Apple Hackers, Crypto Experts Ask Courts to Vacate Order

An amicus brief filed on behalf of well known past and present Apple hackers asks the government to vacate its order asking Apple to unlock a terrorist’s phone.

SAN FRANCISCO—A laundry list of past and present iPhone experts and cryptography experts today filed an amicus brief asking the courts to vacate their order mandating Apple assist the FBI in unlocking a phone belonging to San Bernardino shooter Syed Farook.

Filed by Jennifer Granick and Riana Pfefferkorn of the Stanford Law School Center for Internet and Society, the brief argues that the order endangers public safety and sets a precedent where the government and law enforcement could request similar access to other phones, and not just the one phone as is stated in the order.

“As experts, it is amici’s opinion that the dangers of forcing companies to denigrate the security of their products and of allowing law enforcement to commandeer consumer devices for surveillance purposes are too great,” the brief said.

The experts involved include Charlie Miller, the first researcher to hack and control and iPhone, current iOS researchers and forensics experts Dino Dai Zovi and Jonathan Zdziarski, crypto experts Hovav Shacham, Dan Boneh and Bruce Schneier.

They are arguing that the custom version of iOS the FBI is after would be used on other iPhones in the future; it’s been uncovered that Apple has already received a dozen similar requests from law enforcement, and that New York State district attorney Cyrus Vance said his offices have 175 devices it would like unlocked.

“This spread increases the risk that the forensic software will escape Apple’s control either through theft, embezzlement, or order of another court, including a foreign government,” the brief says. “If that happens, the custom code could be used by criminals and governments to extract sensitive personal and business data from seized, lost, or stolen iPhones, or it could be reverse engineered, giving attackers a stepping stone on the path towards their goal of defeating Apple’s passcode security. Compelling Apple to create forensic software for the government is also dangerous due to any bugs the software might contain.”

The brief also notes that nothing in the All Writs Act or the court order would make similar updates to smart TVs or laptop cameras off limits, and that bypasses in those realms pose worse security and privacy repercussions, and could put personal safety at risk.

From a technical perspective, the experts warn that should the order be upheld, it would undermine the trust and reliability consumers have in automatic software update mechanisms.

“The belief that such an update could be spyware that a company was forced by the government to sign and distribute might lead people to turn off automatic updates,” the brief says. “This would render software patches less effective and the general public less secure.”

The FBI request essentially boils down to it having the ability to have a computer guess the phone’s passcode. Currently, security on the device requires manually entered guesses and inserts an escalating time lag between incorrect guesses before eventually wiping the phone after 10 failed tries. The court order asked Apple to build new firmware that would disable those protections, and insists this is a one-time request.

The brief concedes that while Apple has complied with some data extraction requests in the past, it did so on older phones running iOS 8.0 or older. On these devices, it was able to extract data because it was not encrypted using a key generated from the user’s passcode as is the case with newer phones.

Also worrisome from the experts’ point of view is that the requisite firmware update would have to be cryptographically signed by Apple. This mechanism, the brief says, is an implied assurance to customers that Apple will not manipulate their devices and that the software is safe to run and cannot be turned into a FBI surveillance device.

“The Order would compel Apple to create new software that does not currently exist, to carry out a capability Apple does not presently have,” the brief says. “This is the first time any Court has ever publicly ordered a vendor to do something like this.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.