Apple’s refusal to comply with a judge’s demand that it help the FBI unlock a terrorist’s iPhone has triggered a roiling debate about how much the U.S. government can or should demand of tech companies.
It is also leading some experts to question the trustworthiness of one of the bedrocks of modern computer security: the way companies like Apple distribute software updates to our devices. Efforts are now under way to figure out how a company could make it impossible for agencies like the FBI to secretly borrow the systems used for those updates.
The FBI is asking Apple for two things: to supply software that would disable protections against guessing the device’s passcode, and to validate or “sign” that software so that the phone will accept it.
That second demand has left some experts horrified. In order to prevent our laptops and phones from being tricked into downloading malicious software, companies carefully guard the encryption keys they use to sign updates. “Signing keys are some of the crown jewels of the tech industry,” says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. “I don’t think anyone envisioned that the thing keeping malware at bay from very popular platforms like iOS could in itself be a weakness.”
Hall and others say that if Apple can be forced to sign updates for the FBI, then the government could use this tactic again and again, perhaps in secret.
To read more, click here.