DOJ Threatens To Seize iOS Source Code

An anonymous reader writes from an article posted on iDownloadBlog: The DoJ is demanding that Apple create a special version of iOS with removed security features that would permit the FBI to run brute-force passcode attempts on the San Bernardino shooter's iPhone 5c. Meanwhile, President Barack Obama has made public where he stands on the Apple vs. FBI case, which has quickly become a heated national debate. In the court papers, DoJ calls Apple's rhetoric in the San Bernardino standoff as "false" and "corrosive" because the Cupertino firm dared suggest that the FBI's court order could lead to a "police state." Footnote Nine of DoJ's filing reads:

"For the reasons discussed above, the FBI cannot itself modify the software on the San Bernardino shooter's iPhone without access to the source code and Apple's private electronic signature. The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."

As Fortune's Philip-Elmer DeWitt rightfully pointed out, that's a classic police threat. "We can do this [the] easy way or the hard way. Give us the little thing we're asking for -- a way to bypass your security software -- or we'll take [the] whole thing: your crown jewels and the royal seal too," DeWitt wrote. "With Apple's source code, the FBI could, in theory, create its own version of iOS with the security features stripped out. Stamped with Apple's electronic signature, the Bureau's versions of iOS could pass for the real thing," he added.

Persuasion is outside of their role

[Tablizer]

It shouldn't be the FBI's job to lobby for or against policies with such wide political implications. It's conflict of interest, and outside of their role as part of the Executive Branch. They are to carry out of the orders of the other branches and formal political process, NOT to make or pressure policy.

They can state their preference on political issues as they relate to crime fighting and prevention, but to aggressively push for a stance or policy is another thing.

Government overreach! Ain't it FUN!

[Chas]

You know that "oppressive government" people are always talking about?

Here's the baby pictures kids!

"We won't abuse it, trust us", Round 74

[Impy+the+Impiuos+Imp]

In the court papers, DoJ calls Apple's rhetoric in the San Bernardino standoff as "false" and "corrosive" because the Cupertino firm dared suggest that the FBI's court order could lead to a "police state."

Of course it could lead to a police state. That's what this is all about, abuse of spying capabilities.

We just found out this week that your giant US-to-foreign email conversations database the NSA shares with you allows warrantless reading of the to: and other fields, not only without a warrant, but without even any tracking and logging .

This is the core of the Constitutional issues the Constitution is supposed to prevent -- people in power having the ability to spy on political opponents, using government powers.

What is to stop, or even notice, a rogue agent working for a politician spying on opponents on their behalf? Nothing, and not even a secret court nor the elected congressmen who are on a national security committee, and are nominally supposed to make sure it isn't abused, can even detect the abuse.

How are we to know this software won't be copied and abused to crack some stolen politician's phone? Of course this assumes you are stuffed looking at who they call, anyway, to feel out their political support networks, the meta info, that itself could be abused, and is warrantless.

Re:A bad as this is...

[tlhIngan]

What's to stop Apple immediately releasing an update which 1. installs new keys, and 2. revokes the keys in possession of the FBI? i.e. before the FBI has enough time to modify and release their own version?

"Install this update NOW before law enforcement gets access to your phone?"

Or am I missing something?

If that's a feasible option, they're probably working on it right now.

The problem is the keys CAN'T be updated. They're burned into real ROM (as opposed to OTP), the reason being the boot ROM will verify a signature using the key it has. If the key was stored in alterable (e.g., flash) memory, then it would be possible to erase the key, program your own and jailbreak your device that way.

Of course, that also means third parties like the government can do so as well to have it run custom bootloaders and OS and not have to go through the process to get Apple's key which is the only way to create code that will run on the SoC.

Of course, I'm not entirely sure if the source code would have the key in it - it's possible after having the final IPSW file, Apple takes it on a USB key to a special Mac and has that Mac sign the IPSW. That Mac is airgapped and everything so to create an OS update requires physically going to the Mac and doing the signing there. For development, Apple most certainly has dev boards that don't require a signed image (it won't help the FBI to have these boards).

I suppose the bigger question is - don't the FBI realize what kind of stink they're making? So they acquire the iOS source code. But that immediately casts a huge shadow over the US's prime industry - IP. Because sooner or later, that iOS source code WILL leak from a hack of the FBI, which means any IP industry in the US (i.e., the only sectors making money - movies, music, books, TV, software, etc) is suddenly threatened - the government can seize your content and while they promise to keep it secure, it won't be (see IRS and other hacks) and it'll be a field day - get your Hollywood new theatrical releases the day of, courtesy of the FBI.

It seems like the FBI wants to win the battle, but lose the war. We used to mock China for their poor IP protection policies and state-sanctioned piracy, but it appears the US is going to do worse. At least the Chinese government protects Chinese IP while disregarding foreign IP.

Anyone who deals with IP should pay a lot of attention to this case - if you can be forced to give up your IP, and you know the entity forcing you can't protect it, well, all the copyrights of the world won't protect you.

Seriously - the level of silliness is getting absurd. Forcing Apple to give up their source code means the content industry and IP industry have a shot across the bow - the government will take what they want. And then hackers will have it too. Way to destroy one of the biggest industries in the US.

