Monday, March 14, 2016

A leading German IT security expert accuses Apple of profiteering in "Apple vs. FBI" and gets it wrong

Disclaimer: It gets very messy in this post. The blogster is taking on Dr. Sandro Gaycken, according to Frankfurter Allgemeine (FAZ), "among the leading IT security experts". So, if you are easily upset, we suggest as an alternative reading experience.

Mr. Gaycken has struck again, this time in an FAZ guest article, "Profit is Apple's only motivation", accusing Apple of double standards because "the Chinese government already has access to the iPhone".

The big statement is "It has long been known in security circles that Apple is willing to cooperate with repressive regimes in pursuit of profit". [Our translation of "Denn Apple ist in Sicherheitskreisen schon lange dafür bekannt, für seinen Profit eben doch mit repressiven Regimen zu kooperieren."] **

Let's have a look at the arguments, there are few, luckily, because the article is short.

Gaycken claim: Apple has always claimed it could not undo its own encryption. [Apple hat nämlich immer behauptet, selbst sie könnten nicht die eigene Verschlüsselung aufheben.]

True: Apple states: "And we can’t unlock your device for anyone because you hold the key — your unique password."
Apple acknowledged it can write code to unlock the phone in question.

For iCloud, Apple states: "This means that your data is protected from unauthorized access both while it is being transmitted to your devices and when it is stored in the cloud...never provides encryption keys to any third parties."
In short: Right now, although iCloud backups are encrypted, the keys for the encryption are also stored with Apple. This means that law enforcement can ask for this data to be provided from Apple’s servers. 

Gaycken uses the German word "aufheben", a smart choice because it does not commit to either "decrypt" or "unlock". This claim does not differentiate between the device and iCloud. His article does not acknowledge that Apple has the iCloud keys and can and will use them if lawfully requested. Yes, by, for example, the FBI.

Gaycken claim: When the iPhone 4S was introduced in China, it had to be equipped with the Chinese WAPI WiFi chip. [Als das iPhone 4S in den chinesischen Markt kam, musste es mit einem chinesischen Wifi-Chip, dem WAPI, ausgestattet werden.]

True: This is correct for the iPhone 4S. What he fails to say is that Apple sold an iPhone without WiFi capability in China before the 4S, presumably because Apple did not want to use the Chinese-designed WAPI chip. Critically, Gaycken fails to mention that millions of unlocked, foreign-bought iPhones flooded China - no WAPI chip in these. At the time of this article from 2009, the estimate was two million unlocked, no-WAPI-chip iPhones.
Gaycken also fails to state that the WAPI chip was dropped in later models.

Gaycken claim: Since 2014, the data of Chinese iCloud users has been stored exclusively in China. Presumably, this was part of a deal between Apple and Beijing to allow the sale of the iPhone 6, which was introduced shortly afterwards. [Seit 2014 werden die Daten chinesischer iCloud-Nutzer nur noch in China gelagert. Ein Deal zwischen Apple und Peking, vermutlich um das iPhone 6 verkaufen zu dürfen, das kurz danach freigegeben wurde.] China Telecom may not be able or allowed to access the data. But the authorities for sure can. The laws are unambiguous. [China Telecom mag nicht auf die Daten zugreifen dürfen oder können. Aber die Behörden dürfen dies ganz sicher. Die Gesetze sind da mehr als eindeutig.]

True: That's correct. But U.S. laws are also very clear on iCloud access. There is no difference in principle. The argument only works by omitting the legal situation in the U.S. and other countries.

Gaycken claim: Shortly after the launch of the iPhone 6, there was a massive attack on the data paths between the iPhones and the iCloud, in which the attackers - indications point to the Chinese government - used counterfeit Apple certificates to obtain all user names and passwords of Chinese iPhone users. All Chinese iPhone users.
[So kam es dort bereits kurz nach dem Verkauf des iPhone 6 zu einem massiven Angriff auf die Datenwege zwischen iPhones und iCloud, bei dem der Angreifer – Hinweise verdichteten sich um die chinesische Regierung – mittels gefälschter Apple-Zertifikate alle Nutzernamen und Passwörter der chinesischen iPhone-Nutzer abgefischt hat. Aller chinesischen iPhone-Nutzer.]

True: The man-in-the-middle attack did occur. However, the claim that "all user names and passwords of Chinese iPhone users" were obtained in the attack cannot be verified. Already at the time, both Firefox and Chrome prevented users from accessing iCloud in a man-in-the-middle attack scenario.
Gaycken is just making up the "all".

He leverages somewhat understandable criticism against Apple as far as Apple not being explicit about the exact nature of the theft as well as those presumably responsible. But that's nothing compared to, say, German IT security communication.
He also fails to mention that an attack on Microsoft happened at the same time.

One point Gaycken could have made but didn't is that Apple has repeatedly removed apps from its App Store at the request of the Chinese authorities.

Conclusion: Gaycken conflates iCloud and the iPhone and makes no attempt to differentiate the current abilities of authorities to access the two distinct repositories.
As one of Germany's leading IT security people, he should know - or google for a few minutes and check the ample Twitter references.
If China has such great access to "the iPhone", why did it need to run a huge man-in-the-middle attack in the first place?
He also fails to address the millions of unlocked non-WAPI phones, which would have taken some bite out of the double standard argument because Chinese users benefited from a double standard.****

Thanks for reading. Oh, and Mr. Gaycken has also advised NATO on cyber security.***

Hey NATO, offer me that job, will ya?

** As a NATO advisor, Mr. Gaycken might be familiar with cooperation with repressive regimes. Or one would hope that his view of, say, Turkey is realistic. And show me any major company that does cooperate with repressive regimes.
Shucks, I think I just killed any chance of a job offer.

*** NPR on experts.

**** Assuming WAPI was backdoored, and accepting the generic flaws of contemporary standard WiFi.
