Apple v. FBI

Skeleton Keys.

This is today’s hot story.  Let me summarize the problem.  A married couple in San Bernadino killed 14 people, seriously injured 22, and were subsequently killed by police in a shoot out, and their cell phone was captured. The FBI wants Apple to modify the operating system (iOS 8) on the phone to bypass security features, and  Apple refused.  The FBI is currently attempting to force Apple to comply through a court order.  Apple filed a motion to suppress the order.  Just about everyone thinks this case will end up in the Supreme Court maybe in 2017.  Nobody knows how important the contents of the phone might be, but the central issue is whether the government has the power, with a search warrant, to force Apple to create the bypass.

If an  older version Apple cellphone is stolen,  hackers can break in  using computer equipment  which will try millions of passwords. Brute force hacking has been around for decades.  The only thing that has really changed is how fast these programs can make  trial and error iterations because this information is electronically fed into the device.

In developing security protection, what Apple did not want, is to have a security system which would completely lockout the user who accidentally  enters a wrong password, multiple times.   So, the smart detection system must not inconvenience users in thwarting hackers.  So, here is how Apple implemented the security system based on their court filing:

“Cyber-attackers intent on gaining unauthorized access to a device could break a
user-created passcode, if given enough chances to guess and the ability to test
passwords rapidly by automated means. To prevent such “brute-force” attempts to
determine the passcode, iPhones running iOS 8 and higher include a variety of
safeguards. Id. ¶ 10. For one, Apple uses a “large iteration count” to slow attempts to
access an iPhone, ensuring that it would take years to try all combinations of a six character
alphanumeric passcode. Id. ¶ 11. In addition, Apple imposes escalating time
delays after the entry of each invalid passcode. Id. ¶ 12. Finally, Apple also includes a
setting that—if activated—automatically deletes encrypted data after ten consecutive
incorrect attempts to enter the passcode. Id. This combination of security features
protects users from attackers or if, for example, the user loses the device. ”

So, the FBI wants Apple to create up to 3 bypasses into the iOS 8 system. The optional automatic deletion of encrypted data is the most interesting,  as there must be some safeguards so users don’t accidentally  trigger this feature.  But, this feature allows the user to access a “sanitized” phone after forgetting a password.

Apple claims that these bypasses are significant code modifications.  From their description, I have my doubts. The “if activated” option of automatic sanitizing  the phone, is triggered after 10 failed attempts.  Suppose this is altered to a billion or 100 billion attempts, then the code remains but a parameter is changed.  Similarly,  embedded in the slowdown feature is a delay factor,  which could be set to zero to negate its effect. Or the large iteration count, could be reset to some huge number like a trillion, before it would be triggered.   Thus, it isn’t code changes per se, but values or parameters  within the code which would be changed.

All this is interesting, even to people like me, who are decades behind technology.  The appropriate analogy is the Apple phone includes a smart lock, which recognizes someone trying to pick the lock  and takes defensive measures.

The government’s case rests on the premise that Apple is the owner of all cell phones it sells,  as it is sold under a lease contract to its customer.   So, just as an apartment owner must open up a door when police come with a search warrant,  Apple has the same responsibilities.

If it takes additional tools to open up the door of an apartment, such as a crowbar, the owner still has responsibility to pry the door open.  Apple’s reply is  that any bypass code that it  created,  would not only allow access to the captured phone, but to any other Apple phone.  However,  it is likely that this part of the cellphone operating system which the FBI wants modified, is very well protected, so others outside of Apple can not access it.

Before iOS 8 deterrents, law enforcement agents were benefiting from the ability to open cellphones through brute force methods. This can occurs today only under when a search warrant has been.

The FBI could lose the case in the Supreme Court, because the “crow bar” analogy, doesn’t hold true.  The FBI  is telling Apple what it wants, but doesn’t really know what Apple by-pass procedures they have to write.   So, they aren’t saying “break in with a crow bar” but invent a crow bar so you can break in.” And amazingly, this is where First Amendment rights come in, as the government is demanding that Apple writes software.

The security features in the iPhone are like the Volkswagen software which detected when their cars were undergoing emissions testing and took (illegal) defensive measures.  Volkswagen got caught when university students were measuring emissions while driving.

If the FBI loses the case, it seems possible that  laws could be passed that would force  any company selling phones under a lease contract,  to make the contents of the phone accessible to law enforcement if a search warrant is issued.  I know this is likely to raise the ire of civil libertarians, but I think there are ways to ensure privacy and let law enforcement agencies do their job at capturing criminals.

But, this could end up a “cat and mouse” game, where only the amateurs get caught with incriminating cellphone  information.  The San Bernadino case will put other criminals  on high alert that their cellphone can and will be used against them or their cohorts in a court of law.  Drug dealers are probably very keen on improving their cellphone security.   Ways to quickly sanitize phones in case of arrest and  to avoid iCloud backups, are likely to be the next “security” precautions.

I don’t know how all this will eventually play out in the Supreme Court. I am kind of hoping that something can be worked out so the FBI can complete its investigation.

Apple’s Court Filing 

Stay tuned,

Dave

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s