Home / Blogs

The FBI and the iPhone: Important Unanswered Questions

As you probably know, the FBI has gotten into Syed Farook’s iPhone. Many people have asked the obvious questions: how did the FBI do it, will they tell Apple, did they find anything useful, etc.? I think there are deeper questions that really get to the full import of the break.

How expensive is the attack?

Security—and by extension, insecurity—are not absolutes. Rather, they’re only meaningful concepts if they include some notion of the cost of an attack. If an attack is cheap, it can be used frequently; if it’s expensive, it will be reserved for high-value targets.

We don’t know anything about the cost. Did it require special hardware? Unusual skills?

How long does the attack take to carry out?

This attack took at most a few weeks to launch, probably less: the FBI would have wanted to test the exploit on unimportant phones before trying it on Farook’s phone. But there’s a big different between an exploit that takes a few seconds and one that takes several days. The former is a risk to, for example, business travelers crossing a border; the latter would likely be used only if there is already good reason to think that valuable information will be retrieved.

How easy is it to launch?

Can the attack be launched remotely, say via a carefully crafted text message? Does it require tethering to a computer? Does it work if the phone has been pair-locked to a particular computer? Do chips have to be unsoldered? Is special equipment necessary?

These questions are interesting because together, they define the risk to everyone else if the hole is not patched. More importantly, the answers set the parameters of the vulnerabilities equities discussion without divulging information that the FBI may consider too sensitive to reveal as yet. A cheap, fast, easy attack is a serious risk; an expensive, slow, difficult attack is a risk to only a few.

By Steven Bellovin, Professor of Computer Science at Columbia University

Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign