
Apple-FBI iPhone battle shows users remain the weakest link in security

Aaron Pressman
Technology Reporter

While Apple (AAPL) and the FBI fight a high-stakes legal battle over a locked iPhone, the dispute also highlights once again that even the most well-designed smartphone security can be undercut by the bad habits of users.

The FBI wants Apple to develop special software to make it easier to guess the passcode on an iPhone 5C used by Syed Rizwan Farook, one of the deceased San Bernardino terrorists. Apple says doing so would open a Pandora's box and weaken the security of all iPhones. Ultimately, it will be up to the courts or Congress to decide.

Yet there is also a lesson for all ordinary iPhone users. iPhones -- and most other brands of smartphones -- can be locked with a PIN code of four to six numbers or with longer, more complicated passwords that have both letters and numbers.

It's believed that the iPhone in possession of the FBI is locked only with a simple four-digit code. That was the default setting of Farook's employer, the San Bernardino County Department of Public Health, which assigned him the phone. If that's the case, and Apple wrote the special software the FBI wants, which would disable several of the security safeguards on the phone, the FBI could guess the PIN code in under an hour. But even with Apple weakening an iPhone's security, guessing a longer passcode that had a mix of letters and numbers could take decades or even longer.

"The only reason we’re having this discussion about Farook’s phone at all is because he chose to use a weak, numeric pin," says security researcher Jonathan Zdziarski. "If he had used an alpha-numeric passcode of reasonable length, all of Apple’s encryption would still hold together and it would be unfeasible to try and attack it."

Recent models of the iPhone running newer software can be protected from the kind of PIN code guessing the FBI wants to do. That's because the owner can set the iPhone to erase its contents after 10 wrong guesses (the FBI wants Apple to disable that feature on Farook's iPhone). But hackers had come up with a variety of ways around the anti-guessing safeguards on earlier models, so most owners should rely on more secure passcodes, experts say.

Apple and Google (GOOGL), with its Android software for phones made by Samsung, LG and others, have taken many steps over the years to improve security. Apple recently switched its default for iPhones from a four-digit PIN to a six-digit PIN. And both Google and Apple have begun encrypting personal data stored on phones.

Still, users are vulnerable to hacker scams that try to fool people into disclosing their own passwords. Two years ago, hackers stole hundreds of personal, nude photos from the iCloud accounts of celebrities and posted them online. Much of the hacking was done by sending phony emails purporting to be from Apple to trick the account owners into giving away their own passwords.

Experts say there are some steps Apple and other smartphone makers could take to improve security. One vulnerability is in the app stores, where hackers have occasionally managed to place malicious software. Thousands of malware-infected apps were sneaked into Apple's Chinese app store last year after hackers tricked app developers into using a counterfeit version of Apple's Xcode software, though the fake apps were quickly deleted. Android, which allows downloading apps onto phones from third-party app stores, has had even more problems with hacked apps.

"To make the iPhone or iOS more secure a quality control of the app should be performed more strictly to ensure no compromised applications are inside," says Benjamin Kunz Mejri, a security analyst at Vulnerability Lab who has uncovered numerous security bugs in Apple software.