Security Experts Back Apple vs FBI: ‘GovtOS’ Could Mean Dire Consequences


The legal saga between the FBI and Apple continues with another chapter in favour of Apple: although the 40 tech companies the New York Times mentioned in an earlier report have not yet filed the amicus brief, seven security experts have (via The Verge).

The authors say “GovtOS” (the name Apple gave to the software demanded by the FBI) would harm customers, as it would weaken lockscreen protections for iPhone users not just in the US, but worldwide.

You may already be familiar with some of the names: iOS specialist Jonathan Zdziarski, cryptographer Bruce Schneier, and Charlie Miller, known for uncovering vulnerabilities in Chrysler automotive systems.

If this software gets into the wrong hands, it could have dire consequences, the experts say:

“If [GovtOS escapes Apple’s control], the custom code could be used by criminals and governments to extract sensitive personal and business data from seized, lost, or stolen iPhones,” the brief reads, “or it could be reverse engineered, giving attackers a stepping stone on the path towards their goal of defeating Apple’s passcode security.” As a result, the authors conclude that “in commanding Apple to create forensic software that would bypass iPhone security features, the Order endangers public safety.”

The security features of the iPhone protect customers from crimes and attacks, the experts say, mentioning a few scenarios including a competitor stealing trade secrets and an identity thief stealing financial information such as card numbers, PINs, social security numbers, and the like.


  • Aron Feuer

    Listen, the same statements are as true about Apple’s code signing key. If GovtOS is ever created, it should be held and protected by Apple the same way they protect the key to sign their firmware. Releasing GovtOS to law enforcement or 3rd parties is a real risk.

  • Do you mean the code signing key for OS X apps? I think the security risks for someone being able to fake Apple’s code signing and someone being able to crack iOS Passcode Security are very different in scale and risk.

    The Mac was not super-secure from malicious app installs to begin with, and Apple added code signing as a way to help protect novice users from installing bad apps. It was covering an already existing security risk. Also, if it were compromised and someone were able to create a malicious app that is code-signed, it would only affect those who install it, would likely be noticed quickly and other Mac owners could be instructed to avoid it.

    iOS, on the contrary, already has secure passcode protection, and creating GovtOS would create a NEW potential security risk in EVERY iOS device. Not only are there more iOS devices than Macs, it wouldn’t just be people who install a malicious app that are compromised, it would be everyone.

    In short: Code signing may have similar risks, but it was added security that did not exist before, and the potential risk would affect a small percentage of Macs that were already at risk before code signing. GovtOS is weakening security that already exists, and the potential risk would affect every iOS device, devices that are currently not at risk.