Your iPhone is Not Secure: Product Design Changes to Secure iPhones

Geoff Canyon, published in Thinking Product, Mar 28, 2016

(At least against the kind of attack the FBI is proposing)

UPDATE: Well, that was quick. The FBI announced they have cracked the San Bernardino shooter’s phone, and withdrew their suit against Apple. Based on the little we know about the method used, a six-digit passcode would have held out much longer against the FBI’s efforts, and an eight-digit passcode would have been effectively secure.

Summary

Your modern iPhone is not secure; at least, not against the FBI if they get your phone after you die committing a terrorist attack, or if they subpoena it.

Two Kinds of Attack

There are (at least) two different types of attack your iPhone might face:

Casual Attacks

This attack is far more likely. The typical example is if your phone is lost or stolen. The thief wants to unlock your phone to sell it.

Institutional Attacks

If the police, the FBI, or some other institution wants access to your phone’s contents, significantly more sophisticated attacks are possible.

Product Design for Casual Attacks

Present security measures already make the iPhone a poor target for theft. A thief is unlikely to be able to replicate your fingerprint, and while older versions of iOS were somewhat vulnerable to pin-cracking devices, Apple’s current six-digit passcode means that even if the current iOS does prove vulnerable to pin-cracking — it hasn’t so far, to my knowledge — it would take months to crack your phone.

Common Passcodes

That doesn’t mean the situation can’t be improved. Many people use really bad passcodes like 1111 or 1234. When most passcodes were four digits, knowing the most common ten passcodes gave about a 15% chance of unlocking an iPhone.

Apple has improved this by defaulting to six digit passcodes, but a simple code change could improve security further: Apple should warn people who try to set the most common passcodes. Note that Apple doesn’t need to prohibit those passcodes — it just needs to give enough of a warning that they drop down close to their normal frequency.

Product Design for Institutional Attacks

In the case of the San Bernardino shooters, the iPhone passcode is highly likely to be only four digits, which an ordinary human being could enter in less than a day.

However, the iPhone slows down the processing of passcodes to an hour each after a few incorrect tries. At that rate it would take as long as 400 days to try all the combinations. Further, the iPhone can be set to lock completely after ten failed attempts in a row.

What the FBI Wants

There is a common misconception that the FBI wants Apple to “unlock” the iPhone. To be perfectly clear:

APPLE HAS NO BACK DOOR TO UNLOCK AN iPHONE.

Updates to iOS that are signed by Apple can be loaded onto an iPhone without knowing the passcode. So the FBI wants Apple to create a hacker-favorable version of iOS that:

  • Disables the “10 failures and the iPhone locks” feature.
  • Removes the slowdown.
  • Allows the iPhone to be imaged so the entire process can be run on faster hardware than the phone itself.

The first two items alone would get back to the “dedicated person in a day” scenario, so if Apple complies, the FBI would be able to unlock the San Bernardino shooter’s phone in less than a day. Newer versions of iOS suggest a six-digit passcode. This would increase the time required to perhaps a few months, depending on how fast modern iPhones can process attempts to unlock them.

The third item would crack a four-digit passcode almost instantly, and a six-digit passcode would take seconds at most.

The Larger Vulnerability

The San Bernardino shooter’s iPhone is an older model that has no fingerprint scanner. But in an institutional attack on a modern iPhone, the fingerprint scanner is a much greater vulnerability than the passcode.

In a situation like San Bernardino, where the suspect’s fingers are available to the FBI, the iPhone could be easily unlocked with the deceased’s finger — yes, there are ways to re-inflate dead fingers so they resemble their original living state.

Of course the far more likely case is that a living suspect — you — might be compelled by the court to unlock the iPhone. You can refuse to enter a passcode; a fingerprint is more easily coerced.

Unlocking by fingerprint scan can be disabled, but if you don’t have the foresight to take that preventive step beforehand, you’re out of luck.

Addressing the Fingerprint Scanner

There are several steps Apple can take to reduce the vulnerability of the fingerprint scanner.

The iPhone already requires the passcode (instead of a fingerprint) whenever it is restarted. Call this a “hard lockdown.” If the FBI (or whatever agency is trying to break into your phone) mistakenly restarts your iPhone for any reason, they’ll have to work on the passcode.

Apple currently also requires the passcode when 48 hours have passed. They could enhance this protection by shortening this timer: triggering a hard lockdown whenever more than six hours have gone by without unlocking would make your fingerprint a much smaller vulnerability. More paranoid people might set the delay to an hour.

Geofencing would also work: triggering a hard lockdown if the iPhone has traveled more than a mile since the last unlock would improve security — people on road trips would of course disable this feature.

My Voice is My Password

If requiring the passcode is too onerous, a lesser degree of security could be achieved by offering additional authentication factors — face or voice. After a hard lockdown, the iPhone would require a fingerprint and also either a picture of the user, or the user saying a short pass phrase. Neither would be as secure as a lengthy passcode (see below) but both would be an improvement over the current setup, and not particularly onerous.

Secure Passcodes

To secure an iPhone against being imaged and run on advanced hardware requires significant effort: something like a twenty-five-digit passcode. That’s 10,000,000,000,000,000,000,000,000 possibilities, ten million billion billion. Even if exotic hardware could run a million billion trials per second, that would still average over a century to crack. Obviously, this is taking security to an extreme level that exceptionally few people would need or want, but anyone who considers the possibility of someone imaging their iPhone would want to use sixteen digits at a minimum.

This requires that you don’t choose a predictable passcode: no children’s birthdays, no phone-pad enciphering of pets’ names, etc. The best method of choosing the passcode would be to roll a ten-sided die 25 times — someplace very private.

My Voice is My (Long) Password

A twenty-five digit passcode is hard to remember, and harder to enter. An alternative solution would be to use the pass phrase option, and make the phrase long enough to be secure. “Angry green lemurs swim across Lake Victoria. Mighty Mouse plays chess in Kinshasa. A blue Rolls Royce ran over a doctor and a politician on Laurel Avenue.” Doesn’t exactly roll off the tongue, but it’s about the same security as twenty-five digits, can be generated randomly, and is much easier to remember and enter than twenty-five random digits.
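The brute-force arithmetic behind the Secure Passcodes section and the passphrase comparison above, as an added worked example (not part of the original post): it models the throttled on-device attack, the offline attack on an imaged phone at the article’s assumed million-billion trials per second, and the number of randomly chosen words needed to match twenty-five random digits. The 7,776-entry word list size is an assumption for illustration; the article’s own pass phrase is free text, not drawn from a list.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(digits: int) -> int:
    """Number of possible all-digit passcodes of the given length."""
    return 10 ** digits


def entropy_bits(keyspace_size: int) -> float:
    """Strength in bits of a uniformly random choice from a keyspace."""
    return math.log2(keyspace_size)


def seconds_to_exhaust(digits: int, seconds_per_attempt: float) -> float:
    """Worst case: every combination tried at a fixed cost per attempt."""
    return keyspace(digits) * seconds_per_attempt


def average_seconds_to_crack(digits: int, seconds_per_attempt: float) -> float:
    """Expected time for a uniformly random passcode: half the keyspace on average."""
    return seconds_to_exhaust(digits, seconds_per_attempt) / 2


def words_for_equivalent_strength(digits: int, wordlist_size: int) -> int:
    """Uniformly chosen words (from a list of wordlist_size entries) needed to
    match the entropy of a random passcode of the given digit count, rounded up."""
    return math.ceil(entropy_bits(keyspace(digits)) / math.log2(wordlist_size))


# Scenario 1 (article: "as long as 400 days"): four digits, tried on the phone
# itself, one attempt per hour once the slowdown has kicked in.
throttled_days = seconds_to_exhaust(4, 3600) / SECONDS_PER_DAY  # ~416.7 days

# Scenario 2 (article: "over a century"): phone imaged and attacked on exotic
# hardware at an assumed 10^15 trials per second, twenty-five random digits.
offline_years_25 = average_seconds_to_crack(25, 1 / 1e15) / SECONDS_PER_YEAR  # ~158 years

# Same hardware against today's six-digit default: exhausted well under a second.
offline_seconds_6 = seconds_to_exhaust(6, 1 / 1e15)  # 1e-9 s

# Scenario 3: random words versus random digits. Assumed (constructed) list of
# 7,776 words gives ~12.9 bits per word; 25 digits are ~83 bits.
words_needed = words_for_equivalent_strength(25, 7776)  # 7 words
```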

In this case you would want to consider very carefully how and when to require the pass phrase. Depending on the nature of the institutional attack, surveillance has to be considered, and either entering a passcode or saying a passphrase is a vulnerability. Ideally you would have a simpler security system for intermediate lockdowns, and only trigger a hard lockdown after a greater delay, a longer distance, or a limited number of failed attempts at the intermediate system. This is potentially vulnerable if the triggering mechanism can be disabled.

Conclusion

Security is a moving target. No solution I propose here would be forever secure. There are many different ways of providing security, and no doubt smart people at Apple are considering their options.

That said, while the fingerprint scanner is an incredible convenience, it is also a significant weakness. Some means of hardening it (or the system within which it works) is necessary.
