28 March 2016
As you probably know (if you read this blog), the FBI has gotten into Syed Farook's iPhone. Many people have asked the obvious questions: how did the FBI do it, will they tell Apple, did they find anything useful, etc.? I think there are deeper questions that really get to the full import of the break.
- How expensive is the attack?
- Security—and by extension, insecurity—are not absolutes.
Rather, they're only meaningful concepts if they include
some notion of the cost of an attack. If an attack is
cheap, it can be used frequently; if it's expensive, it
will be reserved for high-value targets.
We don't know anything about the cost. Did it require special hardware? Unusual skills?
- How long does the attack take to carry out?
- This attack took at most a few weeks to launch, probably less: the FBI would have wanted to test the exploit on unimportant phones before trying it on Farook's phone. But there's a big different between an exploit that takes a few seconds and one that takes several days. The former is a risk to, for example, business travelers crossing a border; the latter would likely be used only if there is already good reason to think that valuable information will be retrieved.
- How easy is it to launch?
- Can the attack be launched remotely, say via a carefully crafted text message? Does it require tethering to a computer? Does it work if the phone has been pair-locked to a particular computer? Do chips have to be unsoldered? Is special equipment necessary?
These questions are interesting because together, they define the risk to everyone else if the hole is not patched. More importantly, the answers set the parameters of the vulnerabilities equities discussion without divulging information that the FBI may consider too sensitive to reveal as yet. A cheap, fast, easy attack is a serious risk; an expensive, slow, difficult attack is a risk to only a few.