As FBI, Apple spar over encryption, expert Charlie Miller says backdoor access is a ‘terrible idea’
Updated Feb. 17, 2016 at 10:00 a.m. with quotes about encryption, Apple news – Yesterday, a federal court ordered Apple to unlock the iPhone of one of the people involved in the San Bernadino shooting as a means to obtain evidence against the suspected shooter. Apple is refusing to unlock the phone, as CEO Tim Cook reaffirmed in a letter addressing the security of its customers.
In 2014, Apple announced that it would throw away encryption keys that had allowed law enforcement to unlock iPhones. According to Cook’s letter, here is what the FBI has now asked Apple to do:
“We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.
“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
"The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”
Meanwhile, law enforcement says that device encryption is hindering investigations. Speaking before the Senate Intelligence Committee, FBI director James Comey said that while the San Bernadino case is urgent, other encryption cases are also embroiled in lower-profile crimes. "It affects our national security work, but overwhelmingly this is a problem that local law enforcement sees," he said.
For more information about the issue, read this handy explainer from Vox.
On Tuesday’s “St. Louis on the Air,” cybersecurity expert and internationally-known hacker Charlie Miller said that backdoor access is “the only political question I actually have an opinion on.”
“I think it’s a terrible idea to have backdoor access for the government or for anyone else in our infrastructure,” Miller said. “The reason that online banking is safe and e-commerce is safe, is because we have encryption. So, you can safely sit in your coffee shop or in your home and not really worry that someone is going to snoop on your purchases or banking transactions and that’s because of an encryption.
“As soon as you build in a backdoor whether that’s designed for the government or not, that’s a way in. That means the attackers, that’s the first thing they’re going to try to get. There’s a history of this. When attackers attacked Google a few years back in something called Operation Aurora and the very first thing the attackers did is they went into the systems that were used for lawful intercept, meaning the systems that law enforcement was using, with subpoenas, to track various users. As soon as you build a backdoor, it’s a backdoor for everyone, not just the government but also for attackers.”
Suddenly, Miller’s words have more practical implications. Should Americans sacrifice the highest-levels of privacy to protect themselves from terrorism?
Original post: Cybersecurity expert Charlie Miller: ‘Some people do crosswords, I find vulnerabilities in software’
Last week, internationally-known hacker and cybersecurity expert Charlie Miller jet-setted to the Canary Islands alongside Chris Valasek to receive the MVP Award from Kaspersky’s 2016 Security Analyst Summit for their car hack security research. You may remember this story from last summer about how Miller and Valasek were able to remotely hack into a car driving on the highway and control it from home.
Through that research, Miller was able to get 1.4 million vehicles recalled because of a bug in the car’s security. But that’s just the beginning. Miller said there are a plethora of other cars out on the road that just haven’t been tested for such vulnerabilities.
On Tuesday, Miller was back in the “St. Louis on the Air” studio to discuss his work and answer questions about cybersecurity. Miller is based in St. Louis and works as a security engineer for Uber, though he is regarded as “one of the most technically proficient hackers on Earth", according to publications like Foreign Policy. Previously, Miller worked for Twitter and the National Security Administration (NSA).
Finding vulnerabilities in car technology, like he did last summer, or iPhones is not even technically part of Miller’s day job. He does it because he wants to help.
“Some people do crosswords, I find vulnerabilities in software,” Miller told host Don Marsh.
"Some people do crosswords, I find vulnerabilities in software."
Did we mention that he also has a PhD in mathematics from the University of Notre Dame? Yep, this guy knows his stuff.
Cybersecurity is an issue Americans are increasingly worried about. One of our listeners even emailed to say she only uses a secured email out of fear for her online privacy and sabotage. “Besides having a secured email, I don't do Facebook, Twitter, Instagram or anything else,” she wrote. “I don't do banking or shopping and keep my browsing to a minimum. When I do browse the web, I immediately re-scan my computer to clean up cookies.”
“Things are getting incrementally better but, if anything, if you look at research I’ve done with vehicles, it’s almost worse than it has ever been,” Miller said. “There is more and more code, more and more problems, and the same amount of people trying to fix it.”
The bad news? There is no way to make any system 100 percent “hack-proof,” Miller said. “No matter how much money you spend, this is software and hardware made by people and this is not perfect,” he continued. “There’s some problem that will eventually be found by somebody.”
Last week, President Obama sent his proposed budget to Congress. Included in it was a $19 billion cybersecurity plan. That would be a 35 percent increase over current spending on cybersecurity and would include security upgrades on government computers.
“[Obama] has an extremely difficult job,” Miller said. “If you think about a typical company, trying to keep out hackers, they are trying to keep out bored teenagers or people trying to deface their website for fun. For a more advanced company, like an Edward Jones, they may be trying to keep out professional hackers like the Russian mafia. But if you think about a government computer, they are trying to keep out other governments with nearly unlimited resources and talent and time. Trying to keep out those attackers is almost impossible.”
Another challenge is that it is not considered cool in the hacking community to go work for the government. That means that the best and the brightest are being lured to places that pay better or have more hacker culture prestige.
"There's no reason to think we're any more protected than any other country."
“There’s no reason to think we’re any more protected than any other country,” said Miller. “The thing that makes us more vulnerable is the amount we rely on the Internet. Some countries don’t rely on the Internet as much for commerce or other things as we do.”
Miller said that, on an individual level, the most secure computer a person could get would be “in a concrete block at the bottom of the ocean” and that for usability there are always security trade-offs. For example, if you want online banking, it makes your life easier but it also exposes you to security threats.
“I always try to err on being smart about what you use but using what you want to use,” Miller said. “I do online banking, I’m on Twitter … I’m just smart about it. If you use these big services, you’re probably going to be okay. If you only surf to popular websites, you’re going to be okay. It is when you get into the corners of the Internet that aren’t heavily patrolled, that you get in trouble.”
St. Louis on the Air brings you the stories of St. Louis and the people who live, work and create in our region. St. Louis on the Air host Don Marsh and producers Mary Edwards, Alex Heuer and Kelly Moffitt give you the information you need to make informed decisions and stay in touch with our diverse and vibrant St. Louis region.