Slashdot Mirror
FBI Unlocks iPhone Without Apple's Help In San Bernadino Case (recode.net)
New submitter A_Mang writes: After asking for a delay last week, today the FBI revealed that a third party has succeeded in unlocking the iPhone used by a shooter in the San Bernadino attack. They've asked the court to vacate their request for an injunction forcing Apple to provide tools for unlocking the phone.
"The government has now successfully accessed the data stored on Farook's iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court's Order," the filing reads. The report doesn't elaborate on how they've gained access, nor does it reveal any of the information stored on the phone. What we do know is that last week the FBI contracted Israeli software provider, Cellebrite, to help break into the phone.
...was there ever any doubt?
Is it fascism yet?
It was an old phone without the secure enclave, they can just say that they probably already closed that hole, particularly if it was the attack of rewriting the flash.
So, how does this now play for Apple, who banked on their phones being secure as a selling point?
This was an iPhone 5c... it lacks Secure Enclave...
The iPhone 5s and newer do not have this problem...
The game does not need to be "upped". The only reason the encryption is so easily crackable is because it only had a 4 digit PIN. If the person had used a 16 character alphanumeric passcode, the encryption would be for all intents and purposes "uncrackable" as even with Apple's assistance, the FBI would never be able to brute-force the lock.
From my understanding the County had an MDM system, and it was managing some settings but that they had not yet started putting an "enterprise" password setting yet. The password change that is in the link you posted was on the iCloud account, not on the phone. They probably just used Apple's automated system and asked it to send the password reset verification to his (work) email, which they already had control of.
That did not solve anything, but rather meant that there was now no way that the phone could be induced to backup to iCloud, where a parent could have produced the data (Apple had already given them older backups that were there). To this point I have not heard anyone in the position to know comment on whether this was a hair-brained scheme by someone who didn't know what they were doing, or a more cynical attempt by the FBI to setup a situation where they could fish for new powers. Generally I would tend to the incompetence explanation (especially since this was very shortly after the event), but the FBI directors sliminess in this episode makes me eye the other possibility more.
Public opinion and some big players were lined up against them. The FBI was expecting everyone to turn on Apple as being unpatriotic when the case came to light. That didn't happen. I think they realized that this would likely end up in the Supreme Court and not go the way they want, barring them from future action. If they weren't able to break into the phone, this at least let's them back out cleanly while neither appearing to back off and not going down the road to the Supreme Court.
It's also possible they found a way into the phone that doesn't generalize, but provides the same way to back out without changing their position.
The history of cryptography has shown that almost any cyrptosystem can be broken with enough time and effort.
The FBI chose to use this case as a pretext to demand that Apple provide them which what is effectively a master key to break into any iphone with negligible time or effort.
Apple's contention was that the master key solution was not warranted and they have been proven correct.
The bold face lie by the FBI wouldn't be for no reason. The discussion around this case has largely been around privacy, encryption and what the government should have access to. But there's a much bigger issue in play that hasn't gotten a lot of coverage.
There's no law that says Apple must provide decryption of the phone. And since they're not in possession of the data (it's on the phone), they're not required to hand it over based on a warrant as they would be under the Telecommunications act. So what to do?
Enter the All Writs Act of 1789. Basically it says courts can issue writs (judicial orders) for anything necessary within their jurisdiction. This is what was being used to order Apple to develop a version of iOS that would not erase the phone no matter how many PINs were typed in, effectively allowing the bypassing of the encryption.
Now the All Wits Act hasn't been used that way historically. And there's a huge question as to whether you can order a company or a person to do work like that for free. Normally decrypting a phone would be a service the government would pay a contractor to do or have an in house capability for. Here there trying to compel an unwilling party to work for them for free.
It's a fair bet that's unconstitutional. (4th amendment). The government has used the All Writs Act a couple times this way in the past few years in relation to mobile devices. It's pretty clear they don't want that shaky legal ground tested in the Supreme Court with public opinion against them.
Everyone knew. it is 5 c. no secure enclave. the wipe is in sw. if you have bootloader hacked or bl certs it is easy. why seemingly nobody on slashdot understands this i cannot nderstand.
world was created 5 seconds before this post as it is.
Nope, they've not been compensated. At least according to the court transcripts:
THE COURT: Look, your language doesn't invoke the All Writs Act, I get that, but in terms of the burden, first, you haven't challenged it and you still haven't explained why not. Second, you provided language for reasons I understand about consistency, but you also did not say anything about burdens beyond the immediate expense.
If you are saying we want to craft language that is going to say here's exactly what we have to do, you require, if I'm not mistaken -- I don't have the language in front of me. Do you require compensation?
MR. ZWILLINGER: No, we've never required compensation.
THE COURT: But you can, and you don't do anything about that.
I mean, the point is well taken that Apple is a pretty darn big company, maybe they don't care so much about the costs of these 70 things in the big picture. It just seems to me that there's a dog that didn't bark here.
MR. ZWILLINGER: I think the way to address this, Your Honor, is the following.
Right now, Apple is aware that customer data is under siege from a variety of different directions. Never has the privacy and security of customer data been as important as it is now. And, in fact, Apple built an operating system which is why we're only talking here about IOS 7 systems, operating systems IOS 8 and IOS 9, that puts Apple in a position where it cannot do this, that is, going forward with 390 percent of the devices involved, Apple cannot perform these services. So, Apple has taken itself out of the middle of being in a position where it can be used as an attack vector or in any way to compromise the security and privacy of customer devices.
So, when the court asks Apple today does the All Writs Act provide authority to force it to do this, Apple says no, it does not, because what we are being forced to do is expert forensic services, we're being forced to become an agent of law enforcement and we cannot be forced to do that with our old devices or with our new devices.
The 390 percent thing is weird, but that's what's in the transcript.
Full Transcript: http://www.scribd.com/doc/296323783/102615-Apple