The Department of Justice has withdrawn its suit against Apple seeking to compel the company to assist it in breaking the encryption of one of an iPhone that had belonged to one of the San Bernardino terrorists. Here’s what ABC News had to say:
Federal officials announced Monday night they successfully cracked into an iPhone belonging to one of the San Bernardino shooters and no longer needed Apple’s help in unlocking the device.
In doing so, authorities succeeded in their goal of breaking into an iPhone used by Syed Farook but did not set any sort of legal precedent that could be used in a future case, making it a sort of lukewarm win for both Apple and federal authorities.
Superficially, that looks like a win-win solution. Both parties got what they said they wanted. The FBI has decrypted the phone. Apple wasn’t forced to help. However, I think this particular outcome is a significant loss for Apple and I’ll try to explain why.
While both parties accomplished their stated objectives they each had unstated objectives which might have been more important to them than the stated objectives. The FBI clearly wanted a test case for compelling a technology company to assist them in this way and it didn’t get it. But that wasn’t something they didn’t already have. Failing to achieve an unstated objective isn’t a loss. It’s just a missed opportunity and there will be other bites at the apple, so to speak, in the future.
But the phone has been decrypted. Now Apple does not know if that feat was accomplished by brute force, whether it employed some exploit in the particular model of that one iPhone, or if it exploited some more general flaw. If it employed an exploit in that particular model, it reveals that Apple was lying in its claim that assisting the FBI could put all smartphones at risk. If decrypting the iPhone exploited a more general flaw that Apple doesn’t know about, Apple’s worst fears will be realized, all smartphones are at risk, and Apple’s marketing strategy is in a shambles.
The company’s reputation has been injured. Either for probity or technical superiority or both. In other words Apple no longer has something it used to possess. It should have helped decrypt the iPhone.
No question: Apple lost this round badly. They come off as self-righteous, unpatriotic, indifferent to the nefarious uses of their products, and then they have their entire marketing approach utterly annihilated.
“How”
Indeed. Just so.
…
I have to say, even if Snowden weren’t out there stating that the NSA can already do this, I have to believe that the NSA can already do this. Whether or not they want to share that with the FBI, or risk the procedure being outed in a court case, is another matter. (Is that the kind of thing that can be exposed in legal proceedings?) But I find it hard to believe that Apple would have encryption beyond the capabilities of the NSA to decode. Or have they found some insanely large (by the standards of mathematicians, that it) primes that no one else knows about?
For what it’s worth, my kid’s take:
“Everyone already knew iPhones could be hacked, it’s just a very difficult and tedious process. Basically they take an image of the NAND flash memory before trying any passcodes, quickly do five attempts, then carefully swap out that NAND chip with a newly flashed one before the phone can reboot. It’s tough and takes ages, but it can be done. It’s been known for ages.
The win for Apple is twofold – they don’t have to fight this in court, and under Obama admin responsible disclosure laws, they have to tell Apple how they did the hack.”
Yeah, that’s what Darrell Issa said. It’s what I referred to as the “brute force” method.
Anytime you have physical control of a device, you can hack it. @michael reynolds’ son described the process, but they should have more sophisticated equipment to speed up the process. It is a vulnerability of the physical world. Any door can be opened, and any lock can be picked.
This is why you do not allow your secure machines onto an unsecure network, and you keep them locked behind sturdy doors. (no Hillary comments)
(By the way, your physical lock may not be as secure as you think.)
The speed with which the iPhone was unlocked suggests that they didn’t use brute force or else they were very, very lucky.
I don’t really think it makes Apple look or, necessarily like they were lying. Given the amount of time it took it was clearly somewhat difficult. Personally, I would have just given the phone to a couple of 15 y/o’s and told them that the best ever pics of naked women were in there and let them figure out how to get in. Figure it take 2-3 days tops and done of basically free.
Steve
A lot of the advertized brute force strength can be eliminated by using psychology. Most passwords are not totally random, and they may not be based upon the entire allowed character set.
I suspect they were able to virtualize it, and it is really a hardware issue. At some point in the process, a certain set of memory addresses and logic circuits will be in a certain configuration. Clone it, and keep repeating it. (Like saving right before a certain point, and you can repeatedly retry a move without restarting the entire sequence.)
It could even be that they are capturing the hashing portion. In the hardware, it is all just 0’s & 1’s, and contrary to what many software developers believe, binary does not work the same as decimal.