CIA leak to WikiLeaks underscores iPhone security risks

One year ago, the FBI asked Apple to create a backdoor into the iPhone and give the key to the FBI so that the FBI could use it — most immediately, to access an iPhone used by one of the shooters in terrorist attacks in San Bernardino, California, but other law enforcement officials soon announced that they also could use such a key to help them to investigate other crimes.  Apple refused.  Even if the FBI had the best of intentions, there was simply too much of a risk that any such tools created by Apple and given to the FBI would eventually end up in the hands of bad guys.  As Tim Cook stated in an open letter posted on the Apple website, “Once created, the technique could be used over and over again, on any number of devices.  In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes.”  After full briefing, the FBI ultimately backed down in the San Bernardino case, saying that it found another way to access the iPhone in question, but I always thought that Apple had the better argument.

I thought about this yesterday when WikiLeaks released documents that it claims are from the CIA detailing techniques created by the CIA to hack into the iPhone and other devices.  As the New York Times reports:  “In what appears to be the largest leak of C.I.A documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.”  If even the CIA could not manage to prevent disclosure of the secret tools that it created for breaking into devices, how could the FBI be expected to safeguard any tool that everyone would know that it forced Apple to create?

As for the specific iPhone vulnerabilities made available by WikiLeaks, Apple said in a statement released to many news organizations, such as TechCrunch, that many of the exploits had already been fixed:

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.

Notably, Apple did not state that all of the vulnerabilities had already been fixed.  This makes me think that there may now be one or more techniques described in the WikiLeaks document that could currently be used, under the right circumstances, to gain access to an iPhone.

Every iPhone user should be concerned about security because we all keep private information on our smartphone, but lawyers should of course pay particular attention to iPhone security because so many of us keep confidential attorney-client communications on our iPhones.  I am not aware of any reported incident in which a bad guy was able to access, remotely or otherwise, confidential information on a lawyer’s iPhone.  And given Apple’s focus on maintaining and enhancing iPhone security, I hope that no such incident ever occurs.  But there is always a risk, and that is why I encourage all attorneys to install iOS updates when Apple releases them.  Almost every iOS update addresses security in some way, and I suspect that Apple’s next iOS update — and perhaps the new few updates — will address issues relating to the CIA documents.

If there is a silver lining to this latest news, hopefully it will help courts to realize that Apple should not be ordered to create an iPhone skeleton key for the FBI or anyone else.  Once any such tool is created, you have to assume that, eventually, it will find its way into the wrong hands.