Slashdot Mirror


Judge Tells Apple To Help FBI Access San Bernardino Shooters' iPhone (engadget.com)

An anonymous reader writes: After a couple shot 14 people in San Bernardino, CA before being killed themselves on December 2nd, the authorities recovered a locked iPhone. Since then, the FBI has complained it is unable to break the device's encryption, in a case that it has implied supports its desire for tech companies to make sure it can always have a way in. Today the Associated Press reports that a US magistrate judge has directed Apple to help the FBI find a way in. According to NBC News, the model in question is an iPhone 5c, but Apple has said that at least as of iOS 8 it does not have a way to bypass the passcode on a locked phone.

16 of 610 comments (clear)

  1. I can see it now... by ZorinLynx · · Score: 5, Insightful

    "Judge orders arsonist to unburn-down house"

    Good luck with that.

    1. Re:I can see it now... by mattventura · · Score: 4, Insightful

      Presumably, the decryption key is stored somewhere on the device, but it in turn is encrypted with the phone's passcode. The security system deletes the key if you enter too many incorrect passcodes, but if they were able to extract the encrypted key from the phone, they could brute force it easily since there's only 10^n codes for a numeric passcode.

    2. Re:I can see it now... by TsuruchiBrian · · Score: 4, Insightful

      You can crack encryption the same way, except instead of taking a few hours with cutting torches, it takes hundreds of billions of years of computer computing clusters working well after the human race is extinct. Neither solution gives the inventor of the security mechanism much more of an advantage.

    3. Re:I can see it now... by basecastula+ · · Score: 4, Insightful

      What more does the FBI want? The suspects are dead. Stop spending money on diminishing returns.

    4. Re:I can see it now... by ShaunC · · Score: 5, Insightful

      Presumably they want info on who they where talking to. If the shooters had accomplices, the FBI wants to know who they are.

      If only we had an agency who is (lawfully or otherwise) intercepting every electronic signal known to mankind, who could be consulted when national security concerns arise...

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    5. Re:I can see it now... by TechyImmigrant · · Score: 4, Insightful

      Isn't this the exact attack that physical anti-tamper is meant to defeat?

      It is one attack model that an anti tamper system might be designed to resist. However it is also an attack model that some systems choose not to defend against in a simple cost/benefit analysis. If the secret on the chip has a commercial cost less that the cost of the attack, then why defend against it? The gear to mount a FIBing attack is millions of dollars. Paying a reverse engineering company is less, but > $10E6. This is related to whether or not your system has BORE properties (Break One, Reuse Everwhere).

      This does not apply here. The perception of the worth of product like a smartphone can be very tied up with perceptions of how secure it is, and being required to pull the rabbit out of the hat by a court and then you actually unlock a phone you claimed you can't unlock, then that might well destroy those perceptions of security and cost a lot in lost sales. So designing it so you can't yourself defeat the security you put in is the only sane option.

      The court order presumes that the auto erase functionality can be bypassed with software to be provided by Apple. This is likely be unbypassable either because the key management system is enforcing the retry limit in hardware or protected firmware, away from the main application code, or the software that does it simply doesn't have a back door.

      The company I work for is in the same position. We can't and won't put in back doors because being found to have lied about the security of the devices would be an existential threat to the company. That doesn't stop people who don't know lying on the internet, claiming we put in back doors, but it's not a rational thing to do.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Where's my tinfoil hat? by ptaff · · Score: 4, Insightful

    I wouldn't be surprised if this was nothing more than a joint PR stunt to mislead people into assuming privacy on their cellphone so they wouldn't be afraid to use it for sensitive information. Government has nothing to win by disclosing they have a backdoor, neither does the cellphone manufacturer. Even thinking lo-fi decryption, how long must the passcode be before brute-forcing gets more inconvenient for the government than for the user?

    1. Re:Where's my tinfoil hat? by TsuruchiBrian · · Score: 5, Insightful

      Apple has nothing to gain (and everything to lose) by actually having a back door. Apple doesn't make money by spying on people.

