This week saw two major pieces of security news affecting the services we use and the encryption on our phones. First, Google and Red Hat revealed a major security vulnerability in glibc, a commonly used library, which could potentially affect thousands of devices, apps and services. Second, following an FBI order to Apple, Tim Cook posted an open letter appealing for people to support Apple's stance on encryption across its devices and services.
First, glibc. The issue with glibc was identified when a Google engineer recently noticed that their SSH client (a software program which uses the secure shell protocol to connect to a remote computer) was trying to access a memory location it was not permitted to access, each time the engineer tried to connect to a specific host.
According to the Google security blog, Google realised that the issue lay in glibc, not SSH. Glibc, officially named the GNU C Library, is an implementation of the C standard library by The GNU Project, a free software, mass collaboration project started in 1983.
Google was able to identify that the issue could result in remote code execution, making affected systems vulnerable to attacks from hackers. Through its investigation, Google found that glibc maintainers had previously been alerted to the issue via their bug tracker in July 2015. The issue had separately been identified and was being looked into by open source software company Red Hat. Working together, Google and Red Hat combined their efforts to create a comprehensive patch and regression test to protect users of glibc.
For more information, check out Google’s blog here.
As we’ve written about before, both the UK and US governments are trying to force Apple to create backdoors to its devices and systems, in order to be able to bypass its high levels of encryption. This week, the FBI has demanded access to an iPhone 5C used by the San Bernardino bomber, on the grounds it could provide information on who Farook and his wife were communicating with.
Apple has taken one of the strongest stances on user privacy and made it one of its core tenets. Last year, Apple called for changes to the UK government’s investigatory powers bill, over fears that such a bill would weaken the security of law-abiding citizens. This week, following the FBI order, Apple CEO, Tim Cook, posted a public letter on its website, which can be read in full here.
In the letter, Cook argued that:
Smartphones, led by iPhone, have become an essential part of our lives. People use them to store an incredible amount of personal information, from our private conversations to our photos, our music, our notes, our calendars and contacts, our financial information and health data, even where we have been and where we are going.
All that information needs to be protected from hackers and criminals who want to access it, steal it, and use it without our knowledge or permission. Customers expect Apple and other technology companies to do everything in our power to protect their personal information, and at Apple we are deeply committed to safeguarding their data.
Compromising the security of our personal information can ultimately put our personal safety at risk. That is why encryption has become so important to all of us.
For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.
Apple rightly argues that any form of vulnerability built into its devices or services for use by law enforcement could also be exploited by hackers or other people seeking to cause harm. With the amount of data that is stored on devices today, for both personal and professional reasons, it’s vital that we can trust that our devices are as secure as possible.
As Cook notes, Apple itself is unable to access the contents of an owner’s iPhone or iOS device, as that is the only way it can be sure that it is as secure as possible. Whilst there are clear cases where access to information stored on people’s phones may help law enforcement, it is also true that anyone trying to avoid the law would use other ways to encrypt their communication.
For Apple and other companies to protect their users and ensure that their devices can be used by business users and law-abiding citizens, encryption matters. It is one of the biggest issues of the moment, and it needs to be protected.
Removing the protection that has been added in recent years would be a catastrophe for all of us. It would also be letting terrorists win. Not only would they force technology companies to create backdoors, they could also exploit those backdoors for their own means.
Already, Google, Amnesty International and a large number of other companies have all voiced their support for Apple’s leadership on this topic.
As Edward Snowden, former National Security Agency contractor, tweeted recently:
— Edward Snowden (@Snowden) February 17, 2016