NSA's Stealing Keys To Mobile Phone Encryption Shows Why Mandatory Backdoors To Encryption Is A Horrible Idea
from the let's end this now dept
Over the last few months, ever since both Apple and Google announced plans to encrypt data on iOS and Android devices by default, there’s been a ridiculous amount of hand-wringing from the law enforcement community about requiring backdoors, golden keys and magic fairy dust that will allow law enforcement to decrypt the information on your phone… or children will die, even though they actually won’t.
And, of course, yesterday, the Intercept had its big story about how the NSA (with an assist from GCHQ) hacked its way to get access to the encryption keys used on SIM cards on basically all the mobile phones out there, giving those intelligence agencies easy (warrant-free!) access to conversations that most people thought had at least some encryption. These two stories may not seem to be directly connected (we’re talking about different kinds of encryption for different things), but in writing about the SIM card story, Julian Sanchez at Cato makes a really good point about why the Gemalto hack underscores why backdoors are a horrendously bad idea: they create a central point of attack to undermine all the security that people rely on.
Finally, this is one more demonstration that proposals to require telecommunications providers and device manufacturers to build law enforcement backdoors in their products are a terrible, terrible idea. As security experts have rightly insisted all along, requiring companies to keep a repository of keys to unlock those backdoors makes the key repository itself a prime target for the most sophisticated attackersâ€”like NSA and GCHQ. It would be both arrogant and foolhardy in the extreme to suppose that only â€œgoodâ€ attackers will be successful in these efforts.
It would be nice to see that the revelation of the NSA undermining one use of encryption led people to realize the stupidity of undermining other forms of encryption, but somehow, it seems likely that our law enforcement community won’t quite comprehend that message.