Not to Encrypt iCloud: Today Reuters claimed that Apple did bow to pressure from the Federal Bureau of Investigation (FBI). As they reportedly demanded that the Cupertino firm drop plans to roll out end-to-end encryption for iCloud device backups, alleging doing so would harm investigations.
Although Apple pressured from the FBI in 2016 wanted it to add a backdoor to iOS to bypass code. As it limits password guesses to ten attempts. It’s never employed end-to-end encryption for iOS device backups in iCloud, and now we know why.
- 0.1 From the report:
- 0.1.1 According to a former Apple employee – Not to Encrypt iCloud:
- 0.1.2 According to the Company’s Latest Transparency Report:
- 0.1.3 According to 9to5Mac’s Benjamin Mayo:
- 0.1.4 According to Apple – Not to Encrypt iCloud:
- 0.1.5 Jack Nicas, writing for The New York Times:
- 0.1.6 So, what does all of the above amount to?
- 0.2 According to Daring Fireball‘s John Gruber:
- 1 Conclusion:
From the report:
About two years ago the tech giant’s reversal has not previously been reported. It displays how much Apple has been willing to help US law enforcement and also intelligence agencies. Besides taking a tough line in high-profile legal disputes with the government and casting itself as a defender of its customers’ information.
According to a former Apple employee – Not to Encrypt iCloud:
The Cupertino tech giant was inspired to avoid bad PR and didn’t want to be painted by public officials as an enterprise that secures criminals.
“They plan they weren’t going to jab the bear anymore,” the person said. Another employee said, “legal destroy it, for reasons you can imagine”.
Apple also admits to providing iOS device backups from iCloud to law enforcement agencies.
According to the Company’s Latest Transparency Report:
Examples of such requests are where LEA – law enforcement agencies are working on behalf of customers. As they requested assistance regarding lost or stolen devices. Also, Apple regularly receives multi-device requests related to spam investigations. Generally, device-based requests pursue details of customers associated with devices or device connections to Apple services.
According to 9to5Mac’s Benjamin Mayo:
End-to-end encryption works by making an encryption key that is based on those factors that are not stored on the server. It means twisting the key with a user password or other cryptographic key stored on the hardware of the local iPhone or iPad. Also, if someone hacked into the server and allow access to the data, the data would look like random noise without having the twisted key to decode it.
Currently Apple stores iCloud backups in a non-end-to-end encrypted manner.
As it means that the decryption key is stored on Apple’s servers. If police come to Apple having a subpoena, then the company provides over all of the iCloud data — including the decryption key. For instance, whilst the iMessage service is end-to-encrypted, the conversations saved in an iCloud backup are not.
According to Apple – Not to Encrypt iCloud:
It ensures you can also recover your Messages. “While turning off iCloud Backup, a new key is created on your device to secure future messages and isn’t stored by Apple”. The company claims in a support document on its website outlining iCloud security.
Also, Apple employs iCloud end-to-end encryption. For those things like your calendar entries, the Health database and saved Wi-Fi passwords, iCloud Keychain, but not your photos, files in your iCloud Drive, emails and other categories.
That doesn’t mean that Apple’s latest iPhones are insecure or liable to hacking with tools like the GrayShift device or the Cellebrite software. As it means that iOS can be hacked.
What tools like GrayKey do is guess the password by utilizing bugs in the iOS operating system to wipe the limit of ten password attempts. After deleting this software, such tools simply take benefit of a brute-force attack to try thousands of passcodes until one works.
Jack Nicas, writing for The New York Times:
That approach means the wild card entry in the Pensacola case. If it’s six numbers the default on iPhones official certainly can break it. If it’s longer, it might be impossible.
A four-number passcode, the earlier default length, would take on average about seven minutes to guess. If it’s six digits, it takes an average of about 11 hours. Also, if its eight digits then it takes 46 days. If it’s ten digits then it takes 12.5 years.
If the passcode uses both letters and numbers, then there are far more possible passcodes thus breaking it takes much longer. A six-character alphanumeric passcode would take on average 72 years to guess.
It takes 80 milliseconds for an iPhone to complete each guess. With the delay, it can try only 12 a second.
Your key should take 80 millisecond processing time for passcode evaluation. Because that limitation is compulsory in hardware by the Secure Enclave.
So, what does all of the above amount to?
According to Daring Fireball‘s John Gruber:
If you’re anxious about your phone security, then use an alphanumeric passphrase as your passcode. Make sure you do not use a 6-digit numeric passcode.
And when it comes to encryption, Apple recommends that it cannot and will not overthrow the encryption on the device. Here’s the following latest Transparency Report:
We have always maintained there is no such thing for the good guys. Those who use Backdoors can also destroy our national security and the data security of our customers. Today, law enforcement has access to more data than ever before in history. So Americans do not have to pick between weakening encryption and solving investigations. We strongly encryption is vital to securing our country and our users’ data.
Here’s all about Not to Encrypt iCloud. What are your views about the latest Apple vs FBI, and encryption in general? Let us know in the comment section below. Drop a comment if you want to share anything else.