
Apple will oppose court order rather than hack customers

Discussion in 'Apple, Linux & Unix Security Alerts/News' started by Rich M, Feb 20, 2016.

  1. Rich M

    Rich M Guest

    Joined:
    Dec 24, 2013
    Messages:
    4,580
    Location:
    NE Pa USA
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    MSI Z97 PC Mate LGA 1150 Intel Z97
    CPU:
    Intel i7 4790K 4.0Ghz
    Memory:
    Corsair Vengeance 16GB (2x8GB) DDR3 2133
    Hard Drive:
    Crucial 256 Gb SSD+ WD Raptor 300 Gb Sata III
    Graphics Card:
    Radeon R9 280 2GB HDMI
    Power Supply:
    Seasonic 750 watt
    Tim Cook says Apple will oppose court order rather than hack customers

    Credit: Blair Hanley Frank
    A court in California ordered Apple to assist the FBI to crack an iPhone seized from one of the terrorists in the San Bernardino attack

    • By John Ribeiro

      IDG News Service | Feb 17, 2016

      Apple's CEO Tim Cook has reacted sharply to a federal court order in the U.S. that would require the company to help the FBI search the contents of an iPhone 5c seized from Syed Rizwan Farook, one of the terrorists in the San Bernardino, California, attack on Dec. 2.

      The U.S. government "has demanded that Apple take an unprecedented step which threatens the security of our customers," Cook wrote in an open letter to customers posted on Apple's website on Wednesday. He added that the moment called for a public discussion and he wanted customers and people around the country "to understand what is at stake."


      The tech industry has been increasingly using encryption in its products and services. The move has been criticized by U.S. government officials, including FBI Director James Comey, who say that it makes it more difficult for them to track terrorists who take cover under the encryption. The industry has taken the stand that encryption protects individual privacy and it opposes any mandatory backdoors.

      After the government told the court they were stymied by an auto-erasure feature in the iPhone that could erase data after 10 unsuccessful tries to crack the iPhone passcode, U.S. Magistrate Judge Sheri Pym of the U.S. District Court for the Central District of California on Tuesday ordered Apple to offer its technical assistance, including if required by providing signed software, to bypass or disable the auto-erase function whether or not it has been turned on in the device. That would enable FBI investigators to try different combinations to break the passcode and get to the data.

      "Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ( "SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory ( "RAM") and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory," Judge Pym added in her order. "The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE."

      The government is asking Apple to build a backdoor to the iPhone, said Cook who added that what the government was asking it to provide was something that the company did not have and also considered too dangerous to create.

      "Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation," Cook said. "In the wrong hands, this software -- which does not exist today -- would have the potential to unlock any iPhone in someone’s physical possession."

      Apple has five business days to appeal against the order on grounds that it would be unreasonably burdensome for it to follow the ruling. The government has argued that the phone used by Farook runs iOS 9 and the company has the ability to assist the government despite its claims that it has written the software differently in the newer versions of the software, it added.

      Although it has helped the government in some cases, the company has recently fought against helping the government to unlock phones, when asked to under instructions under the All Writs Act. A similar case is pending in a New York federal court where the government wants to access the passcode-protected phone of a defendant in a criminal suit.

      John Ribeiro — Bangalore Correspondent

      Follow John on Twitter at @Johnribeiro or email at john_ribeiro@idg.com
      https://www.helpnetsecurity.com/2016/02/19/irs-warns-of-400-percent-surge-in-tax-related-phishing-emails/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+(Help+Net+Security)
     
  2. Kenny94

    Kenny94 Registered Members

    Joined:
    Jan 21, 2016
    Messages:
    417
    Location:
    SC
    Operating System:
    OS X
    Computer Brand or Motherboard:
    iPad Air, HP Chromebook and Compaq laptop with xp
    Another good read on this

    UPGRADE YOUR IPHONE PASSCODE TO DEFEAT THE FBI’S BACKDOOR STRATEGY

    YESTERDAY, APPLE CEO TIM COOK published an open letter opposing a court order to build the FBI a “backdoor” for the iPhone.

    Cook wrote that the backdoor, which removes limitations on how often an attacker can incorrectly guess an iPhone passcode, would set a dangerous precedent and “would have the potential to unlock any iPhone in someone’s physical possession,” even though in this instance, the FBI is seeking to unlock a single iPhone belonging to one of the killers in a 14-victim mass shooting spree in San Bernardino, California, in December.

    It’s true that ordering Apple to develop the backdoor will fundamentally undermine iPhone security, as Cook and other digital security advocates have argued. But it’s possible for individual iPhone users to protect themselves from government snooping by setting strong passcodes on their phones — passcodes the FBI would not be able to unlock even if it gets its iPhone backdoor.

    The technical details of how the iPhone encrypts data, and how the FBI might circumvent this protection, are complex and convoluted, and are being thoroughly explored elsewhere on the internet. What I’m going to focus on here is how ordinary iPhone users can protect themselves.

    The short version: If you’re worried about governments trying to access your phone, set your iPhone up with a random, 11-digit numeric passcode. What follows is an explanation of why that will protect you and how to actually do it.

    If it sounds outlandish to worry about government agents trying to crack into your phone, consider that when you travel internationally, agents at the airport or other border crossings can seize, search, and temporarily retain your digital devices — even without any grounds for suspicion. And while a local police officer can’t search your iPhone without a warrant, cops have used their own digital devices to get search warrants within 15 minutes, as a Supreme Court opinion recently noted.

