The FBI hack of an iPhone has potential implications for all Apple users, according to experts.
On Tuesday, the agency revealed it had broken into an encrypted device and thus would withdraw an ongoing legal case against Apple.
The iPhone belonged to Syed Rizwan Farook, who along with his wife Tashfeen Malik allegedly killed 14 people in San Bernardino, California in December 2015.
Farook and Malik were shot dead by police.
“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc,” the US Justice Department said in a court document.
Apple fought a legal battle with the FBI in February and March to avoid the agency’s demand to unlock the phone. The company responded to the FBI’s breakthrough by promising to increase security.
“We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated,” Apple said in a statement.
The exact method and the identity of the hacker(s) are unknown. The Justice Department told US media outlets that it was an outside party. Some experts suspect Israeli company Cellebrite.
Also unknown is what the FBI and its mysterious contractor will do with their newfound power.
Many in the tech industry are adamant that the creation of security bypasses, even by law enforcement agencies, undermines security for all users, as these methods may fall into the wrong hands.
Dr Christopher Soghoian, tech expert at the American Civil Liberties Union, took to social media after the announcement to warn of the possible consequences.
“Will the FBI share their new iOS exploit with the Manhattan DA’s office and other state/local agencies who have iPhones they want to unlock?” he posted on Twitter.
A US-based iOS security expert, Jonathan Zdziarski, predicted that if a software hack (as opposed to a hardware hack) was used, it could be used again, even on newer iPhones fitted with the stronger ‘Security Enclave’ protections.
How to protect yourself
The fact that a third party was able to access a password-protected iPhone has implications for all phone users.
Mr Zdziarski said it was “certain” that the phone’s number-only passcode enabled the hack. In fact, he went so far as to describe this “weak” form of security as the “only reason” it occurred.
The default passcode for all iPhones is four or six numbers, depending on the model. As Mr Zdziarski noted, these codes can be guessed by sophisticated computer programs, given enough time. He advised users to beef up their passcodes because “the rules of math cannot be broken”.
“To protect your device against both a hardware and software attack, use an alphanumeric passcode. Apple claims, in their iOS Security guide, that a six digit alphanumeric passcode would take up to 5 1/2 years to brute force. A 16 digit alphanumeric passcode is believed to take over 100 years to brute force. No matter how exploited the operating system is, brute forcing must take place on the hardware, and the rules of math cannot be broken.”
To create a more complex password, go to your iPhone Settings, select Passcode (or Touch ID & Passcode in newer models) and turn off the option Simple Passcode. Then follow the prompts to change your code to something more complex, preferably with both letters and numbers.
iPhone users may (or may not) also want to enable the Erase Data passcode setting, which wipes the phone after 10 failed passcode attempts.
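The arithmetic behind the passcode advice and the Erase Data setting above, as an added example that is not part of the original article. It assumes about 80 ms per on-device guess (the key-derivation cost given in Apple's iOS Security guide), a uniformly random passcode and no escalating lockout delays; the function names are illustrative.

```python
import string

# Assumption: ~80 ms per passcode attempt on the device (iOS Security guide figure).
SECONDS_PER_ATTEMPT = 0.08
SECONDS_PER_YEAR = 365.25 * 24 * 3600

ALPHABETS = {
    "digits": string.digits,
    "lowercase+digits": string.ascii_lowercase + string.digits,
    "mixed-case+digits": string.ascii_letters + string.digits,
}


def keyspace(alphabet, length):
    """Number of distinct passcodes of exactly `length` symbols."""
    return len(set(alphabet)) ** length


def worst_case_seconds(alphabet, length, per_attempt=SECONDS_PER_ATTEMPT):
    """Time to try every passcode once; the average case is half of this."""
    return keyspace(alphabet, length) * per_attempt


def wipe_limited_success(alphabet, length, attempts=10):
    """Chance of guessing a random passcode before Erase Data wipes the phone."""
    return min(1.0, attempts / keyspace(alphabet, length))


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed comparison of the passcode styles the article mentions.
    cases = [("digits", 4), ("digits", 6),
             ("lowercase+digits", 6), ("lowercase+digits", 16)]
    for name, length in cases:
        alphabet = ALPHABETS[name]
        print(f"{length:>2} x {name:<17} "
              f"worst case {humanize(worst_case_seconds(alphabet, length)):>40}  "
              f"10-guess success {wipe_limited_success(alphabet, length):.2e}")
```

Under these assumptions a four-digit code falls in minutes and a six-digit code in under a day, while six lowercase letters and digits reproduce the roughly 5 1/2-year figure quoted above.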