DeepSec 2021 Press Release: Organized Espionage on Digital Devices. DeepSec Conference Warns: Searching for “Forbidden” Data on Clients Compromises Information Security.
A basic principle of information security is access control. We are all used to the fact that data is only available to people and systems with the right authorizations. The discussion about the search for prohibited image files on Apple systems sparked the discussion about the so-called Client-Side Scanning (CSS) technology. Searching for specific content past access restrictions has always been an appealing shortcut. It is now clear that CSS leads to serious problems that endanger the basis of information security and do not bring the hoped-for benefits. Instead, there are additional security loopholes.
Search of end devices
Lately, the EU Commission and law enforcement authorities have repeatedly addressed the issue of circumventing secure encryption. In mathematical terms, we cannot carry strong encryption out without stored duplicate keys or deliberately weakening the technologies used. One has therefore switched to forcing access to the data sought either on the platform itself, i.e. on the operator’s servers, or directly on the end devices. Messenger platform providers are the first choice. Some try to protect access to customer data through additional encryption with keys on the client. This shifts the focus back to the end devices.
A few months ago, Apple announced that the operating system would search for prohibited images on iPhone and iPad devices. The system creates checksums of digital image files and uses an algorithm to compare them with a database that contains the characteristics of the files searched for. The algorithm should also be able to recognize slightly changed images, which has already been refuted by experiments by security experts. Microsoft’s PhotoDNA works similarly for online services that work with images. The big criticism of Apple is that the search is anchored in the operating system itself. This provides a search function for content that can search for any data. The restriction on the image database used can be changed at any time by instructing the software by Apple or third parties. This also applies to any updates that can revoke the deactivation of the function at any time or make it impossible.
CSS contradicts security principles
The effects of client-side scanning (CSS) on information security and privacy have now been evaluated by renowned researchers in the form of a publication (available at the link https://arxiv.org/pdf/2110.07450.pdf). Related approaches in the past and the effects of security gaps on working with CSS-enabled devices were examined. The result contradicts the promises of all supposedly safe filters and search technologies. Shifting the capabilities for a search from the servers of a platform to the client enables serious attacks. It renders the protective mechanisms on the end device effectively ineffective. In addition, we can find any data with the search infrastructure, as they based the search on configurable comparisons. Thanks to the deep integration into the operating system, the search can be continuously adapted and carried out. CSS is thus a de facto invasion of privacy across the board. When used on company systems, the effects are much worse, since access to sensitive data is given – regardless of company policy. In the event of possible weak points in the CSS implementation, industrial espionage goes unchecked. For example, you only need to look for contact details instead of images. A graph then automatically results that show who is in contact with whom. That would be the raster search by operating system feature across all branches of the economy of all countries.
In addition, the lack of disclosure of the search infrastructure and the associated algorithms is a serious problem. Content on social media platforms is already subjected to automated filters. The criteria are not published. Reports of blocked accounts without justification have been criticized in the past. Even with a complaint about wrong decisions, there is no insight into the internal structure of the cause. If this behavior is transferred to CSS, then this problem is also transferred to the daily use of smartphones or tablets.
Philosophy of security
The last 50 years of experience with information security have brought a large pool of experience and tested concepts with them. Secure communication protocols and secure systems have very clear technical specifications that must be met. There is no room for negotiation with mathematical concepts. Fundamental building blocks for security are completely controllable platforms for your own software and strong encryption algorithms without intentionally built-in weaknesses or back doors. Misuse of digital infrastructure cannot be prevented by CSS. The opposite is the case, as any complexity that is artificially introduced through client-side scanning (CSS) can harbor further security risks. CSS was introduced in order to not abolish end-to-end encryption but to allow to search for prohibited content. This squaring of the circle is not possible, since numerous weaknesses in the design have been found since Apple’s plans became known.
If digitization is to be taken seriously, information security is not negotiable. Business, government agencies and civil society must be able to rely on protecting their data. Many components are already built into current systems that are poorly documented and contain potential weak points. CSS is another building block to build new threats.
Security intelligence platform
The DeepINTEL Security Intelligence Conference, which takes place annually in Vienna, focuses on the analysis and strategic discussion of information security. The attackers’ methods, incidents, connections between attacks and approaches for reconnaissance and investigation are discussed. Planning for an effective defense of digital infrastructure requires very good preparation and knowledge of many contexts. Current topics discussed at DeepINTEL are the capabilities of new ransomware, the structure of cyber crime syndicates, state-supported groups and investigations into current attacks.
Programs and booking
The DeepSec 2021 conference days are on November 18th and 19th. The DeepSec trainings will take place on the two preceding days, November 16 and 17. All trainings (with exceptions) and lectures are intended as face-to-face events, but because of possible future COVID-19 measures, they can take place partially or completely virtually. There will be a stream of lectures for registered participants.
The DeepINTEL Security Intelligence Conference will take place on November 17th. Since this is a closed event, we ask for direct inquiries about the program. We provide strong end-to-end encryption for communication: https://deepsec.net/contact.html
You can order tickets for the DeepSec conference and training courses online at any time under the link https://deepsec.net/register.html. Sponsor discount codes are available. If you are interested, please contact firstname.lastname@example.org. Please note that we depend on timely ticket orders because of the security of planning.