Apple Fights FBI Over Disabling Security In San Bernadino Case - InformationWeek
IoT
IoT
Mobile // Mobile Devices
News
2/18/2016
06:06 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Apple Fights FBI Over Disabling Security In San Bernadino Case

The FBI wants Apple to help it crack the passcode of an iPhone owned by one of the shooters in the December San Bernardino attack that killed 14 people. But CEO Tim Cook says this demand would "undermine the very freedoms and liberty our government is meant to protect."

8 Ways To Secure Data During US-EU Privacy Fight
8 Ways To Secure Data During US-EU Privacy Fight
(Click image for larger view and slideshow.)

In an open letter to Apple customers published Tuesday evening, CEO Tim Cook said the company is challenging a court order directing it to assist the Federal Bureau of Investigation. The company was reportedly asked to help the FBI bypass security measures that protect data stored on a locked iPhone.

The FBI is trying to access the data on the iPhone of Syed Farook who, with wife Tashfeen Malik, killed 14 people in San Bernardino, Calif., in December 2015. The agency believes that data on the phone may provide useful information about other potential threats or co-conspirators. But investigators have been unable to examine the phone's data because the device is protected by a numeric passcode, according to a Department of Justice legal filing. And the FBI has not tried to guess the passcode because Apple's iPhone software includes a security feature that deletes data after 10 incorrect passcode entries.

The device, an iPhone 5c, belongs to the San Bernardino County Department of Public Health, which provided it to Farook as an employee and has consented to the government's search. The FBI has already obtained some data from Apple's iCloud service, with Apple's cooperation. But the government contends that Farook disabled the automatic iCloud backup of his iPhone data at some point, thereby preventing more recent data from being stored on Apple's servers.

[ What will the next US President do with tech? Read Where 2016 US Presidential Contenders Stand On Tech Issues. ]

"We have great respect for the professionals at the FBI, and we believe their intentions are good," Cook said in his letter. "Up to this point, we have done everything that is both within our power and within the law to help them. But now the US government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."

For years, law enforcement officials have sought government-mandated backdoors to bypass encryption. FBI Director James Comey last year testified before the Senate Judiciary Committee about the way that encryption can hinder investigations. Security experts and academic researchers have countered that backdoors cannot be controlled and will inevitably be misused. Comey has warned that encryption allows criminals to "go dark." At the same time, Peter Swire, professor of law and ethics at Georgia Institute of Technology, has argued that surveillance and data gathering have never been easier. The debate remains ongoing.

However, the Obama administration has opted not to mandate backdoors to bypass digital security measures. And Sen. Ron Wyden (D-OR) has introduced a bill that seeks to prohibit the government from requiring weak security.

Apple, in its privacy statement about government information requests, acknowledges that it complies with lawful legal demands for information that it possesses. But the company maintains it "has never worked with any government agency from any country to create a 'backdoor' in any of our products or services."

(Image: Apple)

(Image: Apple)

This case has the potential to determine whether Apple can continue to make that claim. Citing precedent in a legal filing, the Department of Justice asserts that the All Writs Act of 1789 authorizes the court "to order a third party to provide nonburdensome technical assistance to law enforcement officers."

The Department of Justice also notes that there are multiple pending unpublished orders to compel Apple's technical assistance in similar cases. However, DoJ acknowledges that a magistrate judge in the Eastern District of New York, handling one such case, has questioned the court's authority to issue a compliance order under the All Writs Act.

On Tuesday, a magistrate judge in Riverside, Calif., ordered Apple to help the FBI. The order directs Apple to provide technical assistance:

  • to bypass or disable the auto-erase function that deletes data after 10 successive attempts to enter an incorrect passcode;
  • to provide a way to automate passcode entry (thereby enabling the possibility of brute force passcode attacks); and
  • to remove any software-based mechanism that delays password entry as a method of limiting brute force attacks.

The government is asking Apple to create a custom firmware for the iPhone in question that disables security measures. Security experts Jonathan Zdziarski and Dan Guido claim that Apple has the ability to comply with this order.

