ACLU: You can kiss trust in software updates goodbye if Apple's forced to help the FBI

Gregg Keizer | March 3, 2016
American Civil Liberties Union files amicus brief with federal court in support of Apple.

"What the government seeks here is an authority that would undermine American and global trust in software security updates, with catastrophic consequences for digital security and privacy," the ACLU said.

The organization has made that claim before.

Earlier this week, Christopher Soghoian, a prominent privacy researcher and activist who currently works for the ACLU as the principal technologist with its Speech, Privacy, and Technology Project, wrote a piece for the Washington Post in which he made the same case about software updates.

"If consumers fear that the software updates they receive from technology companies might secretly contain surveillance software from the FBI, many of them are likely to disable those automatic updates," Soghoian said.

Distrust of software updates waxes and wanes all on its own, particularly when a company's new code earns a reputation for crippling working devices. But the idea that the update process itself could be perverted has long been seen as the Holy Grail by hackers.

In 2012, security researchers discovered that Flame, a sophisticated nation-state-grade cyber-espionage malware, had spoofed Microsoft's Windows Update service, and so could trick a PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

Flame's creators were able to do that after leveraging a bug in a Microsoft service to generate digital signatures that were "signed" by the Redmond, Wash. company.

At the root of the government's demands on Apple is the fact that no one but Apple can convince a device that an incoming update is legitimate; only updates cryptographically "signed" by Apple are allowed. If the FBI, for instance, had Apple's signing certificate, it could write the software itself and put it on Farook's iPhone.

Because of the seriousness of Flame's ability to masquerade as Windows Update, Microsoft rushed out a fix to customers within days.

Others are expected to file amicus briefs this week, including the Electronic Frontier Foundation and Microsoft on behalf of Apple's position, and law enforcement agencies supporting the government's stance.

The ACLU's brief can be found on its website.

 
