clock menu more-arrow no yes

Filed under:

Apple is facing its biggest test of iPhone security

New, 149 comments

Apple can comply with the FBI, but should it?

Apple is facing a big test of its commitment to iPhone security this week. A federal judge ordered Apple to assist the FBI with breaking into an iPhone owned by one of the San Bernardino shooters. It's now a high-profile case in the ongoing encryption debate, and Apple has responded by strongly opposing what CEO Tim Cook describes as a "dangerous" backdoor that could allow law enforcement to bypass the security code on an iPhone.

The case at hand centers on the security code on an iPhone 5C. Apple's latest versions of iOS allow an iPhone to completely wipe data after too many incorrect PIN entries, as well as the ability to delay attempts to guess a PIN every time an incorrect PIN entry is detected. Both of these security features prevent the FBI from reliably brute forcing the iPhone 5C by trying to guess the code. It needs help, and it has turned to Apple. Can Apple really help? It certainly looks like it.

Dan Guido, co-founder and CEO of independent information security firm Trail of Bits, believes Apple can comply with the FBI's order. "I believe all of the FBI's requests are technically feasible," writes Guido, in a blog post detailing his knowledge of the iOS platform. The key reason Apple may be able to comply is the fact that this is an iPhone 5C device, and not an iPhone 5S or a more modern iPhone 6 or 6S.

Touch ID is the key to more secure passcode protection

Apple has been gradually improving the security of its iOS software over the years, and pairing software features with advancements in hardware security. Apple's iPhone 5S introduced Touch ID for the first time, and alongside it a special security feature: Secure Enclave. It's a separate piece of hardware that acts as an extra security lock that's paired to a passcode, and it will slow down attempts to guess PIN codes. Apple's iPhone 5C does not include Touch ID or a Security Enclave.

The FBI wants to make an unlimited number of PIN guesses on this particular iPhone 5C as fast as it can. Guido argues that, technically (because of the lack of Touch ID and Security Enclave), this could allow Apple to create a special version of iOS to load onto the iPhone 5C and allow the FBI to guess one passcode every 80ms. Apple's objection is that this creates a dangerous backdoor that could allow hackers to bypass iPhone security, despite the FBI request to restrict solely this device. Even if Apple complied, there's no guarantee that the FBI's tools will be able to guess the security code. Apple could also restrict any software it provides to this one device, but it could set a legal precedent for the future.

Has Apple helped in the past?

It's not clear whether Apple has assisted law enforcement officials in a similar scenario in the past. Due to the changing nature of iOS, it's likely that the FBI and others have been able to use software flaws and other tools to gather information from devices. iOS has consistently suffered lock screen security flaws, even in the latest iOS 9 release. Prior to iOS 8, Apple didn't encrypt data like text messages or photos using a passcode. Cryptographer Matthew Green speculates that Apple could have provided a passcode bypass in the past without breaking the passcode-encrypted data, simply because most of the data wasn't secured using the passcode.

Apple can also comply with court orders to supply data from iCloud that would probably satisfy law enforcement officials in most cases, but it's clear the FBI needs something specific from this iPhone 5C. With improved encryption tied to hardware, it's getting increasingly more difficult for Apple to comply with these types of requests, and many in the security community widely believe it's impossible for Apple to comply on devices with Touch ID.

This case could be fundamental to the security of the iPhone

This case may set a precedent for how Apple and others are forced to handle these queries in future FBI investigations, and that's what is clearly troubling Apple. It's not about this single iPhone 5C, but whether Apple should be forced to weaken its encryption and allow law enforcement officials to gather the data they need on modern devices, but at the same time keep all iPhone users secure and protected against malicious attackers. It's a balance that tech companies and government officials around the world are battling over, even as President Obama receives his daily intelligence briefings on an iPad. The results of the battle could be fundamental to the security of your iPhone in the future.