(Image: AleksandarNakic/iStockphoto)

(Image: AleksandarNakic/iStockphoto)

But as Cook's letter indicates, Apple opposes being required to do so. "[W]e fear that this demand would undermine the very freedoms and liberty our government is meant to protect," Cook says.

If the iPhone were a newer model, an iPhone 6 or later, Apple might not be able to comply fully with the order. According to Zdziarski, Apple moved the passcode entry delay code from software into a hardware element called the Secure Enclave in recent model iPhones. The feature that deletes data after 10 incorrect passcode guesses, however, can still be disabled in newer iPhones, Zdziarski maintains.

Newer iPhones with TouchID are arguably less secure than older models, however. US courts allow authorities to compel a person to use his or her fingerprint to unlock a biometrically protected phone. Passwords, because they're considered to be testimonial, cannot be compelled.

Chris Eng, VP of research at security firm Veracode, said in an emailed statement that the FBI isn't asking for a generic backdoor or decryption, but a software update that applies to one specific phone. He argues that Apple has bypassed lock screens for investigators in the past and is making a stand primarily as a matter of competitive differentiation.

Yet Eng's assertion implies there's a difference between a backdoor and a software update. A backdoor is simply an abstract term for something that bypasses a security measure. And a backdoor becomes generic if it can be applied repeatedly via legal process.

The Department of Justice contends that what Apple has been directed to do is not overly burdensome. But Apple may not consider its assigned task a trivial use of engineering resources. And there's also the burden of brand damage: Any company promising data security will no longer be able to do so if authorities can require businesses to create skeleton keys on demand.

Does your company offer the most rewarding place to work in IT? Do you know of an organization that stands out from the pack when it comes to how IT workers are treated? Make your voice heard. Submit your entry now for InformationWeek's People's Choice Award. Full details and a submission form can be found here.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
theb0x
100%
0%
theb0x,
User Rank: Strategist
2/20/2016 | 11:52:52 AM
Backdoor iOS
The concept of backdooring iOS on this particular iphone may pose to be more difficult than described for several reasons.

1) Built by design, all of Apple's iphones require a WiFi connection for the firmware to be pushed due to the nature of it's large file size.

2) WiFi must be enabled on this phone, and the broadcast of existing wireless APs connected to must be sniffed with a utility such as Airodump-ng or Kismet. Upon obtaining this list of these APs, a rogue AP must be crafted to fool the phone to connect and authenticate to this rogue AP.  Unless this is accompished, this phone cannot be backdoored.

3) In order to leave all other consumers iphones to remain unaffected by this firmware update, this may also require a specially crafted cell tower simulator to notify the target phone of this update containing a digitally forged sig and push it.

 

 
vnewman2
0%
100%
vnewman2,
User Rank: Ninja
2/19/2016 | 5:34:34 PM
Re: Apple takes a page out of Ayn Rand's books
"What makes this hard is it is in response to terriost incident. 100% of Americans would like to see inside that phone in this particular case."

True.

"The problem is setting this precedent then opens it up to any activity the government wants to apply it to"

Also true.

"What do they think is on that SIM that would help us stop the next radical lunatic like this?"

I'm guessing they want to see who else they were talking to and get contact information.

But this is starting to become a made-for-TV movie now - with the Justice Department calling it a marketing ploy by Apple and Trump calling for a Boycott.  Next we will see a hologram of Jobs calling for a goverment coup.
TerryB
50%
50%
TerryB,
User Rank: Ninja
2/19/2016 | 2:16:37 PM
Re: Apple takes a page out of Ayn Rand's books
Well, they certainly won't be able to sell them in Iraq and Syria, that's for sure. :-)  Seriously, that's a huge part of issue. Europe takes their privacy much more seriously than we seem to anymore, much less rivals like China and Iran for security reasons.

What makes this hard is it is in response to terriost incident. 100% of Americans would like to see inside that phone in this particular case. Same would true if this was child porn, slave trading, or any number of crimes all people agree are despicable.

