Skeleton Keys.
This is today’s hot story. Let me summarize the problem. A married couple in San Bernardino killed 14 people, seriously injured 22, and were subsequently killed by police in a shootout, and their cell phone was captured. The FBI wants Apple to modify the operating system (iOS 8) on the phone to bypass security features, and Apple refused. The FBI is currently attempting to force Apple to comply through a court order. Apple filed a motion to suppress the order. Just about everyone thinks this case will end up in the Supreme Court, maybe in 2017. Nobody knows how important the contents of the phone might be, but the central issue is whether the government has the power, with a search warrant, to force Apple to create the bypass.
If an older-version Apple cellphone is stolen, hackers can break in using computer equipment that tries millions of passwords. Brute force hacking has been around for decades. The only thing that has really changed is how fast these programs can make trial-and-error iterations, because this information is fed into the device electronically.
In developing security protection, what Apple did not want was a security system that would completely lock out a user who accidentally enters a wrong password multiple times. So, the smart detection system must not inconvenience users while thwarting hackers. Here is how Apple implemented the security system, based on their court filing:
“Cyber-attackers intent on gaining unauthorized access to a device could break a
user-created passcode, if given enough chances to guess and the ability to test
passwords rapidly by automated means. To prevent such “brute-force” attempts to
determine the passcode, iPhones running iOS 8 and higher include a variety of
safeguards. Id. ¶ 10. For one, Apple uses a “large iteration count” to slow attempts to
access an iPhone, ensuring that it would take years to try all combinations of a six character
alphanumeric passcode. Id. ¶ 11. In addition, Apple imposes escalating time
delays after the entry of each invalid passcode. Id. ¶ 12. Finally, Apple also includes a
setting that—if activated—automatically deletes encrypted data after ten consecutive
incorrect attempts to enter the passcode. Id. This combination of security features
protects users from attackers or if, for example, the user loses the device.”
So, the FBI wants Apple to create up to 3 bypasses into the iOS 8 system. The optional automatic deletion of encrypted data is the most interesting, as there must be some safeguards so users don’t accidentally trigger this feature. But, this feature allows the user to access a “sanitized” phone after forgetting a password.
Apple claims that these bypasses are significant code modifications. From their description, I have my doubts. The “if activated” option of automatically sanitizing the phone is triggered after 10 failed attempts. Suppose this is altered to a billion or 100 billion attempts; then the code remains but a parameter is changed. Similarly, embedded in the slowdown feature is a delay factor, which could be set to zero to negate its effect. Or the large iteration count could be reset to some huge number, like a trillion, before it would be triggered. Thus, it isn’t code changes per se, but values or parameters within the code which would be changed.
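To make the three safeguards from the filing concrete, here is a small Python model of them. It is an added example, not Apple's code and not part of the filing: the iteration count, the delay schedule and the simulated clock are assumptions, and only the ten-attempt wipe comes from the quoted text.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed "large iteration count" (illustrative value)
WIPE_AFTER = 10        # from the filing: ten consecutive incorrect attempts
# Assumed escalating lockout in seconds, keyed by consecutive-failure count.
DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


class PasscodeGuard:
    def __init__(self, passcode: str, wipe_enabled: bool = True):
        self.salt = os.urandom(16)
        self.verifier = self._derive(passcode)  # stands in for the protected data key
        self.wipe_enabled = wipe_enabled        # the "if activated" setting
        self.failures = 0
        self.locked_until = 0.0

    def _derive(self, passcode: str) -> bytes:
        # Slow key derivation: every guess pays for ITERATIONS hash rounds.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, ITERATIONS)

    def attempt(self, passcode: str, now: float) -> str:
        """`now` is a simulated clock in seconds, so the model never sleeps."""
        if self.verifier is None:
            return "wiped"
        if now < self.locked_until:
            return "locked"                     # the guess is not evaluated at all
        if hmac.compare_digest(self._derive(passcode), self.verifier):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.wipe_enabled and self.failures >= WIPE_AFTER:
            self.verifier = None                # key material discarded for good
            return "wiped"
        # Failures beyond the ninth keep the longest assumed delay.
        self.locked_until = now + DELAYS.get(min(self.failures, 9), 0)
        return "rejected"


def exhaustive_search_years(alphabet: int, length: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every passcode when only the slow derivation limits guessing."""
    return alphabet ** length * seconds_per_guess / (365.25 * 24 * 3600)
```

With an assumed cost of 80 ms per guess, `exhaustive_search_years(36, 6, 0.08)` comes to about 5.5 years for a six-character passcode of lowercase letters and digits, which is the kind of "years" figure the filing describes.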
All this is interesting, even to people like me, who are decades behind technology. The appropriate analogy is that the Apple phone includes a smart lock, which recognizes someone trying to pick the lock and takes defensive measures.
The government’s case rests on the premise that Apple is the owner of all cell phones it sells, as they are sold under a lease contract to its customers. So, just as an apartment owner must open up a door when police come with a search warrant, Apple has the same responsibilities.
If it takes additional tools to open up the door of an apartment, such as a crowbar, the owner still has responsibility to pry the door open. Apple’s reply is that any bypass code that it created would not only allow access to the captured phone, but to any other Apple phone. However, it is likely that this part of the cellphone operating system which the FBI wants modified is very well protected, so others outside of Apple cannot access it.
Before iOS 8 deterrents, law enforcement agents were benefiting from the ability to open cellphones through brute force methods. This can occur today only when a search warrant has been.
The FBI could lose the case in the Supreme Court, because the “crowbar” analogy doesn’t hold true. The FBI is telling Apple what it wants, but doesn’t really know what bypass procedures Apple would have to write. So, they aren’t saying “break in with a crowbar” but “invent a crowbar so you can break in.” And amazingly, this is where First Amendment rights come in, as the government is demanding that Apple write software.
The security features in the iPhone are like the Volkswagen software which detected when their cars were undergoing emissions testing and took (illegal) defensive measures. Volkswagen got caught when university students were measuring emissions while driving.
If the FBI loses the case, it seems possible that laws could be passed that would force any company selling phones under a lease contract to make the contents of the phone accessible to law enforcement if a search warrant is issued. I know this is likely to raise the ire of civil libertarians, but I think there are ways to ensure privacy and let law enforcement agencies do their job at capturing criminals.
But, this could end up a “cat and mouse” game, where only the amateurs get caught with incriminating cellphone information. The San Bernardino case will put other criminals on high alert that their cellphone can and will be used against them or their cohorts in a court of law. Drug dealers are probably very keen on improving their cellphone security. Ways to quickly sanitize phones in case of arrest and to avoid iCloud backups are likely to be the next “security” precautions.
I don’t know how all this will eventually play out in the Supreme Court. I am kind of hoping that something can be worked out so the FBI can complete its investigation.
Stay tuned,
Dave