FBI-Apple Battle Reveals Possible iPhone Security Loophole

Although the Cupertino-based company claimed that it cannot extract data, software can be built and uploaded to the phone that would act as a kind of malware and allow a computer to guess the phone’s passcode an unlimited number of times without the risk of erasing its data.

(TNS) -- Around the time of the eighth major release of its mobile operating system in September 2014, Apple made a bold statement: Not even it could crack the software’s updated pass code protections.

“Unlike our competitors, Apple cannot bypass your pass code and therefore cannot access this data,” the Cupertino company bragged on its website. “It's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

Eighteen months later, it’s still true that Apple doesn’t possess the ability to actually bypass those pass codes. But by asking a federal court to force Apple to provide access to data on the iPhone of San Bernardino shooter Syed Rizwan Farook, the FBI has shown that technically, Apple could get past some of its own protections — just not, perhaps, in the way Apple might have originally envisioned.

The episode could force Apple to re-evaluate how it approaches security on its devices.

Already, the company reportedly is developing safeguards that would make the debate over whether it can comply in the manner the FBI is requesting moot.

An email sent to an Apple spokesperson requesting comment was not returned.

Last month, a federal magistrate in Riverside ordered Apple to write software that would allow law enforcement to unlock Farook’s iPhone 5c. Such software would appear to the smartphone’s operating system as a valid update from Apple, but serve as a kind of malware that, among other functions, would allow a computer to guess the phone’s pass code an unlimited number of times without the risk of erasing its data.

That effort would take place in a forensics lab housed on Apple’s campus. Apple argues that it would be unduly burdensome and unreasonable to be forced to create such software.

Creating the software would not be the same as bypassing the phone’s encryption, something that even the FBI appears to concede is impractical.

Way to unlock iPhone

Instead, by using a combination of switching the phone on and off and pressing the home and power buttons, firmware updates can be made to a locked iPhone that is connected to a computer with a USB cable, explains Andrew Blaich, Bluebox Security’s lead security analyst.

The FBI could hire its own programmers to write the update. But the agency and anyone it might hire would not have legitimate access to the cryptographic code-signing key that underlies authentic Apple software. This key helps iPhones recognize software in the same way your friends recognize you from day to day.

In practice, this process tells a computer, such as an iPhone, that the update is coming from Apple and not, say, the New York Police Department. Without access to that code-signing key, the FBI wouldn’t be able to update Farook’s phone and guess at his possible pass code until it inevitably cracks it.

The need for such keys is not unique to Apple software, said Blaich. It’s how software updates generally work, he said.

“As long as you control the signing keys to the firmware, and that software is signed by that key, that code can load on any phone, any tablet, any device,” he said.

“Apple still can’t go in and bypass that pass code themselves,” Blaich said, implying that if a pass code is long enough no manner of attack would be practical enough to crack it in a reasonable amount of time. “Even with the FBI case, they still need to guess the password to get in.”

But, said Anna Lysyanskaya, a computer science professor at Brown, that’s the dilemma Apple faces. The fact that Apple itself can potentially force its way into an iPhone means — in a sense — it can technically comply with the FBI’s request.

“This is not something that should be surprising to them,” said Lysyanskaya. “I think they made the choice to make everything updatable,” even the safeguards protecting pass codes, “so that life would be easier for them, for debugging purposes.”

In order to call something secure, she stated in a recent social media post, a company has to ensure that no one can break into it — and that means “no one, not even Apple.”

“I think they were aware of the choices that they made, but because they never intended to update their operating system in the way that would bypass the password, they said: ‘OK, it’s secure because we are never going to create this version of the iOS,’” Lysyanskaya said.

Ultimately, she said, that was a mistake.

Apple’s powerful allies

No matter the motives behind Apple’s resistance to the court order to aid the FBI, the stakes are high. High enough that Microsoft, Google, Facebook and others soon are expected to file legal briefs either separately or jointly in support of the company’s cause.

“Compelling Apple to create software in this case will set a dangerous precedent for conscripting Apple and other technology companies to develop technology to do the government’s bidding in untold future criminal investigations,” the company wrote in a motion to vacate the federal magistrate’s order, filed last week.

“If the government can invoke the All Writs Act to compel Apple to create a special operating system that undermines important security measures on the iPhone, it could argue in future cases that the courts should compel Apple to create a version to track the location of suspects, or secretly use the iPhone’s microphone and camera to record sound and video.”

In a strong statement on a page about privacy on Apple’s website, chief executive Tim Cook has made his position clear.

“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” he wrote, in a public letter. “We have also never allowed access to our servers.

“And we never will.”

©2016 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.