Nicholas Weaver on iPhone Security
Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese. But many (perhaps most) users don't configure their phones right. Beyond just waiting for the suspect to unlock his phone, most people either use a weak 4-digit passcode (that can be brute-forced) or use the fingerprint reader (which the officer has a day to force the subject to use).
Furthermore, most iPhones have a lurking security landmine enabled by default: iCloud backup. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages! About the only information of value not included in this backup are the known WiFi networks and the suspect's email, but a suspect's email is a different warrant away anyway.
Finally, there is iMessage, whose "end-to-end" nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage's encryption does not obscure any metadata, and as the saying goes, "the Metadata is the Message". So with a warrant to Apple, the FBI can obtain all the information about every message sent and received except the message contents, including time, IP addresses, recipients, and the presence and size of attachments. Apple can't hide this metadata, because Apple needs to use this metadata to deliver messages.
He explains how Apple could enable surveillance on iMessage and FaceTime:
So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future. A similar modification, adding an FBI key to every request Alice makes for any keys other than her own, enables tapping all messages sent by Alice. There are similar architectural vulnerabilities which enable tapping of "end-to-end secure" FaceTime calls.
There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing. This might explain Apple CEO Tim Cook's somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.
Posted on August 6, 2015 at 6:09 AM • 39 Comments