̽��ֱ��

After a over an encrypted terrorist’s smartphone, the FBI has in its court case against Apple, stating that an “outside party” – rumoured to be – has found a way of accessing the data on the phone.

̽��ֱ��exact method is not known. Forensics experts that it involves tricking the hardware into not recording how many passcode combinations have been tried, which would allow all 10,000 possible four-digit passcodes to be tried within a fairly short time. This technique would apply to the iPhone 5C in question, but not newer models, which have stronger hardware protection through the so-called , a chip that performs security-critical operations in hardware. ̽��ֱ��FBI has denied that the technique involves .

So while the details of the technique , it’s reasonable to assume that given sufficient resources. In fact, the technology industry’s dirty secret is that most products are frighteningly insecure.

Even when security technologies are carefully designed and reviewed by experts, mistakes happen. For example, researchers recently found a way of , one of the most prominent examples of end-to-end encryption (which ensures that even the service provider cannot read the messages travelling via its network).

Most products have a much worse security record, as they are not designed by security experts, and often contain flaws that are easily found by attackers. For example, that could be hacked and allow strangers to at night. Insecure cars that while being driven. Drug infusion pumps at US hospitals that could be hacked by an attacker to .

Even national infrastructure is vulnerable, with software weaknesses exploited to cause serious damage at a , bring down parts of the , and . While our lives depend more and more on “smart” devices, they are frequently designed in incredibly stupid ways.

Insecure by design

̽��ֱ��conflict between Apple and the FBI was particularly jarring to security experts, seen as an attempt to deliberately make technology less secure and win legal precedent to gain access to other devices in the future. Smartphones are becoming increasingly ubiquitous, and we know from the Snowden files that the NSA can remotely without the owner’s knowledge. We are heading towards a state in which every inhabited space contains a microphone (and a camera) that is connected to the internet and which might be recording anything you say. This is not even a paranoid exaggeration.

So, in a world in which we are constantly struggling to make things more secure, the FBI’s desire to create a backdoor to provide it access is like pouring gasoline on the fire.

̽��ֱ��problem with security weaknesses is that it is impossible to control who can use them. Responsible researchers report them to the vendor so that they can be fixed, and sometimes receive a in return. But those who want to make more money may . Customers of this often include .

If the FBI has found a means of getting data off a locked phone, that means the intelligence services of other countries have probably independently developed the same technique – or been sold it by someone who has. So if an American citizen has data on their phone that is of intelligence interest to another country that data is at risk if the phone is lost or stolen.

Most people will never be of intelligence interest of course, so perhaps such fears are overblown. But the push from governments, for example through the pending in the UK, to allow the security services to hack devices in bulk – even if the devices belong to people who are not suspected of any crime – cannot be ignored.

Bulk hacking powers, taken together with insecure, internet-connected microphones and cameras in every room, are a worrying combination. It is a cliche to conjure up Nineteen Eighty-Four, but the picture it paints is something very much like Orwell’s telescreens.

��

��

Used by one, used by all

To some extent law enforcement has historically benefited from poor computer security, as hacking a poorly secured digital device is easier and cheaper than planting a microphone in someone’s house or rifling their physical belongings. No wonder that the former CIA director .

This convenience often tempts governments to deliberately weaken device security – the FBI’s case against Apple is just one example. In the UK, the proposed Investigatory Powers Bill allows the secretary of state to issue “”, which are secret government orders to demand manufacturers make a device or service deliberately less secure than it could be. GCHQ’s new MIKEY-SAKKE standard for encrypted phone calls is also to allow easier surveillance.

But a security flaw that can be used by one can be used by all, whether legitimate police investigations or hostile foreign intelligence services or organised crime. ̽��ֱ��fears of , but the risk to life from insecure infrastructure is real: fixing these weaknesses should be our priority, not striving to make devices less secure for the sake of law enforcement.

, Research associate,

This article was originally published on . Read the .

̽��ֱ��opinions expressed in this article are those of the individual author(s) and do not represent the views of the ̽��ֱ�� of Cambridge.