clock menu more-arrow no yes

Filed under:

Apple says it has the 'most effective security organization in the world'

New, 31 comments

Apple engineers pull back the curtain on iPhone security

Apple said in a press briefing earlier today that it has the "most effective security organization in the world," and discussed multiple layers of iPhone security on both the hardware and software side to underscore this point.

The press briefing with Apple engineers was highly technical, including details that were previously undisclosed and in some cases might require deep knowledge of security protocol to understand. But it doesn't take a degree in CS to understand the timing and relevance of the briefing: Apple is currently at odds with the U.S. government over the issue of encryption. While the government is exerting pressure on Apple to make the iPhone less secure and to cooperate when it comes to obtaining crucial digital information, the company is adamant that doing so would compromise the privacy and security of consumers.

Apple used today's briefing to hammer that point home and to point out that it can build security into every level, because it controls the entire phone.

The chances of a bug deep within the iPhone are very, very low, Apple says

The security for iPhone involves multiple layers, some of which are industry-standard and others that are specific to Apple hardware. The protection starts with the chip inside of the phone, these Apple engineers said. The Boot ROM includes a certificate or private key that only Apple has access to. If an attacker wanted to try to take over an iPhone by taking a version of iOS and modifying it to run their own code, the software wouldn't run because the attacker wouldn't have access to that secret key, Apple said. This is the case for iPhones 3GS and later.

There's also a "chain of trust" built directly into the iOS mobile software, known in the tech industry as the boot chain. This, again, ensures that the certificate or key is validated before iOS even begins to boot up on the phone. (Much of the secure boot chain processes are detailed in a whitepaper that Apple has released about iOS security.)

While a bug is always possible, this architecture makes it very difficult for hackers to exploit a bug at the base level of the iPhone. If you have millions of lines of code at the highest level of iOS, and only thousands of code at the boot level, the chances of there being a bug at the low level is very, very low, these engineers said.

Getting consumers to actually install their iOS updates is another big part of ensuring iPhone security, since the company is regularly improving security or issuing bug fixes through new software. Making iOS a smaller update to install (1.3 gigabytes of space required on the phone, versus 4.6GB for iOS 8), coupled with the introduction of a "while you were sleeping" update option, has given iOS 9 an update rate of 80 percent.

Of course, industry-standard encryption is also a part of the process. The iPhone includes a piece of hardware that exists between the phone's flash memory and its RAM simply to perform encryption; there's also, as a part of this architecture, an Apple-specific "Secure Enclave," a coprocessor introduced in 2013 (so, in iPhones 5S and later) that uses encrypted memory and is not accessible to other parts of the system.

Nearly 90 percent of iPhone users now use a secure passcode, thanks to Touch ID

The TouchID sensor is yet another component of this. Prior to the introduction of Apple's TouchID fingerprint sensor in 2013, around half of all iPhone users had a passcode set up. Since TouchID came out, nearly 90 percent of iPhone users are using a passcode, Apple said. (Setting up TouchID requires entering a four- or six-digit pin.) That's great for consumer protection — but creates a quandary for law enforcement agencies who may previously had unfettered access to data on criminal iPhones.

Apple's discussion of its various security layers comes at a heated moment in tech security. Earlier this week The Washington Post reported that the FBI had cracked the iPhone in the San Bernardino, Calif. terrorism case with the help of an undisclosed group of hackers, some known to be "grey hats," who reportedly discovered at least one unknown security flaw in the iPhone 5C. According to The Washington Post, the hackers were able to "create a piece of hardware ... to crack the iPhone's four-digit personal identification number without triggering a security feature that would have erased all the data."

But it's unclear exactly how such a tool would work. Previously, it was reported that the FBI had received help from the Israeli firm Cellebrite, but that has since been refuted. The FBI did not immediately respond to Verge requests for comment or explanation as to how the San Bernardino iPhone was hacked.

Apple is also scheduled to testify about encryption in another Congressional hearing next week, along with the FBI. And the company is still sparring with the Justice Department over a case in New York, where an iPhone 5S was seized as part of a drug investigation in 2014. Just today, Apple said that the FBI had not "exhausted" its options for getting data out of the iPhone without the company's help.

The government is hoping to set a precedent in which tech companies like Apple have to decrypt data in specific cases like these. But Apple has pushed back, insisting that forcing Apple to break into the phone would be an overreach and would hold back innovation in cybersecurity. Apple engineers said in today's briefing that threats are evolving as technology is evolving, and that the company believes data security to be fundamental to personal safety and health as a society going forward.