Re:After reading this, i started wondering...

[Kardos]

> And seriously, who the hell is gonna hack your mobile phone?

I really hope you're never put in charge of anything important.

Re:After reading this, i started wondering...

[Ultra64]

You know those TSA approved luggage locks? The Washington Post did a story on them, and included pictures of the master keys.

Someone saw this and used the photos to make a functional 3D-printed set of keys. All of those TSA approved locks are useless now.

It is impossible to make a backdoor that only the "good guys" can use. It *will* get leaked, stolen, or cracked.

"Please present your papers"

[surfdaddy]

I remember seeing movies about life in Germany under Hitler. Whether accurate or not, random people were walking on the street and officers would mutter that command to people, and if they didn't have what was wanted - bang! You might disappear. It strikes me that where we're going in the US (land of the free!) is this direction. The government HAS to be able to see ALL of your papers - only they are now electronic records. And there CANNOT be anywhere that you can put things that the government shouldn't be able to get in. I wonder how we justify being able to take a walk of two people in the woods, without the government being able to "know", upon warrant, what was said? Should we also have microphones recording at all times so that *everything* is discoverable? And what about the government that starts bending the rules of court-issued warrants, to Hoovering up of ALL records on the phone, or the internet? "It's all for your protection, and for the children....".

Scary is a good word

[s.petry]

I keep hearing people claim that there is a debate, but that is complete bullshit. The Feds are making demands, and people keep providing the same reasons over and over on why the Feds demands are wrong. There is no debate because the authoritarians in power don't care about right and wrong, or rights beyond their own. (They have them, you don't.)

I personally have no trust that if this went to the Supreme Court there would be a favorable outcome. Remember, Corporations are people, and the Feds can re-distribute _YOUR_ wealth however they see fit.

how the keys work

[supernova87a]

It is amazing to even try to conceive that the ham-handed FBI, with politically appointed leaders (aka morons who have no idea about building hardware/software and who are trained and incentivized to kick doors down, not pick locks) would be remotely qualified to even understand the ramifications of creating/modifying source code, signing it, and pushing it to carefully designed hardware. Much less qualified to execute on that task with a few government programmers, when it took an organization of 100s of people years to develop what is now the iPhone hardware+software encryption infrastructure.

Just for your reference, the reason the encryption keys are so important / secret is that:
-- All recent (>4 year) Apple hardware has built-in encryption-dedicated processing hardware
-- This hardware has firmware burned-in with Apple public encryption keys that validate that any code has come directly from Apple without modification, on startup
-- This key validation structure is designed to ensure that only code signed by Apple's private key can run on the phone
-- Every iPhone has the same public keys burned on it, because that's how public keys work.

So if Apple is forced to give its private keys to the FBI (assuming the remote likelihood they even knew what to do with it), the FBI would have the ability to encrypt and sign software for any of these iPhones. The idea (legal argument-wise or technically) that "this is about one phone" is laughable.

Forcing someone to disclose encryption keys would be a huge violation of the First Amendment. If there is anything that qualifies as speech and knowledge, it is an encryption key / secret. Then on top of this, there is the question of whether the people at Apple who are in charge of the encryption keys (yes, individuals) would even voluntarily turn it over if given such a blatantly unconstitutional order.

I'm sure that even people within the FBI laugh at the notion that they could develop such code without fucking it up, deploy it, and maintain the secrecy of the keys and source code from outsiders.

And final note by the way, this legal filing was written so poorly as to be a joke. It reads like a summer intern wrote the brief after being dictated it by the paralegal to the Assistant US Attorney dashing out of a meeting.

Re:Sadly not viable.

[__aaclcg7560]

That would constitute contempt of court - which is a bad idea.

That didn't stop Microsoft. When the court told Microsoft to remove Internet Explorer from Windows, they did so by leaving Windows in a broken state. The judge was astonished by this response. Microsoft was arguing that Windows and IE were one and the same, and presented the logical conclusion of removing IE. Many years of court litigation later, Microsoft eventually complied. By then, it was a moot decision as the marketplace had moved on to leave Microsoft in the dust.

Re:A bad as this is...

[Sloppy]

If FBI can force Apple to create the custom iOS version and sign it, then it can start asking the courts to force Apple to change the Security Enclave hardware so that it has a backdoor.

They can ask but the precedent wouldn't have anything in common with such a thing, so there wouldn't be any judicial power behind the request. Whose phone (exactly) are you talking about? Because when the FBI goes crawling on their hands and knees to a judge, they're going to need some names, probable cause, and a particular crime.

I'm not saying they don't want this power. (We already gave it to them (in a certain form) 22 years ago with CALEA!) But this campaign doesn't give them any advantage on that one. If anything, it gives advantage to We The People, since this case is helping us to wake up to the obvious fact that it's pretty fucking stupid to have a third party (e.g. Apple, Samsung, Sony, whatever) be in charge of your PC's keys. And once we know that and stop pretending that it's too hard or doesn't matter who is in charge of our PCs, we'll take care of things.

People are worried that the FBI might be empowered to take over your phone?!? You should be worried that YOU AREN'T empowered take over your own phone. You will always be vulnerable to a third party being coerced (and possibly without your knowledge!) until you fix that.