Are we doomed to repeat the mistakes of the past? With a little luck, we are. I know that sounds rather pessimistic, but in light of the current FBI and Apple battle over encryption security, we are standing at a familiar crossroads. The last time the U.S. avoided widespread security failure was with the ill-proposed Clipper Chip in 1993. The Clipper Chip was invented by the NSA to ensure that all telecommunications companies would encrypt their devices with a chipset that also conveniently allowed backdoor access for the NSA. It was proven to be vulnerable to brute force attacks in a security paper published by Matt Blaze in 1994, and as a result the entire project was defunct by 1996. Just imagine if that vulnerability hadn’t been caught. We would’ve been well on our way to having potentially every phone spied on, not only by our own government but by hackers and foreign agents exploiting security holes in the Clipper Chip. Now multiply that situation by every single device on the internet and you start to see the encryption and security issues facing IoT.
Ask For a Warrant, Not Permission
Before the dust on the whole Clipper Chip thing had even settled, the Clinton administration passed the CALEA statute in late 1994. Fearing the unfettered growth of unmonitored digital voice communications, Congress enacted CALEA to require all U.S. telecommunications companies to ensure law enforcement could digitally wiretap any device, provided they produced a court order. Soon after, providers of VoIP (Voice over Internet Protocol) were also compelled to hand over communications to the Feds when presented with a warrant, but these intercepts were still limited to conversations between two parties. And while this gave law enforcement rather broad capabilities, they still had to present legal documents before the digital wiretapping that internet companies would then facilitate could take place. You didn’t have mass data collection systems capable of intercepting and recording every piece of information about us…yet.
Fast forward to this decade. We now walk around with smartphones holding more data on us than all the wiretaps in the world could ever deliver. Leading the charge in smartphone technology is Apple and its massively popular iPhone. As early as 2012, Apple had passed a key security threshold, according to MIT Technology Review.
“I can tell you from the Department of Justice perspective, if that drive is encrypted, you’re done,” Ovie Carroll, director of the cyber-crime lab at the Computer Crime and Intellectual Property Section in the DOJ, said during a keynote address at a DFRWS computer forensics conference.
This is because iPhones are encrypted end to end, in both hardware and software. Regardless of the FBI’s true capabilities, it has admitted to not being able to hack modern iPhones and is now compelling Apple, through the courts, to build a backdoor into a single iPhone 5C. That doesn’t sound like much, but the precedent set by such compliance is already beginning to send shockwaves through the security and tech communities. So we’ve come a long way from the mid-’90s and yet come back full circle. There are far too many smartphones to be unlocked, and law enforcement just doesn’t have the time or resources to do it without forcing tech companies to do it for them. So where does IoT come into all of this?
With Great Connectivity Comes Great Responsibility
IoT, or the Internet of Things, is poised to dominate the latter half of this decade. We are promised that billions of devices will be connected and offer convenience and value to our digital lives. If the smartphone is the hub, then the smart toaster, car, thermostat and Bluetooth speaker are the spokes leading to that hub. So what if that hub is fundamentally flawed in its security? We already know that the spokes are flawed. In 2015, hackers took control of a Jeep remotely. In that same year, Nest thermostats were hacked as part of a demonstration at the Black Hat USA conference. The point is that IoT devices are the wild west of security, and without a sheriff or an industry standard, all of them are left vulnerable.
The conversations we are having right now on encryption are beginning to wake the IoT industry up to the dangers of weak security facing billions of devices. Unfortunately, the government’s basic lack of security understanding risks undermining that entire effort. We need government to legislate and law enforcement to prosecute bad actors, but if they can’t distinguish between the citizens’ privacy they are constitutionally employed to protect and the terrorists and hackers they are commissioned to prosecute, they will never be effective in helping IoT stability and security advance. It’s not government’s job to innovate and drive the tech industry, just as it’s not Apple’s job to help police terrorism by weakening its own security.
Tech companies have assisted and will continue to assist law enforcement with smartphone data extraction, but will they keep doing so when that same government threatens their core business and all of their customers’ privacy in the process? The same trials and tribulations that the smartphone industry currently faces are just around the corner for the IoT industry.