The iPhone, the FBI, and the lessons for bankers
With today's news comes the interesting development that the FBI has apparently used a "tool" acquired from an unnamed third-party white hat security firm to gain access to the locked iPhone of one of the San Bernardino shooters without requiring Apple's cooperation. This issue had been the subject of a recent tug-of-war between Tim Cook and the US Department of Justice.
While FBI Director James Comey has been mum on the details, some in the IT security community have speculated that the new tool employs a so-called "brute force attack" on the iPhone by sequentially guessing the device's passcode until the device unlocks itself. While the lock-out feature is user-configurable, an iPhone running the current version of iOS will normally give the user 10 chances to input the passcode correctly before permanently locking the user out while deleting all user data from the device.
Cloud services to the rescue. The speculation is that the newly acquired FBI tool was able to get around this measure by simply cloning the software from the perpetrator's iPhone -- including the operating system and all of the user data files -- hundreds or thousands of times and performing what is effectively a "distributed brute force attack" by repeatedly guessing passcodes from a master checklist across the clones in parallel. When an individual clone becomes locked, that clone is discarded and the tool continues the guessing game with other clones on a reduced list of candidate passcodes until one of the guesses finally works.
The likely reason why the FBI has apparently succeeded is the fact that the perpetrator's passcode was static, meaning it didn't change during the course of the many times that the FBI tried one guess after another. (In this context, it was important that the perpetrator was caught, as otherwise he would have changed his passcode and/or wiped the data remotely, a capability that Apple provides to all iPhone users.)
What does this have to do with banking security? As demonstrated by the success of the FBI's new white hat tool in breaking Apple's device security, the simple reality of data protection is that no encryption technique is foolproof, particularly from the threat of a brute force attack.
Given the power of the cloud to solve a large computational problem like guessing a large encryption key using a cloud-based "divide and conquer" approach, bankers need to pay attention to the need to employ strong encryption keys while rotating their keys on a regular basis.
The definition of "regular basis" will depend on the sensitivity of the data to be protected, but one thing is for sure: the bank that creates an enterprise encryption key once and thinks the bank is protected forever is dangerously vulnerable to a future cyber attack based on a distributed brute force technique such as the one that was quite possibly used by the FBI's white-hat vendor.
Given the importance of encryption to maintaining a safe and FFIEC-compliant environment for the safekeeping of NPI, and especially in light of the emergence of services like Blockchain that are dependent on encryption for success, banks ought to be paying close attention.