iOS 6 granted FIPS 140-2, approved for U.S. government use

Summary: Move over, BlackBerry. iPhones and iPads running iOS 6 are now certified for low-level secure government use.

iOS 6 granted FIPS 140-2 certification. (Image: CNET)

Apple's iOS 6 mobile operating system is now secure enough for low-level work in the U.S. government after it passed security certification.

The National Institute of Standards and Technology (NIST), which examines and tests mobile devices for security and validation purposes, granted the Apple mobile platform FIPS 140-2 certification (Level 1) last Friday. At this level, devices running the platform can be used in conjunction with the lowest level of security clearance.

It comes just days after the U.S. Department of Defense was reportedly in talks with Apple and Samsung in a bid to approve the two firms' devices for government use. It follows the dropping of an exclusive contract the Dept. of Defense had with BlackBerry — then named Research in Motion — late last year.

The U.S. government's approval comes seven months after its U.K. counterpart first approved iOS 6-based iPhones and iPads. U.K. government workers are only allowed to use the devices for data deemed "restricted" or below.

The agency said in a validation document that it tested iOS 6.0 running on an iPhone 4, 4S, and an iPad (in single-user mode).

It's not clear, however, if devices running iOS 6.1, or any subsequent update, are covered under the certification.

iOS 6.1 contained a lock screen bug that allowed any potential hacker with access to an affected device to unlock the phone or tablet without knowing the passcode. iOS 6.1.3 fixed the lock screen bug, but also contained yet another flaw that allowed access to some areas of the iPhone while locked.

The validation document states: "The Apple iOS CoreCrypto Kernel Module is a software cryptographic module running on a multi-chip standalone mobile device and provides services intended to protect data in transit and at rest." CoreCrypto uses FIPS-approved algorithms, such as 3DES, AES, SHS, and around a dozen other algorithms.

Allowing iOS 6-powered iPhones and iPads into the government workspace could considerably change the landscape of market and usage share, as well as the direction in which tax-funded IT models shift.

Up until now, only BlackBerry devices had been in wide U.S. government use. The latest BlackBerry 10 devices were given the government go-ahead with FIPS 140-2 certification by both the U.S. and Canadian governments, two months before the next-generation devices were even released.

But with the decline in BlackBerry popularity and a slower-than-expected release schedule for the latest BlackBerry 10 smartphones, many government departments were preparing to jump ship to rival platforms, or already have.

U.S. Immigration and Customs Enforcement (ICE), a division of U.S. Homeland Security, said it would pull the plug on its 17,600 employee BlackBerrys and favor iPhones instead. The deal, according to a "solicitation" document, would be worth $2.1 million — to the U.S. taxpayer, at least.

The National Transportation Safety Board (NTSB) followed suit, but not without a public flogging. The NTSB slammed the BlackBerry maker's devices for "failing both at inopportune times and at an unacceptable rate," and named the iPhone as the prime contender to replace the agency's 400 employee devices.

Talkback

  • iOS 6 granted FIPS 140-2, approved for U.S. government use

    Kudos Apple…
    daikon
    • Are you literate?

      Your vocabulary seems to contain only 5 words.
      OwlllllNet
      • Are YOU literate Owlnet?

        Or are you simply upset that your precious Windows Phone Device wasn't even a blip on the government's radar?
        athynz
    • Clue

      Write something to defend your case...
      OwlllllNet
      • No need to defend anything, the approval speaks volumes

        iOS 6 granted FIPS 140-2, approved for U.S. government use;

        Overall Level: 1
        -Operational Environment: Tested as meeting Level 1 with iOS 6.0 running on an iPhone4; iOS 6.0 running on an iPhone4S; iOS 6.0 running on an iPad

        Kudos Apple…
        daikon
        • The Approval means nothing!

          This FIPS standard is a rubbish standard made by the US government.
          It ignores the glaring basic flaw in iOS: icloud security.

          It doesn't matter how secure the phone is if it defaults to backing up all its information to the cloud. It boils down to the security of the cloud service.

          Only 2 weeks ago, Apple had to shut down the iForgot system because it allowed hackers to submit forms to reset passwords. Apple initially replaced the page that was used to submit the Apple ID resets, but that didn't stop hackers submitting form data to the servers which continued to reset Apple IDs. Apple didn't understand this and had to shut down the iforgot service altogether.

          Has Apple ever had its icloud security be audited under any security standard? NO
          Which is probably why they continue to label it as a BETA trial service so they have an out in the event of security collapses.