  3. It's easy Mr Judge by penguinoid · · Score: 4, Insightful

    All you gotta do is put the password here and it opens right up. What's that? You don't know the password? Neither do we.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  4. Re:The deed is done by wickerprints · · Score: 4, Insightful

    It stands to reason that the purpose of trying to decrypt the phone after the event, and after the death of the perpetrators, is to see if there might be any information that might implicate other individuals as accomplices or sympathizers, so that those individuals can be investigated. But if it is not possible for Apple to decrypt the phone, then other avenues of investigation will need to be considered.

    Of course, mathematics being what it is, and lawyers and judges being who they are, it is not the least bit surprising that the latter should be ignorant of the former. It's a unique form of hubris to think that one can somehow circumvent a secure cryptographic system by the mere force of law, as if jurisprudence supersedes mathematical truth.

  5. Re:The deed is done by Lumpy · · Score: 4, Insightful

    Or you know the FBI can look through all the phone records and use their other sources of information. These people had twitter, they know that, they can also easily find their email accounts.

    It's the FBI being whiney.

    --
    Do not look at laser with remaining good eye.
  6. Re:The deed is done by KitFox · · Score: 4, Insightful

    The problem is that cryptography is mathematics and doesn't know the difference between criminals and innocent people.

    It also doesn't know the difference between law enforcement requests to unlock the phone and criminal requests.

    If they can get into a criminal's phone, they can get into anybody's phone. If they can get into anybody's phone, any criminal who gets the key can get into anybody's phone. As to "how likely is it for the criminals to get the keys?"... well, pretty much every system (FBI, DHS, Apple, etc) that could theoretically hold the keys has been breached at some point. Holding that capability also makes a huge target. So "Very Likely", even to the point that when things were previously unlockable, hackers were doing so already.

    Thus it comes down to "Do you want to allow criminals to access your iPhone so that law enforcement can also access a criminal's iPhone?" at that level. And in the event that a smart criminal had an indication that Apple could defeat the encryption and lockout, they'd just store the important data in a place that no company controlled or had access to.

    --

    @Whee

  7. Re:The deed is done by jedidiah · · Score: 4, Insightful

    > Except for the Criminal Rights crowd

    You mean like the Son's of Liberty? THAT "criminal rights" crowd.

    You're such an ignorant moron.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  8. read the Ex Parte DOJ filing for the correct story by supernova87a · · Score: 4, Insightful

    Just so that the debate here is a little more well-informed:

    The government is not asking that Apple give out the user's password, or decrypt the phone, both of which they cannot just do (i.e. are incapable of performing). The request is that Apple produce a piece of iOS software or boot image (as I understand it), that would:
    1) Disable the auto-erase feature
    2) Allow the FBI to brute force submit password guesses to the phone, and
    3) Disable or reduce the increasing-delay-between-guesses feature of the passcode lock.

    I would be curious to know whether for this iPhone 5c (with iOS 9) this is even possible for Apple to do.

    You can see why Apple wanted to get very far away from the business of being in a position to be asked constantly by law enforcement to help decrypt its phones, just for the sheer volume of requests that will be coming if they do....

  9. Re:On-device key useful for secure deletion by bill_mcgonigle · · Score: 4, Insightful

    Apple devices from the iPhone 5s and onward use a "Secure Enclave" which is basically tamper-proof hardware key management.

    This phone in question is the 5c, so Apple might actually be able to attack it. Unfortunately, this will make the judge think any iPhone can be attacked by Apple.

    Although, I'm really not clear under what authority the Judge believes he has the power to compel Apple to do all this work against their business interests. It used to be they'd have to threaten, in secret, to put the CEO in prison to get this kind of cooperation. Now a judge just commands it? #ussa

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. Re: What if Apple cannot access the info? by MachineShedFred · · Score: 4, Insightful

    This is why you pay a team of lawyers to show what extravagant actions were done in order to comply with the court order, and convince the judge.

    You act like a Federal Judge is a fucking moron or something. They may not understand technology, but they aren't stupid by any means.

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.