Thursday, July 16, 2009

iPhone in China Gets Wi-Fi-ectomy?

Widespread rumors say that Apple's release of an iPhone in China will strip out Wi-Fi. Why? I've already received emails from colleagues and reporters on this, and was even cited in a Slashdot story that I had nothing to do with because of my previous comments about WAPI, a Chinese-controlled proprietary security standard.

Why would Apple strip out Wi-Fi, which is the heart of the ubiquitous-access iPhone, which seamlessly moves among 2G, 2.5G, 3G, and Wi-Fi? It can't be cost. The Wi-Fi components are a few bucks of the total, and the engineering is already done. Removing Wi-Fi could cost more initially than including it. (For all I know, Apple will include the chip and disable functionality in firmware.)

The overt explanation appears to be that the Chinese government, which has highly intertwined interests with major corporations, wants to protect call revenue from VoIP. An iPhone with Wi-Fi could be used with a VoIP app like Skype, or, if restricted, could be jailbroken and used with VoIP programs over both Wi-Fi and 2G/3G systems. (China is far behind on 3G deployment due to years of conflict over homegrown standards and those used internationally.)

What's likely another contributing factor is that there's no way in the lord's little green valley that Steve Jobs and Apple will incorporate the WAPI spec into an iPhone. China tried to get WAPI made into an ISO standard, but was rejected because of the fundamental problem that the China Broadband Wireless IP Standard Group (the representative at ISO at the time) won't actually publish the full standard, and won't publish any of the cryptographic part. (You can read more that I've written about WAPI over the years.)

As long-time readers of this site know, I don't buy into security through obscurity. Nor do any credible security researchers that I know or follow. There's a good reason for this. Working in isolation is a great way to leave vectors for exploitation that exposure to light finds. But that's not really what's at work with WAPI.

WAPI is controlled by a number of companies that are themselves controlled by, or have investment from, the military and government. This is typical in China, in which private firms aren't quite private. The military also has extensive investments and ownership separate from the main government.

A closed spec tied to firms tied to the government and military means only one thing: WAPI has backdoors designed to allow authorities to tap into datastreams when they please. The 802.11i spec, labeled as WPA and WPA2, has no known backdoors or vulnerabilities that would allow this. (There's one TKIP vulnerability for inserting a small number of short packets in particular circumstances that doesn't allow key recovery.)

The reason Apple won't buy into this is that any company outside China that wants to conform to WAPI in order to release products with Wi-Fi--I'm unclear whether it's a strict requirement now, as that's come and gone--must partner with a Chinese firm which maintains control. As all firms outside China know, if you reveal your intellectual property to a Chinese firm, a few months or a year later, that firm now makes your product or incorporates your IP, and IP rights in China are extremely poorly enforced, especially when a government- or military-controlled firm has just lifted your property.

By removing Wi-Fi, Apple gets to avoid a whole army of mess. The Chinese government gets to snoop on its easily monitored cell networks and maintain additional control--and preserve profit margins, too.


