The proliferation of the WannaCry ransomware last week unequivocally justifies Apple’s steadfast refusal to help the FBI break into an iPhone 5c used by one of the San Bernardino terrorists. As a quick refresher, the FBI last year wanted Apple engineers to create a brand new version of iOS that would allow them to skirt around iOS security measures. As a precaution, a security setting in iOS wipes a device clean after 10 erroneous passcode entry attempts. The FBI, as a result, tried to force Apple to release a specialized version of iOS that would not include this security limitation.
Apple abhorred the very idea from the get-go, with Tim Cook going so far as to say that the FBI wanted Apple to create something that it viewed as “the software equivalent of cancer.” From Apple’s vantage point, creating software capable of circumventing important iOS security mechanisms was a monumental risk as there is no way to guarantee that the customized software wouldn’t eventually fall into the wrong hands.
So while Cook’s cancer analogy might have struck some as being extreme, the WannaCry ransomware saga last week proves that once a piece of malicious software is created, it’s impossible to keep it out of the hands of malicious actors. According to reports, the WannaCry ransomware — which infected more than 200,000 computers across 150 different countries in less than 24 hours — was based on an NSA exploit released by a hacking collective known as the Shadow Brokers. In fact, WannaCry began infecting computers worldwide just about 4 weeks after the Shadow Brokers released a treasure trove of NSA hacking tools and exploits for anyone in the world to explore and use.
Today shows exactly what’s at stake when government hackers can’t keep their virtual weapons locked up. As security researcher Matthew Hickey, who tracked the leaked NSA tools last month, put it, “I am actually surprised that a weaponized malware of this nature didn’t spread sooner.”
So while former FBI director James Comey promised Apple that the FBI would be able to keep a customized version of iOS from falling into the wrong hands, there’s really no way for anyone to make such a promise with 100% certainty. If it’s possible for top-secret NSA exploits to eventually see the light of day, it’s also possible for the FBI’s own arsenal of hacking tools to eventually fall into the wrong hands.
In light of the WannaCry attack, Tim Cook’s words during an interview with ABC last year ring truer than ever before: “If we knew a way to do this without exposing hundreds of millions of other people’s issues we would obviously do it. We need to stand tall and stand tall on principle. There’s probably more information about you on your phone than there is in your house… they’re also loaded with the location of our kids in many cases, and so it’s not just about privacy but it’s also about public safety.”
And speaking of public safety, one of the reasons why the WannaCry malware first started generating headlines was because it began infecting scores of computers at a number of hospitals all across the UK.
Incidentally, Microsoft on Sunday issued a statement blasting government agencies for hoarding dangerous exploits. The entire piece is worth a read, but one of the most pertinent excerpts reads:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The full statement, penned by Microsoft Chief Legal Officer Brad Smith, can be viewed over here.