Despite early reports, experts agree that the leak of the iPhone Secure Enclave Processor firmware encryption key should not pose a security risk and may even ultimately improve user security.

When a hacker/researcher going by the handle "xerub" released the firmware encryption key, the initial reaction was one of panic because the iPhone Secure Enclave is responsible for storing and processing highly sensitive data, as described by Mike Ash, software engineer and fellow at Plausible Labs, in response to the debate around the FBI wanting backdoor access to Apple's encryption:

"The Secure Enclave contains its own [unique ID] and hardware AES engine. The passcode verification process takes place here, separated from the rest of the system. The Secure Enclave also handles Touch ID fingerprint processing and matching, and authorizing payments for Apple Pay," Ash wrote in a blog post about iPhone Secure Enclave last year. "The Secure Enclave performs all key management for encrypted files. File encryption applies to nearly all user data."

While most iPhone system apps use Secure Enclave, and all third-party apps use it by default since iOS 7, Ash wrote, "The main CPU can't read encrypted files on its own. It must request the file's keys from the Secure Enclave, which in turn is unable to provide them without the user's passcode."

While this sounds bad, David Schuetz, senior security consultant at NCC Group, said in his own analysis that the encryption key xerub released was specific to the GSM model of the iPhone 5S -- the first Apple device with the Secure Enclave Processor -- running iOS 10.3.3.

Apple reportedly told TechRepublic that decrypting the iPhone Secure Enclave firmware "in no way provides access" to user data and that Apple does not have plans to patch affected devices.

Xerub also told TechRepublic the encryption key would not impact user security but said the "public scrutiny" around the release could improve the security of the iPhone Secure Enclave.

Schuetz added that modifying the iPhone Secure Enclave firmware would not be possible because "the firmware is also signed by Apple, and the attacker would need to be able to forge the signature to get the phone to install the hacked firmware."

"I think this is a good thing, in the long run. This should have very little practical effect on the security of individual iOS devices, unless a very significant flaw is uncovered. Even then, the potential scope of the finding may be limited to only older devices," Schuetz wrote. "If the security of the Secure Enclave is in any way directly reduced by the disclosure of the firmware, then it wasn't truly secure in the first place."

Learn whether or not Apple's Touch ID is ready for enterprise adoption.

Find out why IT pros are confident in Apple's Apple's data protection and encryption.

Get info on undetectable encryption backdoors in crypto keys demoed by researchers.

See the article here:
iPhone Secure Enclave firmware encryption key leaked - TechTarget

Ambulance organizations are worried that the pending encryption of police radio transmissions in Lancaster County will compromise the safety of medics racing to dangerous calls, LNP reported last Wednesday. Emergency medical service leaders asked the county commissioners to revise their June approval of police radio encryption to allow their crews to listen to police calls. The commissioners have not made a decision on the request.

Encryption is a bad idea. Words like transparency and accountability should mean something. Their significance diminishes every time we erect another barrier between government and the public.

We want our police officers to be as safe as they can possibly be. We also believe in the importance of public access to information. These values are not mutually exclusive.

Practically speaking, theres no evidence that encrypting police transmissions will make policing safer or easier. Part of the rationale for encryption is to prevent an ambush or to keep the media from reaching a crime scene before law enforcement, which, by the way, is very rare.

We know police officers would rather not have to deal with media at a crime scene. But the media has a job to do. Weather events, fires, gas leaks the media monitors police transmissions to help keep the public informed. Thats the medias job. Weve asked for proof that media or public access to police transmissions has ever compromised a crime scene or an investigation, or violated the privacy of a victim. Were still waiting.

Weve also asked the county commissioners to reconsider. Now, were not alone.

As LNPs Jeff Hawkes reported, medics need to hear what the first officers on the scene are saying to each other and dispatchers about the nature of a crash, shooting or other emergency requiring an ambulance. They can start to prepare before they arrive if they have more information. Is the crime scene secure? Are flood waters too deep? Are there downed wires?

These are legitimate concerns and questions. And how were the EMS officials received when they spoke up at a meeting with the commissioners last week? Not well.

Police departments, I dont think, would ever come in here and ask you to put some regulation on the fire departments, said Chief Kevin McCarthy of East Earl Township, representing a county police chiefs group. We actually thought the matter was finished.

Its not. Nor should it be. And McCarthys comment misses the point by a wide margin.

The entities that rely on police transmissions should be working together to keep the public safe and informed. Radio transmissions help the media communicate to the public. EMTs use the information to get to people who need help. This is a debate about openness in government and access to information. Once it degenerates into an argument over stepping on toes or whos dictating policy to whom, were in real trouble.

As we wrote when the decision to encrypt was announced, if a lack of public trust and faith in government institutions is a real problem, this law only serves to exacerbate mistrust.

And now you have a group of first responders saying it makes no practical sense either and will make their jobs more difficult.

To lose that ability to communicate or at least monitor (police transmissions) is a real danger to people in EMS, Dr. Michael Reihart, the medical director of a regional emergency health services federation, told LNP.

This should be more than enough for the commissioners to reconsider.

It should be, but apparently, it isnt.

Commissioners Chairman Dennis Stuckey, after hearing from EMS officials, said that hes not inclined to change anything.

Darrell Fisher, president of the Lancaster County EMS Council, told LNP that he will continue to push this issue, and we commend him for doing so.

Its pretty clear that the commissioners and everyone else who favors encryption want Reihart and Fisher to lose interest and go away. We hope they dont.

Commissioner Craig Lehman may represent the last hope for preserving transparency and public accessibility. Lehman opposed blocking media access to police radio, and told LNP that hes sensitive to the medics request and worries about other unintended consequences of encryption that could put police at risk.

We hope the police who requested encryption and the commissioners who voted for it will reopen this discussion. We still believe a compromise can be reached. As LNP Executive Editor Barbara Hough Roda wrote in July, we seek a compromise that will allow law enforcement to do its work, and enable those of us in the news media to do ours.

That doesnt seem like too much to ask. And its the least the public has a right to expect.

Follow this link:
Additional proof that Lancaster County Commissioners should reconsider encrypting police transmissions - LancasterOnline