Background.
On February 16, the United States District Court for the Central District of California served Apple, Inc. with an order compelling Apple to assist agents in executing a search warrant. Specifically, the FBI had in its possession an iPhone 5c that had been used by a now-deceased person implicated in the San Bernardino shooting.
The order specifically calls for 1) bypassing the auto-erase function that will delete the contents of an iPhone after a certain number of incorrect passwords are entered; 2) enabling the FBI to electronically submit passcodes to the device; and 3) preventing a delay between entering passcodes - all three of which are intentional design decisions by Apple to prevent a malicious attacker from carrying out precisely the activity the FBI wishes to perform.
This particular case goes a step farther, and this is where it crosses from a reasonable request for assistance to a very dangerous precedent. The order states that Apple is to provide the FBI with a software update for the iPhone, which implements the above-ordered features. The order repeatedly states that the software would only run on the subject device; unlike a physical key, however, software will run on any compatible device. Once the genie is released from the bottle, it cannot be put back.
It's not just one phone.
- Apple's lawyers release list of other iOS devices waiting for backdoors (Steve Ragan)
At present, there are at least 12 iOS devices which the Department of Justice has gone to court to request Apple unlock. As Steve says, "if Apple does as the court demands, the FBI would then go to the courts and force Apple to render reasonable technical assistance from now until such time as Apple goes out of business." In other words, once a court precedent exists, every future phone is fair game.
- If the FBI is successful with Apple backdoor, should you ever update your computer again? (Jacob "MalwareJake" Williams)
Manufacturer updates are trusted by the system, and run with system-level privileges. In other words, a manufacturer update can do absolutely anything the developer wishes to the system - which is why security of, and trust in, update procedures are important. "If the vendor can exploit our machines at will to give a third party access, do you really own the machine? Do you really own the data?"
- On Ribbons and Ribbon Cutters (Jonathan Zdziarski)
The FBI presents this as a case of "cut the ribbon surrounding a device," when in fact they are ordering Apple to invent a forensic ribbon-cutting tool capable of unlocking any iOS device, but promising to only use it on this one iPhone. This is particularly troublesome, because Apple has specifically designed their products so that not even they could break into a customer's device.
It's not just the FBI.
- Louisiana police can't unlock woman's iPhone that could reveal her killer (CBS News)
A 29-year-old woman was shot and killed when she answered her door in Baton Rouge. Police believe that she knew her assailant, and that clues from her locked iPhone could reveal the identity of her killer.
- On Ribbons and Ribbon Cutters (Jonathan Zdziarski)
According to this article, New York City has some 175 iPhones related to cases they are investigating, that they hope to have unlocked.
It's not just the United States.
- What Apple Versus FBI Means for India (The Hindu)
- Everything You Need to Know About the Apple Versus FBI Case (Troy Hunt)
Troy makes the point that the US, UK, Australian, New Zealand, and Canadian governments cooperate with one another, and that any precedent set here by the FBI will be a precedent for the other participating nations. China is watching this case, and could demand the same treatment or ban Apple from selling in China. Likewise with the Russian FSB.
- Apple, Americans, and Security vs. FBI (The Electronic Frontier Foundation)
Some technical background
- iPhone Forensics - A Technical Autopsy of the Apple - FBI Debate (Heather Mahalik, SANS DFIR)
- Down the Security Rabbithole (podcast)
- Fox News interview with David Kennedy (video)
The court order mandates that Apple violate the security of every iOS device by introducing an intentional software vulnerability that could be exploited by law enforcement, oppressive nation states, and malicious hackers alike. - The FBI wants to roll back safeguards that keep us a step ahead of criminals (Craig Federighi, VP of software engineering at Apple)
Statements from the key players
I personally feel upholding this demand sets a dangerous precedent - as Apple CEO Tim Cook stated, the tool the FBI is asking for is one Apple believes too dangerous to create - but it's not my choice to make.
In the end, this will almost certainly be decided in the Supreme Court (and potentially Congress). My hope is that those ultimately making the decisions recognize that it's not just one phone, it's not just the FBI, and it's not just the United States. Upholding a mandate that a US-based company intentionally weaken the security of its customers is a slippery slope, one that weakens the security and privacy of people worldwide, and one that may encourage similar arrangements in other countries.
One final thought: think for a moment about where your iPhone, or Samsung Galaxy, or [insert favorite brand here] is manufactured. It's not in the United States. Let that sink in for a bit.
Updated March 28:
The Department of Justice today dropped the case after they were able to break into the iPhone through an undisclosed method.
What does this mean for you? If the government could break in, so could a hacker. The phone was secured by a 4-digit PIN, so the government needed only a way to get around Apple's password attempt limit, and then could crack the code very quickly. Protect yourself from a malicious hacker by using an alphanumeric passphrase for your device lockscreen.