When cryptographers looked at iOS and Android security, they weren't happy

For years, the U.S. government has begged Apple executives to create a backdoor for law enforcement. Apple publicly resisted, arguing that any such law enforcement move would quickly become a backdoor for cyberterrorists.
Good security protects us all, the argument continued. More recently, however, the federal government has stopped asking for a workaround to get through Apple's security. Why? It turns out they managed to break through on their own. iOS security, as well as Android security, is not as strong as Apple and Google have suggested.

A cryptography team at Johns Hopkins University has just released an extremely detailed report on the top two mobile operating systems. Bottom line: Both have great security, but don't extend it far enough. Anyone who really wants to get in can do so with the right tools.

For CIOs and CISOs, this reality means that all those ultra-sensitive discussions taking place on employee phones (whether corporate or BYOD) could be easy pickings for any corporate spy or data thief.

It's time to dig into the details. Let's start with Apple's iOS and the point of view of the Hopkins researchers.

“Apple encourages the widespread use of encryption to protect user data stored on the device. However, we have observed that a surprising amount of sensitive data held by embedded applications is protected by a low protection class, ‘available after first unlock’ (AFU), which does not eject decryption keys from data memory when the phone is locked. The impact is that the vast majority of sensitive user data in Apple's built-in apps can be accessed from a phone that is logically captured and operated while on but locked. We found circumstantial evidence in DHS proceedings and investigative documents that police now routinely exploit the availability of decryption keys to capture large amounts of sensitive data from locked phones.”

Well, that's the phone itself. What about Apple's iCloud service? Is there anything there? Oh yes, there is.

“We took a look at the current state of data protection for iCloud and determined, unsurprisingly, that enabling these features transmits a large amount of user data to Apple servers, in a form that can be accessed remotely by criminals gaining unauthorized access to a cloud user account, as well as authorized law enforcement agencies with subpoena power. More surprisingly, we identified several counterintuitive features of iCloud that increase the vulnerability of this system. As an example, Apple's ‘Messaging in iCloud’ feature advertises the use of an end-to-end encrypted container that is inaccessible to Apple to sync messages between devices. However, activating iCloud Backup together results in the decryption key for that container being uploaded to Apple's servers in a form that Apple, and potential attackers or law enforcement, can access. We also found that Apple's iCloud Backup design results in the transmission of device-specific file encryption keys to Apple. Since these keys are the same ones used to encrypt data on the device, this transmission can present a risk in the event that a device is later physically compromised.”

What about Apple's famous Secure Enclave Processor (SEP)?

“iOS devices impose strict limits on password guessing attacks using a dedicated processor called SEP. We reviewed the public investigation log to examine evidence that clearly indicates that as of 2018, passcode guessing attacks were possible on SEP-enabled iPhones using a tool called GrayKey. To the best of our knowledge, this likely indicates that a SEP software bypass was available in the wild during this time.”

What about Android security? For starters, its encryption protections seem to be even worse than Apple's.

“Like Apple iOS, Google Android provides encryption for files and data stored on the drive. However, Android's encryption mechanisms offer fewer gradations of protection. In particular, Android does not provide any equivalent of Apple's Full Protection (CP) encryption class, which removes decryption keys from memory shortly after the phone is locked. Therefore, Android decryption keys remain in memory at all times after ‘first unlock’ and user data is potentially vulnerable to forensic capture.”

For CIOs and CISOs, that means you have to trust either Google or Apple or, much more likely, both. And you also have to assume that thieves and law enforcement can also access your data whenever they want, as long as they can access the physical phone.
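
For teams that ship their own iOS apps, the AFU-versus-CP distinction the researchers describe is visible per file through Foundation: AFU corresponds to `FileProtectionType.completeUntilFirstUserAuthentication` and CP to `FileProtectionType.complete`. The following is an added example, not code from the article or the Hopkins report; it lists files in an app's container that are not in the CP class and shows how to create or move a file into it. The function names are illustrative.

```swift
import Foundation

// Added example. Function names are illustrative, not Apple APIs.

/// Files under `root` that are NOT in the Complete Protection class
/// (for example the AFU class, .completeUntilFirstUserAuthentication).
func auditProtection(under root: URL) -> [(path: String, protection: FileProtectionType?)] {
    var weak: [(path: String, protection: FileProtectionType?)] = []
    let fm = FileManager.default
    guard let walker = fm.enumerator(at: root, includingPropertiesForKeys: [.isRegularFileKey]) else {
        return weak
    }
    for case let url as URL in walker {
        let isFile = (try? url.resourceValues(forKeys: [.isRegularFileKey]))?.isRegularFile ?? false
        guard isFile else { continue }
        // A missing or unreadable attribute is reported as nil, never assumed safe.
        let attrs = try? fm.attributesOfItem(atPath: url.path)
        let cls = attrs?[.protectionKey] as? FileProtectionType
        if cls != FileProtectionType.complete {
            weak.append((path: url.path, protection: cls))
        }
    }
    return weak
}

/// Creates a file directly in the Complete Protection class.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Moves an existing file into the Complete Protection class.
func raiseToComplete(_ url: URL) throws {
    try FileManager.default.setAttributes(
        [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
}

/// Call from inside an iOS app: prints every file in Documents that is below CP.
func reportWeakFiles() {
    let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    for item in auditProtection(under: docs) {
        print("\(item.protection?.rawValue ?? "no protection attribute")  \(item.path)")
    }
}
```

Files in the Complete Protection class cannot be opened while the device is locked, so any background code that touches them has to handle the read failing.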
Copyright © 2021 IDG Communications, Inc.