If you’ve been online in the last few weeks you may have caught wind of a high profile battle of will between Apple and the FBI.
To summarise: The FBI want to gain access to an iPhone recovered from the San Bernardino massacre last year, but due to the security policies in place by Apple it is not currently possible. Should they try to brute force it, it’ll wipe itself after 10 failed attempts. To work around this the FBI want Apple to create a version of iOS that will remove this policy, essentially allowing the FBI to try all 10,000 possible combinations.
Creating this version of iOS in itself is no particularly difficult task; it is the aftermath that has the tech world concerned. Tim Cook himself said it best:
the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
While the FBI have been on the defensive, it’s recently come to light the DoJ could have about a dozen more iPhones they’ll want unlocking in the near future. The FBI winning this argument sets a disturbing precedent for the future of smartphone security and privacy, and to say it won’t ever fall into the wrong hands would be naïve.
The iPhone in question belonged to and was issued by San Bernardino county; a county that apparently uses an Enterprise Mobility Management platform to manage their mobile estate, but for reasons only they would be able to provide have not enrolled all of their devices – including this iPhone.
I spend a lot of time talking and writing about the advanced functionalities EMM suites are capable of providing – app management, location tracking, message/telephone histories, containerisation of apps/services and so much more. Yet at its core, every platform has one thing in common – device management.
That means enforcing security policies: encryption, passcodes, black/white lists and restrictions on capabilities of devices. But just as these policies can be enforced, it also means San Bernardino could have just as easily reset the PIN used to secure the iPhone in question and allowed the FBI access to the device with little effort.
San Bernardino could have resolved this fight before it even started.
The circumstances leading up to this are awful and tragic, but it shows the importance of MDM and managing corporate data. While Apple and the FBI/DoJ continue to publicly lambaste each other over who should do what, businesses with a fool-proof MDM strategy can take comfort in knowing they’ll never have to become subject to the same gruelling fight to extract data from their devices should the need ever become apparent. Obviously not necessarily in circumstances such as this, but any situation where extracting information may be warranted – fraud, anti-competitive practices, interpersonal issues, etc.
As mobile devices continue to dominate every aspect of our lives it is vital that we take steps to secure and manage them. If Apple wins this argument, and for the sake of privacy and security I hope they do, it will only reinforce the notion that businesses have to be responsible for their own devices, their own corporate data, and they can’t rely on someone else to try to put the entire industry at risk if they are not.