Apple Is Said to Be Trying to Make It Harder to Hack iPhones
WASHINGTON — Apple engineers have begun developing new security measures that would make it impossible for the government to break into a locked iPhone using methods similar to those now at the center of a court fight in California, according to people close to the company and security experts.
If Apple succeeds in upgrading its security — and experts say it almost surely will — the company will create a significant technical challenge for law enforcement agencies, even if the Obama administration wins its fight over access to data stored on an iPhone used by one of the killers in last year’s San Bernardino, Calif., rampage. If the Federal Bureau of Investigation wanted to get into a phone in the future, it would need a new way to do so. That would most likely prompt a new cycle of court fights and, yet again, more technical fixes by Apple.
The only way out of this scenario, experts say, is for Congress to get involved. Federal wiretapping laws require traditional phone carriers to make their data accessible to law enforcement agencies. But tech companies like Apple and Google are not covered, and they have strongly resisted legislation that would place similar requirements on them.
“We are in for an arms race unless and until Congress decides to clarify who has what obligations in situations like this,” said Benjamin Wittes, a senior fellow at the Brookings Institution.
Companies have always searched for software bugs and patched holes to keep their code secure from hackers. But since the revelations of government surveillance made by Edward J. Snowden, companies have been retooling their products to protect against government intrusion.
For Apple, security is also a global marketing strategy. New security measures would not only help the company in its fight with the government, but also reassure investors and customers.
“For all of those people who want to have a voice but they’re afraid, we are standing up, and we are standing up for our customers because protecting them we view as our job,” Apple’s chief executive, Timothy D. Cook, said on Wednesday in an interview with ABC News.
The company first raised the prospect of a security update last week in a phone call with reporters, who asked why the company would allow firmware — the software at the heart of the iPhone — to be modified without requiring a user password.
One senior executive, speaking on the condition of anonymity, replied that it was safe to bet that security would continue to improve. Separately, a person close to the company, who also spoke on the condition of anonymity, confirmed this week that Apple engineers had begun work on a solution even before the San Bernardino attack. A company spokeswoman declined to comment on what she called rumors and speculation.
Independent experts say they have held informal conversations with Apple engineers over the last week about the vulnerability. Exactly how Apple will address the issue is unclear. Security experts who have been studying Apple’s phone security say it is technically possible to fix.
“There are probably 50 different ideas we have all sent to Apple,” said Jonathan Zdziarski, a security researcher.
Apple built its recent operating systems to protect customer information. As Mr. Cook wrote in a recent letter to customers, “We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”
But there is a catch. Each iPhone has a built-in troubleshooting system that lets the company update the system software without the need for a user to enter a passcode. Apple designed that feature to make it easier to repair malfunctioning phones.
In the San Bernardino case, the F.B.I. wants to exploit that troubleshooting system by forcing Apple to write and install new software that strips away several security features, making it much easier for the government to hack into the phone. The phone in that case is an old model, but experts and former Apple employees say that a similar approach could also be used to alter software on newer phones. That is the vulnerability Apple is working to fix.
Apple regularly publishes security updates and gives credit to researchers who hunt for bugs in the company’s software. “Usually, bug reports come in an email saying, ‘Dear Apple Security, we’ve discovered a flaw in your product,’ ” said Chris Soghoian, a technology analyst with the American Civil Liberties Union. “This bug report has come in the form of a court order.”
The court order to which Mr. Soghoian referred was issued last week by a federal magistrate judge, and tells Apple to write and install the code sought by the F.B.I. Apple has promised to challenge that order. Its lawyers have until Friday to file its opposition in court.
In many ways, Apple’s response continues a trend that has persisted in Silicon Valley since Mr. Snowden’s revelations. Yahoo, for instance, left its email service unencrypted for years. After Mr. Snowden revealed the National Security Agency surveillance, the company quickly announced plans to encrypt email. Google similarly moved to fix a vulnerability that the government was using to hack into company data centers.
Apple’s showdown with the Justice Department is different in one important way. Now that the government has tried to force Apple to hack its own code, security officials say, the company must view itself as the vulnerability.
“This is the first time that Apple has been included in their own threat model,” Mr. Zdziarski said. “I don’t think Apple ever considered becoming a compelled arm of the government.”
The F.B.I. director, James B. Comey Jr., signaled this week that he expected Apple to change its security, saying that the phone-cracking tool the government sought in the San Bernardino case was “increasingly obsolete.” He said that supported the government’s argument that it was not seeking a skeleton key to hack into all iPhones.
Apple, though, says the case could set a precedent for forcing company engineers to write code to help the government break into any iPhone. “The U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create,” Mr. Cook said in his letter.
The heated back-and-forth between the government and technology companies is, at least in part, a function of the Obama administration’s strategy. The White House has said it will not ask Congress to pass a law requiring tech companies to give the F.B.I. a way to gain access to customer data. That has left the Justice Department to fight for access one phone at a time, in court cases that often go unnoticed.
While it is generally accepted that Silicon Valley’s tech giants can outgun the government in a technical fight, the companies do face one important limitation. Security features often come at the expense of making products slower or clunkier.
Apple’s brand is built around creating products that are sleek and intuitive. A security solution that defeats the F.B.I. is unworkable if it frustrates consumers. One of the impediments to encrypting all the data in Apple’s iCloud servers, for instance, has been finding a way to ensure that customers can easily retrieve and recover photos and other information stored there.
“Telling a member of the public that they’re going to lose all the family photos they’ve ever taken because they forgot their password is a really tough sell,” Mr. Soghoian said. “A company wants to sell products to the public.”