One of the San Bernadino shooters in last December’s attack had a work iPhone that, apparently, was locked. Also, apparently, the organization that the shooter worked for was not using device management software, which would allow them to control the device.
The FBI wants to unlock the phone but doesn’t know how to do it.
They have asked and a Federal District Court Magistrate Judge has granted an order to require Apple to create a special version of iOS which doesn’t have security features, install that on this phone after the fact and let the FBI then extract the data from the phone.
Apple CEO Tim Cook says that, while he respects the FBI and justice system, he is not going to do it. The judge has told Apple to tell the FBI how much it will cost and she expect the FBI to write a check.
As best I can tell, a Federal Magistrate Judge is an assistant judge appointed by the District Court judges to help them in certain, limited matters. That means that this ruling can be appealed, at least, to the Appeals Court and the Supreme Court. It also may be reviewed by the District Court itself.
Some people say this is not a risky proposition – that all Apple has to do is create a new version of the firmware that allows the FBI to try every possible combination of passwords without the phone bricking itself. Assuming he used a 4 digit PIN, that would likely take a matter of seconds since there are only 10,000 combinations.
If, however, the user chose a relatively weak 8 letter password, then instead of 10,000 possibilities there would be a few more (depending on which characters are allowed, I am thinking there are around 722,204,136,308,736 possibilities) which would take considerably longer. Experts, by the way, now say that an 8 character password is no longer secure.
If instead, you chose, say, a 12 character password, we are talking a lot of possible passwords.
Tim Cook, CEO of Apple, in a letter on the company’s web site said that this is a much bigger issue than a magistrate judge in a district court should decide. Apparently, Apple was not allowed to participate in the hearing that created this opinion.
The odds of being able to keep this version of the software secret is almost zero. It just won’t happen. If it exists, it would be a prized target for hackers.
The version that the FBI is asking for would require physical access to the phone, but a cell phone gets stolen in the U.S. about once every 3 seconds, so that doesn’t seem like much of a bar.
Once the hacker has your phone, he or she would have access to your online banking and maybe even your ability to unlock your front door, along with everything else on your phone.
Of course, any terrorist who has more than a third grade education would not rely on the screen lock to protect his or her information. Unlocking the phone is merely the first step in a very complicated mess.
But it all hinges on security vs. convenience. We have seen that even the Paris terrorists chose convenience – using unencrypted phones and unencrypted messaging.
Is someone who is on a Jihad – a mission from God – going to choose convenience or security? So far, it appears that the answer is, for the most part, convenience.
And in the San Bernadino case, we don’t even know if there is anything relevant on the phone. The phone was left at home and belongs to San Bernadino County. It may have zero information on it related to the crime.
This does bring up one more point. Businesses that give employees phones (or, worse yet, allow employees to use their own phones) and then do not have a device management system to manage them may be out of luck when it comes to retrieving data off the phone. Depending on the situation, that may or may not be important, but if it is important, then your company consider that and come up with a plan. Even if you come up with a stupid plan – asking the employee to give you the password – doesn’t stop a nefarious employee from changing it. If the employee died in a car wreck, they cannot give you the password and if they are out to get the company, they could say in all the stress, they forgot the password. Prove that they didn’t.
If the employee is out to get the company, they could change it to a 50 character random password and then, even if Apple were to give the FBI what it wants, we will all be old and gray before that gets hacked.
The story continues to get stranger.
According to Quartz, Apple has agreed to let the Chinese audit any device they sell on the Chinese Mainland. Apple is avoiding answering the question as to what they agreed to let the Chinese do.
Right now, for every 1 iPhone that is sold, there are 9 Android phones sold. If people don’t trust Apple, that ratio could get worse.
What is not clear is what Google is doing. The media might ought to investigate that.
And, of course, there is nothing to stop the terrorist from using encrypted software on the phone so that once the FBI figures out the one password out of 400 trillion to unlock the phone, they would have to start over with each and every application that uses Apple’s security philosophy.
The San Bernadino attackers took great pains to crush two personally owned cell phones and the hard disk from their computer has not been found, so what is the likelihood that there is sensitive information on his work phone and he just forgot about it?
Or use software that comes from Russia or Tehran.