          It just works, for the hackers.
          warboat
          • You state the standard is in question

            You do have some reliable source for this, correct?
            Why does one always think the US Government uses the same technology that consumers use?
            RickLively
          • special issue iphones and ipads?

            are you suggesting they get special issue iPhone 4/4s and iPads with older iOS revisions without current security patches, but with modded firmware/hardware?
            How is a security standard established before the icloud and siri proxies, sufficient for measuring the security of an idevice TODAY?
            these are ancient security standards in the mobile computing world and it only passes level 1 ( the lowest level) of 4 with regards to this standard.
            The Apple PR machine pushed out this one right after their icloud security got hacked 2 weeks ago to try and fool everyone that iOS is top notch security.
            warboat
          • FIPS 140-2

            FIPS 140-2 deals with cryptographic modules ONLY.
            Not the whole OS, or the platform, or the whole device.

            http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm

            Cert#1944 relates to "Apple iOS CoreCrypto Kernel Module v3.0"
            It was TESTED on iphone4 and 4S with iOS6.0, and iPad with iOS6.0 (doesn't specify which ipad).
            It is only testing a specific software module in the kernel, not the whole OS.
            This doesn't mean the iphone5 is not secure, nor does it mean the 4 and 4S are more secure. All it means is a portion of the software complies with the standards criteria for Level 1.
            It does not specify anything else about the phone's security and certainly doesn't specify operational criteria like cloud services, siri, etc. It does not define how the device is used.
            Basically this validation means nothing.
            Nothing to see here, move along.
            warboat
          • You really think the guberment is going to use a consumer cloud?

            If you believe this, I know of a rather large bridge I can sell you...
            Champ_Kind
          • sounds like you bought the bridge

            so you are implying that somehow they can get all their users to change defaults settings and avoid using icloud totally?
            you are going to rely entirely on users to get security right?
            yeh sounds like infallible security.
            warboat
          • Your first problem, Warboat, is that you missed one item...

            or rather, misrepresented it. Cloud backup of the devices is NOT turned on by default. It is also possible to lock that down through group policy software so that the user cannot turn it on manually. Or didn't you realize that group policy software was available for iOS devices?
            Vulpinemac
          • So how else do you suggest they backup iphone?

            itunes locally?
            Without jailbreaking, there is no other way to comprehensively backup data on the phone.
            Surely, you are not suggesting they skip backup and just pray the phones don't get damaged or go missing.
            you are right that backup is not set by default but when you setup the phone and enter your Apple ID, iCloud option is selected by default.
            If the ability to wipe a lost iphone is needed for security, then icloud is required to use Find My iPhone.
            2 weeks ago, hackers were able to reset Apple ID passwords and had the ability to wipe phones or restore icloud information, or even just sync everything to their device and just keep getting everything from your phone.
            warboat
          • @Warboat: The same group policy software provides backup

            Hardware backup. And since they're already locked down AND encrypted, they're going to be more secure than the typical consumer phone simply because they can't arbitrarily download consumer software.
            Vulpinemac
          • Consumer Cloud Govt Use

            Sure, it is immaterial as long as the data is secured.

            Are you a government person? Did you type your message here? Guess what… You contradicted yourself.

            FaceBook collaboration cloud service, no, the government would never use that…

            The Twitter microblogging cloud service, no government person would ever consider…

            And let's not forget usa.gov link shortener, a nifty but limited cloud service supplied from the "dot gov" domain but uses bit.ly as its implementation.

            The government would never have a "Cloud First" policy stipulating that agencies should go to existing cloud solutions before considering building the $500 screw driver style internal mismanaged and badly designed IT system. No, our government proudly insists on overpriced last century IT solutions because they are more secure! (badly designed means harder to understand. Fewer people using them means less who understand, voila! Secure!)

            Then again, maybe we have launched past the crusty old IT weenies… Who knows!

            http://www.govtech.com/blogs/lohrmann-on-infrastructure/Cloud-First-Policy--121910.html
            AnthonyOndre
          • What makes you think

            the US Government is going to use or allow to be used the consumer iCloud?
            athynz
          • there's a government icloud?

            are you suggesting they have a special icloud using special iphones that's not run by Apple?
            If you are suggesting they use 3rd party cloud solutions then that restricts what they can and can't backup.
            If you are suggesting they use the iphone without logging in with an Apple ID, then what the hell do they need an iphone for?
            warboat
          • ha, a knowledgeable fanboy?

            So, you believe iOS devices by default backup everything to iCloud? How did you learn that revelation?

            Did you consider that offer to buy a bridge? Once you own it, come back, I have a few more to sell you! Microsoft bridges, premium quality. Very secure!

            You might want to try an iOS device before making such absurd claims.
            danbi
          • iCloud Concern

            So if the data that travels through the iCloud is fully encrypted using the same certified encryption that is used in the storage system of the iOS device, how is there an issue @warboat?

            It is like saying "well, the data is encrypted safely if it is on a green hard disk but no no no, not on a blue one!".

            As long as the same cryptographic module is used to encrypt and decrypt the data and as long as the data only ever hits Apple's iCloud system encrypted (and it does), the concern is invalid.

            Consider that PKI is used for email. If it is NIST certified FIPS compliant 140-2 encryption it does not matter what router, what switch, what email server or what storage system that encrypted email sits upon, it is safe to government standards. (AES 128 minimum).

            Your iCloud point is somewhat "cloudy" .
            AnthonyOndre
          • iCloud

            So you configure the phone to not allow iCloud interoperability and not allow the user to modify the configuration.
            Stacy Delgado