Now that the Apple-FBI story has gone mainstream with rallies supporting CEO Tim Cook scheduled for Apple stores nationwide, presidential candidates weighing in, and a cute hashtag (#FBiOS) affixed, it appears that Apple can technically comply with the judge’s order if must.
Security company Trail of Bits founder Dan Guido wrote a detailed explanation of the crypto mechanisms protecting iOS and how they apply to the older iPhone 5c belonging to dead San Bernardino shooter Syed Farook.
Farook’s phone was issued to him by the San Bernardino County Department of Public Health where he was an employee. It was found in the aftermath of last December’s shooting when Farook and Tashfeen Malik gunned down 14 people and wounded 22 others. The FBI, since, has been unable to unlock the phone and learn of any other contacts or data pertinent to the investigation.
On Tuesday, U.S. Federal Magistrate Judge Sheri Pym ruled that Apple must assist the FBI in cracking the phone by providing a firmware update that would bypass built-in passcode protections that introduce a lag between incorrect guesses and eventually wipe the phone.
PIN guesses must be entered manually, preventing any automated means of guessing via a port on the device, Bluetooth or Wi-Fi. The FBI wants the update to disable or bypass the auto-erase capability, eliminate delays between incorrect guesses and allow for the electronic entry of PINs.
“In plain English, the FBI wants to ensure that it can make an unlimited number of PIN guesses, that it can make them as fast as the hardware will allow, and that they won’t have to pay an intern to hunch over the phone and type PIN codes one at a time for the next 20 years — they want to guess passcodes from an external device like a laptop or other peripheral,” Guido wrote, adding that he believes this is possible.
The iPhone 5c is not protected by Apple’s Secure Enclave, which Guido describes as a separate computer inside iOS that brokers access to encryption keys for services such as file encryption, Apple Pay, Keychain and more. Secure Enclave was introduced in 2014 with iOS 8, about a year after the 5c was released.
“Think of this like the 2-key system used to launch a nuclear weapon: the passcode alone gets you nowhere. Therefore, you must cooperate with the SE to break the encryption,” Guido said. “The SE keeps its own counter of incorrect passcode attempts and gets slower and slower at responding with each failed attempt, all the way up to 1 hour between requests.
“There is nothing that iOS can do about the SE: it is a separate computer outside of the iOS operating system that shares the same hardware enclosure as your phone,” Guido added.
Guido said that with devices equipped with Secure Enclave—any iPhone with TouchID—separate firmware updates for Secure Enclave and iOS would enable a bypass. For the 5c, a single update to iOS would do the trick, Guido said.
“I believe it is technically feasible for Apple to comply with all of the FBI’s requests in this case,” Guido said. “On the iPhone 5C, the passcode delay and device erasure are implemented in software and Apple can add support for peripheral devices that facilitate PIN code entry. In order to limit the risk of abuse, Apple can lock the customized version of iOS to only work on the specific recovered iPhone and perform all recovery on their own, without sharing the firmware image with the FBI.”
Guido said that with the bypass, one could fire off one passcode every 80 milliseconds, a big leap form one passcode per hour after enough lags.
“After the elimination of passcode delays, it will take a half hour to recover a 4-digit PIN, hours to recover a 6-digit PIN, or years to recover a 6-character alphanumeric password. It has not been reported whether the recovered iPhone uses a 4-digit PIN or a longer, more complicated alphanumeric passcode,” Guido said.
Since it’s technically feasible, the tug of war between Cook and the FBI expects to get messy. The court order mandates only a one-time firmware update for this one device, but as Cooks and privacy advocates at the Electronic Frontier Foundation and elsewhere said, it would set a precedent.
“The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data,” Cook said in a public letter published yesterday. “The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.
“Opposing this order is not something we take lightly,” Cook said. “We feel we must speak up in the face of what we see as an overreach by the U.S. government.”