We can make our phones harder to hack, but complete security is a pipe dream | John Naughton

Apple caused a stir a few weeks ago when it announced that the next update to its mobile and laptop operating systems would contain an optional high security mode that would give users an unprecedented level of protection against powerful software. spies” who surreptitiously take control of their devices.

It’s called lockdown mode and, according to Apple, “provides an extreme, optional level of security for those very few users who, because of who they are or what they do, may be personally targeted by some of the sophisticated digital threats, such as those from the NSO Group and other private companies developing state-sponsored mercenary spyware.”

Lockdown is actually an alternate operating system mode. To enable it, go to settings, choose it and restart your device. When you do, you end up with a rather different iPhone. Web browsing is clumsier, for example, because Lockdown blocks many of the speed and efficiency tricks Safari uses to render web pages. Some complex but widely used web technologies, such as just-in-time JavaScript compilation, which allow websites to run programs in your browser, are disabled unless you specifically exclude a website from the restriction. Still, more people may be persuaded to turn to greater security after vulnerabilities were revealed in Apple devices.

The lockdown also restricts all sorts of incoming invitations and requests (e.g. from FaceTime) unless you have specifically requested them. In messages, the phone will not show link previews and will block all attachments except for a few standard image formats. It also won’t allow access to anything physically plugged into it. Etc.

The result of Lockdown’s commitment is that you have a more secure but less convenient iPhone to use. And, in a way, that’s the most important thing in Apple’s decision. As security guru Bruce Schneier says, “It’s common to sacrifice security for usability, and the results are everywhere in Apple’s operating systems — and everywhere else on the Internet. What they do with lockdown mode is the opposite: they trade usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they don’t just cut out random features; they remove features that are common attack vectors.

Ever since people started worrying about computer security, the issue has been presented as a balance between security and convenience. So far, convenience has won hands down. Take passwords. Everyone knows that long and complex passwords are more secure than simple passwords, but they are also difficult to remember. So, being human, we don’t use them: in 2021, the five most commonly used passwords were: 123456, 123456789, 12345, qwerty and password.

In the age of mainframes and standalone PCs, that kind of laxity didn’t matter too much. But as the world has become networked, the consequences of neglect have become more ominous. Why? Because there is no such thing as a completely secure networked device and we have added such devices to the so called Internet of Things (IoT) on a manic scale. There are something like 13 billion right now; by 2030, the tech industry thinks there could be 30 billion.

The conventional adjective for these gadgets is “smart”. These can be ‘hi-tech’ items such as smart speakers, fitness trackers and security cameras, but also standard household items such as refrigerators, light bulbs and plugs, doorbells , thermostats, etc. From a marketing perspective, their USPs are flexibility, utility, and responsiveness – in other words, convenience.

But smart is an understatement that tactfully disguises the fact that these are tiny internet-connected computers that can be controlled remotely from a smartphone or computer. Some are made by reputable companies, but many are products of smaller companies in China and elsewhere. They come with default usernames and passwords (such as “admin” and “password”) that buyers can change (but usually don’t). Because they are networked, they can be accessed remotely by their owners and, more importantly, by others. And there are billions of them in our homes, offices and factories.

Security researchers use the term “attack surface” to describe the number of possible points where an unauthorized user can access a system, extract data, and/or inflict damage. The smaller the surface, the easier it is to protect. Unfortunately, the corollary also holds. In our rush to the Internet of Things, we are creating an attack surface of near infinite dimensions.

What is strange is that we already know what the consequences are and yet we do not seem disturbed by them. In 2016, the security community was overwhelmed by a number of massive distributed denial of service attacks that caused outages, internet congestion and, in one case, overwhelmed the website of a prominent security guru. Security.

Such attacks were carried out by botnets of thousands of infected PCs, but those in 2016 were carried out by a botnet that included perhaps half a million infected “smart” gadgets. The Mirai malware that assembled the botnet scoured the web for IoT devices protected by little more than default usernames and passwords, then enlisted them in attacks that launched unwanted traffic to an online target until it can no longer function.

Mirai is still around, so you might not be the only entity benefiting from these fancy new networked bulbs. The cost of convenience will be higher than we think. So update those passwords.

John Naughton chairs the advisory board of the Minderoo Center for Technology and Democracy in Cambridge

Comments are closed.