The problem is setting this precedent then opens it up to any activity the government wants to apply it to. If this crime was illegal bookmaking on the Super Bowl, would FBI be asking to crack the phone? Would everyone still feel same way about it then when maybe they were one of millions who placed a bet? It's a very slippery slope here.

Personally, I'm not sure what they think they'll find anyway. Does it really matter at this point if their next stop was the YMCA to shoot people working out? We already know they were freaking crazy. They can already get phone call records or anything else traveling thru servers. What do they think is on that SIM that would help us stop the next radical lunatic like this?
vnewman2
50%
50%
vnewman2,
User Rank: Ninja
2/19/2016 | 1:55:00 PM
Re: Apple takes a page out of Ayn Rand's books
Not to be a consirpacy theorist here, but playing Devil's Advocate:

Don't you think that some of this may have to do with the fact that Apple won't be able to sell iPhones in China if they comply with this request and they will lose mega bucks from it?  Think about it - the Chinese goverment certainly doesn't trust the US goverment and if China knows we can backdoor phones they could easily ban their sale?   Thoughts?
TerryB
50%
50%
TerryB,
User Rank: Ninja
2/19/2016 | 1:11:54 PM
Re: Apple takes a page out of Ayn Rand's books
McAfee is good but issue for 3rd party is any o/s update must have a valid digital signature from Apple. That is awesome approach, if Win and Linux had something like that then malware would not be nearly as effective.

If McAfee can truly spoof this digital signature, God help us all.
Ariella
50%
50%
Ariella,
User Rank: Author
2/19/2016 | 9:43:46 AM
Re: Apple takes a page out of Ayn Rand's books
@vnewman I think that writing instructors couldn't ask for a better real life topic to assign students working on writing arguments or preparing debates. I really can see merit for both sides. Sometimes, though, the position publicly taken for or against is somewhat surprising. I didin't expect the Financial Times to come out against Apple, but it did so here: http://www.ft.com/cms/s/2/58dd0688-d63c-11e5-829b-8564e7528e54.html?ftcamp=social/free_to_read/FT_view_Apple_/awareness/editorial&segid=0100320#axzz40cnz1xPs:

 

 
hewenthatway
50%
50%
hewenthatway,
User Rank: Apprentice
2/19/2016 | 1:49:18 AM
Re: Apple takes a page out of Ayn Rand's books
You should always restrict data transfer within the hardware.  Sure, you can always bypass software, but as far as the brute forcing a device that expires after 10 attempts...ther FBI had to call for help on this one.  It will set a precedent if apple has their engineers work on this.  It's a rare feeling, taking up for apple, but they are doing the right thing here.
vnewman2
50%
50%
vnewman2,
User Rank: Ninja
2/19/2016 | 1:03:59 AM
Re: Apple takes a page out of Ayn Rand's books
I don't disagree with your assessment. As a matter of fact, Steve Wozniak just commented that 'Steve Jobs would have fought for privacy' and would have defied court order to hack terrorists' iPhone. Tim and Steve are cut from the same cloth so it's not really surprising to me. But also, if you read Cook's statement, he basically said the Feds want Apple to build an entirely new iOS to accomplish this, which is a little hard to believe. John McAfee is definitely a loose cannon but I personally believe him when he says his team could do it.
Ariella
50%
50%
Ariella,
User Rank: Author
2/18/2016 | 9:41:04 PM
Re: Apple takes a page out of Ayn Rand's books
@vnewman in Cook's eyes, it's different if they have the data in their possession and agree to hand it over when warranted. 

BTW I came across this: an offer from Mcafee to hack the phone for the FBI and a promise that his team could get it done in 3 weeks From http://www.businessinsider.com/john-mcafee-ill-decrypt-san-bernardino-phone-for-free-2016-2:

So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.

If you doubt my credentials, Google "cybersecurity legend" and see whose name is the only name that appears in the first 10 results out of more than a quarter of a million.
jastroff
50%
50%
jastroff,
User Rank: Ninja
2/18/2016 | 6:56:18 PM
Re: Apple takes a page out of Ayn Rand's books
thanks. It was an easy pot shot, but sadly, also true.
Page 1 / 3   >   >>
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll