Endpoint

2/23/2016
09:38 AM
FAQ: Here's What You Need To Know About The Apple, FBI Dispute

The case marks a watershed moment in the debate over national security interests and privacy rights.

The dispute over Apple’s refusal to help the FBI unlock an iPhone recovered from San Bernardino terror suspect Syed Farook marks a watershed moment in the heated debate over national security interests and data privacy rights.

Regardless of whether Apple or the US government prevails, one thing is already clear: the case will be precedent-setting.

Those who side with Apple in the dispute see it as a test of the industry’s ability to resist persistent government efforts to weaken security and enable backdoors in technology products under the aegis of national security. Those sympathetic to the government’s view see Apple’s arguments as grandstanding by the world’s most valuable company over an issue with legitimate national security implications.

Here is a quick primer on what the issue is all about:

What does the FBI want?

The FBI wants Apple to help it unlock an iPhone 5C recovered from Farook, who was killed in a shootout with police shortly after he and his wife Tashfeen Malik allegedly shot dead 14 people in a terror attack last Dec 2 in San Bernardino. The FBI wants to know if the phone holds information pertinent to the terror attack, particularly about potential co-conspirators.

Following Apple's refusal to help, the Department of Justice filed a motion with the US District Court for the Central District of California asking it to compel Apple's compliance. On Feb 16, the court issued an order directing Apple to provide the assistance the FBI requested.

Why can’t the FBI unlock the phone?

The phone is encrypted and protected with a passcode. The data on it is encrypted with keys derived from that passcode and from a unique hardware key fused into the phone's processor, so a guess cannot be checked on any other hardware: every attempt has to be run on the phone itself. On top of that, iOS enforces a lengthening delay between attempts after each failed passcode entry, and a setting that, when enabled, erases the key material needed to decrypt the data after 10 failed attempts, leaving the data unrecoverable. If the FBI fails to guess the passcode within 10 attempts, it risks irretrievably losing everything on the device.

What does the Court want Apple to do?

Magistrate Judge Sheri Pym wants Apple to write a recovery bundle or software image file (SIF) that will override the auto-erase feature, remove the enforced delay between passcode retry attempts, and let passcodes be submitted to the device electronically rather than typed in on the touchscreen. The goal is to give the government a way to brute force its way into the device through automated passcode guessing without fear of losing the data, and without having to wait out lengthy delays between tries.

So why isn’t Apple helping them?

Apple CEO Tim Cook has argued that providing the FBI with the help it wants is akin to giving the government a master key for unlocking encryption protection on all iPhones. He, like many other technology leaders, contends that strong encryption is critical to protecting sensitive data against cyber criminals and nation-state actors.

Cook has argued that complying with the court's order would mean writing a new version of iOS that circumvents many of the security features Apple has built into the platform over the years. Such software would give anyone with access to it the ability to unlock any iPhone, he has noted.

So Apple is right?

Not entirely. Despite Cook's claims about the government wanting a master key, the specific software the court wants Apple to write would work only on the iPhone 5C and other models without a Secure Enclave, and even then with some effort. That's bad, certainly. But not quite as bad as giving the government a key that unlocks all iPhones, which is what Cook has said the government wants. The FBI insists that what it wants is very narrow: to recover data from just the recovered phone.

Why is it not a master key?

Though the iPhone 5C offers robust encryption, it has one major weakness: the auto-erase feature and the retry delay are enforced in software, so both can be switched off by a firmware update of the sort the court wants. The encryption itself is not removed; what the update removes are the limits on how many guesses can be tried and how fast. Anyone with the right resources, including the FBI, could probably build such firmware, but it would need to be digitally signed by Apple before an iPhone would install and run it.

On its own, the SIF the Court wants Apple to develop would not be enough on newer iPhones with Touch ID and the A7 processor or later, according to security experts. These models include a co-processor called the Secure Enclave (SE) that is not controlled by iOS.

In those devices the user's passcode is inextricably tied to a unique key stored in the SE, and the SE enforces the retry delay itself, outside the reach of an iOS update. To unlock a newer iPhone, the FBI would need a firmware update for iOS and a separate firmware update for the SE to get at the key it holds, which is not something the Court has asked for. A firmware update of the sort the Court is asking Apple to deliver would be of little use by itself on a newer iPhone without some way to recover the key stored in the SE.
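The mechanics behind the two answers above (why every guess has to be checked on the phone, and what the court-ordered software image does and does not remove) in a small simulation. This is an added example, not code from Apple, the FBI or the article. The UID values, the lockout schedule and the 80 ms per-guess cost are constructed stand-ins, and PBKDF2 with the UID as salt replaces iOS's AES-based key tangling; the property that matters, that a guess cannot be verified without the device's own key, is preserved.

```python
"""Toy model of the iPhone 5C passcode lock described in the FAQ.

Constructed illustration, not Apple's code. It models three things: the
passcode-derived key is entangled with a device-unique key (UID) that
never leaves the chip, so guesses must be checked on the device itself;
a software-enforced retry counter that wipes the key material after 10
failures; and escalating delays between attempts. firmware_bypassed=True
stands in for the software image the court ordered Apple to produce,
which removes the wipe and the delays but not the UID entanglement.
"""
import hashlib
import hmac
import itertools

# Stand-ins for the per-device UID fused into the processor (values made up).
DEVICE_UID = bytes.fromhex("5b1d7e3a9c4f2e8d0a6b3c1f7d9e2a4b")
OTHER_DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")

# iOS calibrates key derivation to roughly 80 ms per guess on the device.
# The simulation charges that cost instead of measuring wall-clock time.
DERIVATION_SECONDS = 0.08
PBKDF2_ITERATIONS = 1_000  # kept low so the simulation runs in well under a second

# Illustrative lockout schedule: seconds to wait before the next attempt,
# keyed by the number of cumulative failures so far (assumed values).
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
WIPE_AFTER = 10  # failed attempts before the key material is erased


def derive_key(passcode: str, uid: bytes) -> bytes:
    """Key derived from the passcode, salted with the device UID.

    Real iOS tangles the passcode with the UID through the AES engine; PBKDF2
    with the UID as salt is a simplification that keeps the same property:
    without this device's UID, a guess cannot even be verified.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, PBKDF2_ITERATIONS, dklen=32)


class PasscodeLock:
    def __init__(self, passcode: str, uid: bytes = DEVICE_UID, firmware_bypassed: bool = False):
        # The device keeps a verifier of the derived key, never the passcode itself.
        self._uid = uid
        self._verifier = hashlib.sha256(derive_key(passcode, uid)).digest()
        self.bypassed = firmware_bypassed
        self.failures = 0
        self.wiped = False

    def try_unlock(self, guess: str):
        """Return (outcome, simulated_seconds) for one attempt.

        outcome is 'ok', 'wrong' or 'wiped'. After a wipe every further
        attempt fails immediately because the key material is gone.
        """
        if self.wiped:
            return "wiped", 0.0
        wait = 0 if self.bypassed else DELAY_SCHEDULE.get(self.failures, 0)
        candidate = hashlib.sha256(derive_key(guess, self._uid)).digest()
        cost = wait + DERIVATION_SECONDS
        if hmac.compare_digest(candidate, self._verifier):
            self.failures = 0
            return "ok", cost
        self.failures += 1
        if not self.bypassed and self.failures >= WIPE_AFTER:
            self.wiped = True
            return "wiped", cost
        return "wrong", cost


def brute_force(lock: PasscodeLock, digits: int = 4):
    """Try every numeric passcode in ascending order until success or wipe.

    Returns (passcode_or_None, attempts_made, simulated_seconds).
    """
    elapsed = 0.0
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        guess = "".join(combo)
        outcome, cost = lock.try_unlock(guess)
        elapsed += cost
        if outcome == "ok":
            return guess, attempts, elapsed
        if outcome == "wiped":
            return None, attempts, elapsed
    return None, attempts, elapsed


if __name__ == "__main__":
    stock = PasscodeLock("0417")
    print("stock firmware :", brute_force(stock))    # wiped on the 10th guess
    patched = PasscodeLock("0417", firmware_bypassed=True)
    print("bypass firmware:", brute_force(patched))  # recovers 0417 after 418 guesses
    # The bypass still needs this phone's UID: the same guess on other hardware
    # derives a different key, so the search cannot be moved off the device.
    print("same guess verifies with another UID:",
          derive_key("0417", DEVICE_UID) == derive_key("0417", OTHER_DEVICE_UID))
```

With the stock lock the tenth wrong guess wipes the key material and the data is gone, which is exactly the risk the FBI cannot take. With the bypass the search still runs on the phone at the hardware-bound rate of roughly 80 ms per guess, so all 10,000 four-digit codes take under 15 minutes and all one million six-digit codes around 22 hours; that per-device cost, not the firmware, is what is left protecting a long alphanumeric passcode, and it is why the order also asks for electronic passcode submission.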

So Apple technically has a way to comply with the FBI’s request without jeopardizing encryption on all iPhones?

Technically speaking, yes, as Dan Guido, co-founder of Trail of Bits, explains in detail in this blog post.

Is FBI director James Comey right when he says the SIF would work only on the specific iPhone recovered from Farook?

Not quite. Comey has insisted that the FBI only wants something that will override the protections on Farook’s phone. But Cook and numerous security researchers have noted that there is no such thing as developing software for unlocking just one iPhone. A firmware update developed for Farook’s phone could most likely be used to unlock any other iPhone 5C in the government’s possession as well.

Even if Apple could somehow lock it so it works only on one phone, the Court wants the company to install the SIF at a government facility or give the government remote access to the phone after the software is installed.

Either way, the government would have access to firmware that it could use to try and crack the encryption protections on other similar iPhones. Cook has warned that once the information on how to bypass the passcode protection is known, the encryption can be defeated. “The government suggests this tool could only be used once, on one phone. But that’s simply not true,” Cook has said.

What is this I keep hearing about the FBI blowing its chance to recover data from Farook’s phone?

In the days following Farook's death, the FBI, with the help of San Bernardino county officials, reset the password to his iCloud account to recover data backed up from the phone. (Farook worked for the county government, and the phone recovered from him was county-issued.) The FBI has said the last backup of Farook's iPhone 5C happened on October 19, more than a month before the shooting.

Apple contends that the government might have gotten a more recent backup if it had simply connected the phone to a known Wi-Fi network, such as the one in Farook's house. That's because the phone most likely would have backed up automatically once it was connected to a power source and a known wireless network. Resetting the iCloud password foreclosed that option, since the phone could no longer authenticate to the account.

The FBI's response is that even if that were indeed the case, there still could be a lot of data on the device that is not backed up and which could prove vital to their investigation. According to the FBI, its previous experience has shown that direct data extraction from the device provides a lot more data than can be gathered from an automatic backup.

What support does Apple have for its position?

A lot. Several technology leaders, cryptographers, and technology vendors like Google and Facebook have expressed support for Apple’s position. They agree that complying with the government’s demand would seriously weaken encryption protections, result in more such demands from government, and set a bad precedent for other governments around the world.

But many are sympathetic to the government’s position as well. In fact, 51% of those polled in a national survey of 1,002 US adults by the Pew Research Center, support the FBI and want Apple to unlock the phone. A smaller proportion (38%) said the company should not do so, while 11% are undecided. Relatives of some of the victims of the terror attack have said they will file a motion supporting the government’s request to get Apple to unlock the device.

What happens now?

Apple has until Feb 26 to file its objections to the court's order. It's unclear what legal basis the company will use to justify its decision not to comply. The court could throw out Apple's objections and order it to assist in unlocking the device. If Apple still refuses, it could be held in contempt of court and ordered to pay fines, and, theoretically at least, an Apple executive could be sent to jail.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Joe_Shmoe, User Rank: Apprentice, 2/24/2016 11:38:56 AM
It is not about Apple or FBI's position. It is about voting
This is a mind trick. It is not about Apple not wanting to unlock the device. It is about involving the general public and having the public vote with their opinions. Once that is done, there is no way you can oppose it because that is how democracy works in the USA. 51% vote pro and the rest does not matter because 51% said yes. 

So what I make of the whole sh%# show they are putting up, is that from now on, anyone's device will be accessible regardless of security measures you put in place. 
RyanSepe, User Rank: Ninja, 2/23/2016 2:18:31 PM
10 Login Attempts?
Is that true? Ten failed login attempts deleting data sounds ridiculous. If this is true, what data in particular is deleted? Is it some of it, or all of it?