
On February 16th, Apple received an order from a California court judge to forcefully unlock an iPhone that was used by the culprits involved in the San Bernardino shooting incident.

The Apple device in question, an iPhone 5C, had a screen lock passcode enabled. This security feature automatically encrypts the device data with an encryption key that even Apple itself does not possess. Only the valid passcode can be used to decrypt and recover the device data.

1. What is the FBI’s request to Apple?

The FBI has requested that Apple facilitate the following measures to perform a brute-force attack that would unlock the device:

  • Disable the feature that auto-erases the data following ten invalid passcode attempts.
  • Develop a way to submit the passcode electronically either via physical ports or remotely via WiFi, Bluetooth or other available protocols.
  • Remove the delay between invalid passcode attempts.
  • Provide a signed iPhone software file.


2. Why is bypassing a passcode so hard?

The Apple iPhone operating system uses the following built-in hardening techniques around the passcode:

  • A maximum of ten invalid passcode entries are allowed, after which the device automatically deletes the encryption keys, making data recovery impossible.
  • The passcode entry screen pauses for a while if an invalid passcode is entered.
  • The passcode must be physically entered on the same device.


3. What is the iPhone passcode?

iPhone OS supports four- and six-digit numeric passcodes, as well as arbitrary-length alphanumeric passcodes. The passcode is used to unlock the device and is also used as an encryption key. The FBI cannot extract the data stored in the device without knowledge of the passcode, unless a backdoor is created to bypass the encryption. To mitigate brute-force attacks, there is a delay after every invalid passcode attempt. The delay increases up to an hour for the 9th attempt. After the 10th attempt, the device will erase itself.


4. How does encryption work?

Enabling a passcode on the iPhone encrypts its contents, such as photos and files. Each file’s content is encrypted with a per-file key, which is wrapped with a class key and stored in the file’s metadata, which is in turn encrypted with the file system key. The class key is protected with the hardware unique ID (UID) and the user-entered passcode, so knowing only the user passcode is not enough to decrypt the file contents. The UID key, which is stored separately in the application processor and Secure Enclave during manufacturing, is also needed for decryption. According to Apple, no software or firmware can read it directly. Passcode unlock and data decryption therefore have to be done on the same hardware. More information can be found on Apple’s website.
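
A simplified model of the key hierarchy described above, added here as an illustration (not Apple's code or algorithms): PBKDF2-HMAC-SHA256 and the HMAC-based `wrap`/`unwrap` are stand-ins, all function names are hypothetical, and the file system key layer is omitted. It shows that the wrapped keys open only with the right passcode on the device holding the right UID.

```python
# Simplified model: PBKDF2 and the HMAC-based wrap are stand-ins, not Apple's algorithms.
import hashlib
import hmac
import secrets

def derive_passcode_key(passcode: str, uid_key: bytes) -> bytes:
    """Entangle the passcode with the device UID so neither alone is enough."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid_key, 10_000)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()

def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy authenticated wrap for 32-byte keys: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _pad(kek, nonce)))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong passcode or wrong device")
    return bytes(a ^ b for a, b in zip(ct, _pad(kek, nonce)))

def protect_file_key(passcode: str, uid_key: bytes):
    """Build the chain: per-file key -> class key -> (passcode + UID)."""
    class_key, file_key = secrets.token_bytes(32), secrets.token_bytes(32)
    wrapped_class = wrap(derive_passcode_key(passcode, uid_key), class_key)
    wrapped_file = wrap(class_key, file_key)  # would live in the file's metadata
    return file_key, wrapped_class, wrapped_file

def recover_file_key(passcode, uid_key, wrapped_class, wrapped_file) -> bytes:
    class_key = unwrap(derive_passcode_key(passcode, uid_key), wrapped_class)
    return unwrap(class_key, wrapped_file)

def can_recover(passcode, uid_key, wrapped_class, wrapped_file) -> bool:
    try:
        recover_file_key(passcode, uid_key, wrapped_class, wrapped_file)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    uid_a, uid_b = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed UIDs
    _, wc, wf = protect_file_key("1234", uid_a)
    print(can_recover("1234", uid_a, wc, wf), can_recover("1234", uid_b, wc, wf))
```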


5. What iPhone data has the FBI received so far?

The FBI has already collected the iCloud backup data, everything from iMessages to email drafts. This backup contains data up to October 19th. But on October 19th, those backups stopped, and the last six weeks of activity are only found on the phone itself, which is exactly why the FBI has been so intent on getting the phone unlocked. In theory, another backup could have automatically pulled that data back to iCloud, but a forensic error reset the account, making further retrieval impossible.

Each application on the device may have its own encryption protocol to encrypt its data. It’s not clear whether the FBI will be able to get this information from app developers. Some of the phone-specific information, including location and call detail record (CDR) data, can be collected from the telephone carrier as well.

6. Is there any other way to unlock the iPhone?

Apple built a Mobile Device Management (MDM) protocol into the iPhone’s iOS software. Using MDM software, an IT administrator can remotely remove the passcode from the iPhone. San Bernardino County purchased MobileIron MDM software, but they did not set up the software on Farook’s iPhone.

7. What is Apple’s response?

In a letter to Apple customers, Apple CEO Tim Cook said the following:

We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone. Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession. The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control. We are challenging the FBI’s demands with the deepest respect for American democracy and a love of our country. We believe it would be in the best interest of everyone to step back and consider the implications. While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.

Again on Feb 22nd, Apple CEO Tim Cook sent out a memo to Apple employees. He said the following:

Our country has always been strongest when we come together. We feel the best way forward would be for the government to withdraw its demands under the All Writs Act and, as some in Congress have proposed, form a commission or other panel of experts on intelligence, technology and civil liberties to discuss the implications for law enforcement, national security, privacy and personal freedoms. Apple would gladly participate in such an effort. People trust Apple to keep their data safe, and that data is an increasingly important part of everyone’s lives. You do an incredible job protecting them with the features we design into our products. Thank you.

It appears that the entire tech community is with Apple on this issue. Though the intentions of the FBI are positive, a one-time bypass will create a backdoor that undermines the data security of every iPhone on the planet. It may also give other countries reason to demand similar security bypass tools from Apple. Control over the use of security bypass capabilities is also far from guaranteed. And in the hands of the modern cybercriminal, a backdoor to Apple devices can do more harm in the long run.

Update: The FBI has finally managed to unlock the iPhone without Apple’s help. The FBI did not provide any details about how it got access to the locked iPhone. The FBI has acknowledged that it could not find any useful information on the iPhone.

About the Author: Satish Shetty has more than 20 years of experience working at Microsoft and McAfee on data security and is currently CEO of “Codeproof Technologies”, which specializes in cloud-based enterprise mobile security. Follow him on Twitter @satish_shetty