I recently covered the famous battle between Apple and the FBI whereby the FBI wanted Apple to assist them in gaining access to a government-owned iPhone utilized by Syed Farook, one of those responsible for a massacre in San Bernardino, CA late last year. My article focused on best practices for mobile device management in order to prepare for and respond to similar situations from a technical perspective.
As a result, I recently got in touch with Nikias Bassen, head of iOS security research at Zimperium's zLabs, in order to discuss the concept further. As a background, Zimperium performs in-depth security research on iOS and recently discovered iOS and OS X vulnerability CVE-2016-1722, "which can allow an attacker to execute code with root privileges on iOS devices running any version between 6.0 to 9.2." Apple patched this bug in its January security update.
Scott Matteson: "Is the battle between Apple and the FBI - whereby Apple claims that protecting consumers is their top priority and the FBI says the same about protecting citizens - being accurately depicted? If not, where are the discrepancies?"
Nikias Bassen: "The device in question is of an older generation and has weaker security than newer models. The FBI and other agencies would have probably been able to brute force its passcode on their own or through a 3rd party company at a reasonable price."
SM: "What could/should Apple have done differently when responding to FBI demands? What did they do properly?"
NB: "Apple did the right thing by refusing to follow demands to backdoor their products and by educating the public about the dangers of such measures. Apple did comply with the search warrant to get the FBI the iCloud backup data - which may have been useful if the FBI hadn't reset the iCloud account password."
SM: "Can you tell us a bit about the basics of iOS security?"
NB: "iOS has many security features for different purposes and levels of protection, so it is difficult to cover all of them in a simple answer. Regarding this case, the most important security features are the secure boot chain and the filesystem encryption. The secure boot chain is what prevents loading boot images that are not Apple-approved (like ramdisk, kernel, etc.). The entire filesystem is encrypted and, on top of that, certain files are additionally encrypted and can only be decrypted after the device has been unlocked with a passcode. These files include Messages, Contacts, Photos, and so on and are not readable until a valid passcode is entered. Other features are code-signing, sandboxing, etc. but they are not especially relevant to this particular case."
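The key hierarchy behind the file-level encryption Bassen describes is worth seeing end to end. The following is an added, simplified model (not code from Apple, Zimperium, or the original article): each file gets its own random key, that key is wrapped under a per-class key, and the class key for passcode-protected files is itself wrapped under a key derived from the passcode and tangled with a device-unique UID, so it can only be derived on the device. The HMAC-SHA256 keystream and PBKDF2 derivation below are stand-ins for the AES and Apple-specific KDF used by real iOS Data Protection; the two protection class names are real Foundation constants, everything else is constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Stand-in for AES: an HMAC-SHA256 keystream in counter mode XORed with the data.
# Symmetric, so the same call both encrypts and decrypts. Not a real cipher.
def keystream_xor(key, nonce, data):
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(kek, key):
    """Wrap a key under a key-encryption key; returns (nonce, wrapped || tag)."""
    nonce = secrets.token_bytes(16)
    wrapped = keystream_xor(kek, nonce, key)
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return nonce, wrapped + tag


def unwrap(kek, nonce, blob):
    """Unwrap a key; the tag check makes a wrong passcode fail loudly."""
    wrapped, tag = blob[:-32], blob[-32:]
    expect = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key: unwrap failed")
    return keystream_xor(kek, nonce, wrapped)


def passcode_key(passcode, uid, salt):
    # Hypothetical derivation: stretch the passcode, then tangle it with the device
    # UID. Without the UID (which never leaves the hardware) the key cannot be
    # computed, so passcode guessing has to happen on the device itself.
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)
    return hmac.new(uid, stretched, hashlib.sha256).digest()


NONE = "NSFileProtectionNone"          # readable once the device has booted
COMPLETE = "NSFileProtectionComplete"  # readable only while the device is unlocked


class Device:
    def __init__(self, passcode):
        self.uid = secrets.token_bytes(32)       # constructed stand-in for the fused UID
        self.salt = secrets.token_bytes(16)
        self.boot_key = secrets.token_bytes(32)  # available to the OS at boot
        # Keybag: class keys are stored wrapped. NONE is wrapped under the boot key;
        # COMPLETE is wrapped under the passcode-derived key.
        self.keybag = {
            NONE: wrap(self.boot_key, secrets.token_bytes(32)),
            COMPLETE: wrap(passcode_key(passcode, self.uid, self.salt),
                           secrets.token_bytes(32)),
        }
        self.unlocked = {}   # protection class -> plaintext class key held in memory
        self.files = {}      # path -> (class, fk_nonce, wrapped file key, nonce, ciphertext)
        self.boot()

    def boot(self):
        nonce, blob = self.keybag[NONE]
        self.unlocked = {NONE: unwrap(self.boot_key, nonce, blob)}

    def unlock(self, passcode):
        nonce, blob = self.keybag[COMPLETE]
        try:
            kek = passcode_key(passcode, self.uid, self.salt)
            self.unlocked[COMPLETE] = unwrap(kek, nonce, blob)
            return True
        except ValueError:
            return False

    def lock(self):
        self.unlocked.pop(COMPLETE, None)   # class key is discarded from memory

    def write(self, path, data, protection):
        class_key = self.unlocked[protection]   # writing also needs the class key
        file_key = secrets.token_bytes(32)
        fk_nonce, wrapped_fk = wrap(class_key, file_key)
        nonce = secrets.token_bytes(16)
        self.files[path] = (protection, fk_nonce, wrapped_fk, nonce,
                            keystream_xor(file_key, nonce, data))

    def read(self, path):
        protection, fk_nonce, wrapped_fk, nonce, ct = self.files[path]
        if protection not in self.unlocked:
            raise PermissionError(f"{path}: class {protection} is locked")
        file_key = unwrap(self.unlocked[protection], fk_nonce, wrapped_fk)
        return keystream_xor(file_key, nonce, ct)


def demo():
    """Write one file per class, lock the device, and report what is still readable."""
    dev = Device("1234")
    dev.unlock("1234")
    dev.write("Messages/sms.db", b"hello", COMPLETE)       # constructed sample paths
    dev.write("System/config.plist", b"settings", NONE)
    dev.lock()
    readable = {}
    for path in dev.files:
        try:
            readable[path] = dev.read(path)
        except PermissionError:
            readable[path] = None
    return readable
```

Running `demo()` shows the point of the interview answer: after the device locks, the file in the `NSFileProtectionNone` class still decrypts, while the file in `NSFileProtectionComplete` cannot be read at all until a correct passcode unwraps its class key again. Because the passcode key is tangled with the UID, every guess must be tried on the device, which is why the secure boot chain (preventing unapproved boot images that could remove attempt limits) matters as much as the encryption itself.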
SM: "Do you foresee the government passing laws mandating 'backdoor' access to operating systems which can be obtained via court order?"
NB: "Any government who would pass such laws would put its own users - government employees - at risk. Once a backdoor is created, parties other than the original creator of the backdoor could use the same technique. Once the public discovers a backdoor, a vendor complying with such requests would lose credibility. In other cases, vendors could relocate from one country to another just to avoid complying with such orders. In that particular case, the country generating such laws would suffer economic losses (jobs, taxes paid by the vendor, etc)."
On a related note, Zimperium will offer a new cybersecurity threat protection solution called "Mobile Protect Pro" to Deutsche Telekom in order to help protect their business customers and reduce the business risks posed by an increasingly mobile workforce.
"As malicious hackers shift their attention to mobile devices, we are laser-focused on helping companies and employees get protection against the broadest array of device, network, and application based mobile attacks, in real-time," said Shridhar Mittal, CEO of Zimperium, Inc. "Deutsche Telekom shares this same goal, so we're thrilled to be working together on their Mobile Protect Pro solution."
Some key elements of Mobile Protect Pro:
- Detects new and/or unknown malware breeds via machine-learning algorithms
- Continuously checks the device for threats based on these algorithms, unlike other solutions that require communication with cloud systems to scan surveillance data for possible threats
- Safeguards applications
- Prevents attacks through Wi-Fi or other connections
- Provides the ability to block compromised or suspected devices from company networks
- Sends alarms and forensics to a centralized management platform when threats are detected
- Allows customized user notifications when devices are compromised
- Features a low operational overhead which does not result in network/communication latency
- Works on both Android and iOS
Zimperium said, "these possibilities greatly increase the spectrum of detectable attacks, including a) attacks against mobile devices themselves and b) attacks against the company infrastructures that can be reached via such devices. Mobile Protect Pro detects attack vectors that are unknown to, or inaccessible for, mobile device management systems, and thereby greatly facilitates the initiation of adequate defense measures. At the same time, the combination of mobile device management and device-based attack detection enables reliable detection of compromised (i.e., infected) devices and automatic termination of their access to company data."
In terms of cost and availability, "As of April, Mobile Protect Pro will become available for selected pilot customers, free of charge, and in a proof-of-concept framework. In summer 2016, it will then become available to business customers for their regular operations. The solution is expected to cost only a few hundred cents per device per month, even for small business customers, and it is being offered by Deutsche Telekom in the role of exclusive German partner. Zimperium's solution will be available from DT's provisioning portal and the app will be available in the public app stores for download."
Regardless of whether you or your users utilize Deutsche Telekom, a solution such as Mobile Protect Pro, which contains elements that should be part of any comprehensive cybersecurity package, can work hand-in-hand with mobile device management techniques in order to provide mobile users (and those who support them) greater security advantages in today's ever-evolving mobile landscape.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.