How to Freak Out a Security Geek

Dan Elitzer
IDEO CoLab Ventures
5 min read · Oct 26, 2016

You can pry my phone from my cold, dead… oh never mind; here you go.

Last week, my 8-year streak of avoiding cracks in my phone screen came to an end. It turns out that squatting in your driveway, balancing your new, case-less iPhone 7 on one knee so that the flashlight can shine on the sprinkler you’re trying to fix is… a bad idea.

But that wasn’t the riskiest thing I did with my phone in the past week.

Not my iPhone.

On Saturday, I went to the Apple Store to get the screen replaced.

Things started out great. The Genius I met with, Ajay, inspected my phone and looked up the device ID. Ajay then informed me that since the phone was so new and just had a single hairline crack, he could waive the repair fee for me. Score!

He then asked whether I had backed up my device recently. I informed him that I had — both the night before and earlier in the day before I came to the store. I came prepared!

What happened next made me deeply uncomfortable.

Ajay navigated to the iCloud settings menu, turned off Find My iPhone, and asked me to put in my password to confirm.

“Uh, ok,” I thought. “I guess they do this so nobody messes with the repair folks by sending an alert (which would override “Do Not Disturb” mode) while they’re working on the phone.”

I typed in my passcode and handed my phone back to Ajay.

Then he went to the Touch ID & Passcode settings and had me enter my passcode again. I did.

He selected “Turn Passcode Off”.

My stomach churned.

“Hey, I get why you need to turn that off, but can I just wipe my phone for the repair?” I asked.

“No,” he said.

All those warning bells going off in my head — the ones urging me to press him and ask what would happen if I did just wipe the phone right now, or ask to talk to a manager, or point out that they shouldn’t need carte blanche access to everything on my phone just to replace a pane of glass on the front — they were all drowned out by an even louder voice telling me that I needed to get home to have dinner with my wife and put my son to bed, and besides, the likelihood of anything bad happening was extraordinarily small and I would only be arguing for the sake of feeling self-righteous, so why waste the time when I knew I needed that new screen and I would ultimately end up agreeing to whatever ridiculous policies were in place to get it?

Deep breath.

“Oh, ok,” I said.

“You’re all set,” Ajay told me. “We’ve got a few people ahead of you and it’s the end of the day, so come back at 7:50 and you can pick it up.”

Uh, I’m not only handing over my phone to a stranger; he also wants me to leave him, and anyone else he works with, with unfettered access to my personal communications, photos, data, second-factor authentication tokens, etc. for two hours?!

Ok.

☹️

I returned two hours later and picked up my phone with its newly repaired screen without incident.

I’m generally extremely security conscious — a few years working with folks in the Bitcoin/blockchain space will have that effect. I use a password manager to generate unique, random passwords for every account and enable two-factor authentication (preferably not SMS-based) for all services that offer it. But disabling my passcode and handing over my phone to a stranger effectively bypasses all those precautions.

I have no reason to believe anyone at the Apple Store went through my email, photos, or other applications, or did anything other than replace the glass on the front of my phone during the two hours it was in their possession… but I don’t know for sure.

The nature of digital security is such that if any of my accounts were compromised, the fact that my phone is now back in my possession doesn’t protect me. Being exposed for any period of time generally means that, for certain types of attacks, you remain exposed indefinitely.

Why was I willing to hand over the keys to my digital life to someone I had never met? The location, his shirt, his name tag, and the information I saw him pull up on his iPad made me 99.999% sure he was an authorized agent of Apple, a company I already trust to safeguard important aspects of my digital life on an ongoing basis.

Yes, I was asked to expose myself more than was necessary for a relatively simple hardware fix, but I understand the potential need to access parts of the software — the last thing the repair team needs is to encounter an unexpected problem and then not be able to fix it until the phone’s owner returns and provides them with additional access.

Most of all, I saw the cost in time (and potentially money, if I decided to go to a 3rd-party repair shop) of doing things “right”, and decided that trying to mitigate a low-probability/high-damage scenario was not worth the effort.

As security-conscious designers, engineers, product managers, and technologists, we find ourselves walking a tightrope: trying to assess the probability and severity of various attack vectors, and to implement features and UI flows that mitigate risks and encourage users to follow good security practices, while creating as frictionless an experience as possible.

The fact that in 2016, we can assume virtually everyone carries around an internet-connected supercomputer in their pockets, many with biometric authentication built in, is a powerful enabler of security.

There is no such thing as perfect security though. There will always be scenarios and steps in various processes where we need to trust other humans in some capacity.

There is much to be gained if we embrace that fact.
