent their careers breaking into iPhones---warned that the FBI's demands represent an unprecedented threat to the security of the iPhone and computer security in general. "[We] have dedicated [our] careers to studying and improving iPhone and cryptographic security," the group writes in its brief. "Despite the Court’s efforts, this Order endangers the privacy and safety of iPhone users and those who come into digital contact with them. Worse, it sets a precedent for other such orders that would create even greater risks."

In their brief, the hackers and cryptographers address the FBI's demand that Apple create a new, weakened version of its operating system that removes certain safeguards designed to prevent attackers from repeatedly guessing passcodes to decrypt the phone's storage. They zero in on the FBI's claim that this operating system could be created for the single phone in the case and not be used by law enforcement officials—or worse, hackers and cybercriminals—to break into other phones in the future. They argue that the crippled operating system could fall out of Apple's control, and that unintended security flaws in Apple's FBI-friendly code could allow it to be used to crack other iPhones.

"Vulnerabilities in Apple’s software have persisted for years even though Apple very much does not want them to. This is a lesson for this case," they write. "The most probable outcome of this Order is that Apple will be forced to create forensic software that bypasses the passcode but is not limited to the Subject iPhone."

The brief also focuses on the possibility that if the FBI succeeds in forcing Apple to create a new, cryptographically signed version of its operating system, it might use that precedent to later demand that companies push software updates to smartphones or other devices designed for surveillance---and in doing so, undermine users' trust in security updates that are critical to keeping them safe. In a phone interview, Miller pointed to that notion as threatening Apple's strong record of getting users to adopt new security updates, a rate of adoption that is one of the highest in the tech industry. "That's an important part of their security model," Miller says. "If people stop trusting the updates, that won’t continue."

In their brief, the researchers argue the mistrust of security updates that might result from an FBI win could extend beyond iPhones and weaken computer security as a whole. "The more users who turn off automatic updates, the more devices, the more information, the more people put at risk," the brief reads. "Just as herd immunity to a disease is lost if enough members of the group are not vaccinated against the disease, if enough users stop auto-updating their devices, it will weaken the entire device security ecosystem."

The problem of surreptitious surveillance updates, the brief continues, could reach beyond traditional computers to other "internet of things" devices, forcing Amazon's Echo speaker systems or Samsung's "smart TVs" to record video and audio of users in their homes. And those future surveillance techniques could be used remotely rather than on a seized device, and could be even less restricted to a single gadget than the FBI's request in the San Bernardino iPhone case. "A 'skeleton key' that can be used remotely against numerous devices is...a formidable cybersecurity threat should it fall into the wrong hands," they write. "On its face, the Court’s Order does not call for such a tool---but it opens the Pandora’s box that contains it."

The far more immediate threat in Apple's fight with the FBI, however, is the security of iPhones themselves. And despite his sometimes-adversarial relationship with Apple, Charlie Miller says he's been gratified to watch Apple steadily improve the iPhone's protections since it first launched---from the time when he could break into it with an attack on its Safari browser or even a text message, to today, when a rare iPhone-cracking exploit is valued at around a million dollars. "I’ve seen the security of the iPhone increase since 2007, and I’m happy about that since I use an iPhone, too," Miller says. "I don’t want to see us going backwards."