Feb 23 2016

Apple Faces Daunting Request from FBI to Hack into Its Own Technology

The request, bolstered by a federal court order, is raising questions in the private and public sectors about the roles of encryption technology and national responsibility.

The continuing struggle between tech companies and the government over digital privacy has taken a new turn: On February 17, a federal court ordered Apple to assist the FBI in accessing encrypted data on an iPhone 5C that belonged to one of the two shooters who killed 14 people in San Bernardino, Calif., in December 2015.

Dan Guido, co-founder and CEO of Trail of Bits, a leading IT security research firm, held a press conference to go over the technical challenges that the FBI faces in accessing the private information on the iPhone, and Apple’s potential role in recovering it.

Guido explained in his comments and in a blog post that the FBI is requesting that Apple create a special version of the device’s iOS that would bypass two key security barriers: password entry delays and erasure of the device’s content after a set number of incorrect password attempts.

“If you issue a software update, you eliminate password delay and auto erase,” Guido said in an interview with BizTech. “Then you can query password attempts much quicker, at 80 milliseconds.”

Should National Security Trump User Privacy?

Although being able to enter a password every 80 milliseconds seems lightning fast, it is slow by brute-force attack standards, which often involve hundreds of thousands of password attempts per second, according to Guido.

But iPhones will not accept new firmware without an accompanying valid signature from Apple — hence the FBI’s need for Apple’s assistance in breaking into this device. With a customized iOS pushed onto the device, the FBI can then use brute-force attacks to determine the device’s six-digit passcode.

Guido went on to say that this court order may have implications for security designs of future Apple phones.

“This court order caught Apple flatfooted. They did everything they needed to do to protect against attacks. But they probably didn’t consider that they’d be hacking their own device — the situation Apple now finds itself in,” he said. “This is a vulnerability they may try to address in future updates.”

The importance of security has repeatedly come into conflict with law enforcement’s need for access to data on locked devices. For Apple, as with many tech companies, the ability to maintain the security and privacy of customer data is an essential quality of the company’s products. To that end, Apple is pushing back on the federal court order.

Guido believes Apple will have a difficult time fighting this court order. “This case brings the issue of encryption to a head. Apple has an uphill battle. The FBI has a compelling case for backdooring this phone. But [Apple is] going to attack this order on all fronts.”