Cops and spies should blame THEMSELVES for smartphone crypto 'problem' - Hyppönen
Spooks are 'imperfect' warns top securo-bod
IP Expo Law enforcement and intel agencies have no right to complain about the improved security of smartphones because they brought the problem on themselves, according to security guru Mikko Hyppönen.
Policing and government officials on both sides of the Atlantic have been vociferous in their complaints about Apple and Google's respective decisions to include more effective encryption on their smartphones.
FBI Director James Comey, US attorney general Eric Holder and Europol boss Troels Oerting have all waded in to say that the changes would make life difficult for law enforcement.
“Governments annoyed by companies taking a stand on security should remember they caused this themselves by hacking companies from their own countries,” Mikko Hyppönen, chief research officer at F-Secure, told El Reg.
“Instead of just considering attacks from criminals some of the largest software companies have to consider attacks from their own governments too.”
Hyppönen singled out the Flame malware which spread using Microsoft’s software update mechanism back in 2012. “The binary was signed but not by Microsoft,” Hyppönen explained. “Forging this would have been impossible without access to a supercomputer. This was NSA malware,” he said.
The cyberspy tool offered a marginal gain for intel agencies while having the far more significant and damaging effect of demising trust in Microsoft’s software update mechanism, which is used by millions of businesses and consumers worldwide.
Against this background it’s not surprising that IT giants are introducing encryption links between data centres, always-on crypto to their websites and (in the case of Apple and Google) improving smartphone encryption.
Apple has tweaked file encryption in iOS 8 so that Apple doesn't hold people's crypto-keys and therefore can't be forced to hand them over to law enforcement. An iPhone or iPad's passcode is used to create the encryption and decryption key. Google has since promised to do something similar with Android smartphones.
There’s always the possibility of undocumented features but Apple’s PIN-code changes for the iPhone “seems to be strong”, according to Hyppönen.
He pointed out that although the move may safeguard data on protected smartphones intel and police agencies would still have the same access to call record metadata about things like their location, as well as who they are calling and how long a call lasts.
The Lives of Others
El Reg caught up Hyppönen as he was giving a presentation on Living in a Surveillance State at the IP Expo conference in London last Wednesday.
"George Orwell was an optimist," Hyppönen told conference delegates during his packed-out talk. "Governments can not only watch what you do (telescreens) but what you think" by monitoring web searches through tools such as PRISM.
"Show me your search history and within five minutes I'll find something embarrassing or incriminating. Guaranteed," Hyppönen added.
Hyppönen's talk covered the current use of Android and iPhone trojans targeted protesters at Hong Kong as well as the spying of engineers at telcos by GCHQ spies, among other topics.
“I’m not against surveillance per se: I’m against blanket surveillance,” Hyppönen later told El Reg. “There’s a trade off between privacy and security."
"Law enforcement is imperfect so the question is whether or not it’s a good trade off to have blanket surveillance,” he added.
The security veteran went on to refer to the controversy about the weak Dual_EC_DRBG pseudo-random number generator, a key component of crypto systems shipped by the likes of RSA Security for years and now widely viewed as an NSA backdoor.
“Intel agencies will go to any means to get what they want. I can understand why they might want to infiltrate standards bodies and push weaker cryptography but that weakens everybody’s security.”
Law enforcement has been pushing technology vendors to put backdoors into their products since the days of the Clipper Chip. The concept was defeated and the right to export cryptography secured back in the 90s. Now the spooks are back and stronger than ever, according to a veteran of what became known as the First Crypto War, which security experts (here and here) argue is being fought along the same lines once again in the wake of the Snowden revelations.
“This is a golden age for law enforcement,” Jon Callas, Blackphone CTO and PGP alumni told El Reg. “They are nine steps ahead of where they were a few years ago”
Apple and Google are responding to the same need to be safe coming from smartphone users that Blackphone is trying to address, he added. ®