    The most obvious way to try and crack into your iPhone, and what the FBI is trying to do in the San Bernardino case, is to simply run through every possible passcode until the correct one is discovered and the phone is unlocked. This is known as a “brute force” attack.

    For example, let’s say you set a six-digit passcode on your iPhone. There are 10 possibilities for each digit in a numbers-based passcode, and so there are 10^6, or 1 million, possible combinations for a six-digit passcode as a whole. It is trivial for a computer to generate all of these possible codes. The difficulty comes in trying to test them.

    One obstacle to testing all possible passcodes is that the iPhone intentionally slows down after you guess wrong a few times. An attacker can try four incorrect passcodes before she’s forced to wait one minute. If she continues to guess wrong, the time delay increases to five minutes, 15 minutes, and finally one hour. There’s even a setting to erase all data on the iPhone after 10 wrong guesses.

    This is where the FBI’s requested backdoor comes into play. The FBI is demanding that Apple create a special version of the iPhone’s operating system, iOS, that removes the time delays and ignores the data erasure setting. The FBI could install this malicious software on the San Bernardino killer’s iPhone, brute force the passcode, unlock the phone, and access all of its data. And that process could hypothetically be repeated on anyone else’s iPhone.

    (There’s also speculation that the government could make Apple alter the operation of a piece of iPhone hardware known as the Secure Enclave; for the purposes of this article, I assume the protections offered by this hardware, which would slow an attacker down even more, are not in place.)

    Even if the FBI gets its way and can clear away iPhone safeguards against passcode guessing, it faces another obstacle, one that should help keep it from cracking passcodes of, say, 11 digits: It can only test potential passcodes for your iPhone using the iPhone itself; the FBI can’t use a supercomputer or a cluster of iPhones to speed up the guessing process. That’s because iPhone models, at least as far back as May 2012, have come with a Unique ID (UID) embedded in the device hardware. Each iPhone has a different UID fused to the phone, and, by design, no one can read it and copy it to another computer. The iPhone can only be unlocked when the owner’s passcode is combined with the UID to derive an encryption key.

    So the FBI is stuck using your iPhone to test passcodes. And it turns out that your iPhone is kind of slow at that: iPhones intentionally encrypt data in such a way that they must spend about 80 milliseconds doing the math needed to test a passcode, according to Apple. That limits them to testing 12.5 passcode guesses per second, which means that guessing a six-digit passcode would take, at most, just over 22 hours.

    You can calculate the time for that task simply by dividing the 1 million possible six-digit passcodes by 12.5 per second. That’s 80,000 seconds, or 1,333 minutes, or 22 hours. But the attacker doesn’t have to try each passcode; she can stop when she finds one that successfully unlocks the device. On average, it will only take 11 hours for that to happen.

    But the FBI would be happy to spend mere hours cracking your iPhone. What if you use a longer passcode? Here’s how long the FBI would need:

    • seven-digit passcodes will take up to 9.2 days, and on average 4.6 days, to crack
    • eight-digit passcodes will take up to three months, and on average 46 days, to crack
    • nine-digit passcodes will take up to 2.5 years, and on average 1.2 years, to crack
    • 10-digit passcodes will take up to 25 years, and on average 12.6 years, to crack
    • 11-digit passcodes will take up to 253 years, and on average 127 years, to crack
    • 12-digit passcodes will take up to 2,536 years, and on average 1,268 years, to crack
    • 13-digit passcodes will take up to 25,367 years, and on average 12,683 years, to crack
    It’s important to note that these estimates only apply to truly random passcodes. If you choose a passcode by stringing together dates, phone numbers, social security numbers, or anything else that’s at all predictable, the attacker might try guessing those first, and might crack your 11-digit passcode in a very short amount of time. So make sure your passcode is random, even if this means it takes extra time to memorize it. (Memorizing that many digits might seem daunting, but if you’re older than, say, 29, there was probably a time when you memorized several phone numbers that you dialed on a regular basis.)

    Nerd tip: If you’re using a Mac or Linux, you can securely generate a random 11-digit passcode by opening the Terminal app and typing this command:

    python -c 'from random import SystemRandom as r; print("%011d" % r().randint(0,10**11-1))'

    It’s also important to note that we’re assuming the FBI, or some other government agency, has not found a flaw in Apple’s security architecture that would allow them to test passcodes on their own computers or at a rate faster than 80 milliseconds per passcode.

    Once you’ve created a new 11-digit passcode, you can start using it by opening the Settings app, selecting “Touch ID & Passcode,” and entering your old passcode if prompted. Then, if you have an existing passcode, select “Change passcode” and enter your old passcode. If you do not have an existing passcode, and are setting one for the first time, click “Turn passcode on.”

    Then, in all cases, click “Passcode options,” select “Custom numeric code,” and then enter your new passcode.

    Here are a few final tips to make this long-passcode thing work better:

    • Within the “Touch ID & Passcode” settings screen, make sure to turn on the Erase Data setting to erase all data on your iPhone after 10 failed passcode attempts.
    • Make sure you don’t forget your passcode, or you’ll lose access to all of the data on your iPhone.
    • Don’t use Touch ID to unlock your phone. Your attacker doesn’t need to guess your passcode if she can push your finger onto the home button to unlock it instead. (At least one court has ruled that while the police cannot compel you to disclose your passcode, they can compel you to use your fingerprint to unlock your smartphone.)
    • Don’t use iCloud backups. Your attacker doesn’t need to guess your passcode if she can get a copy of all the same data from Apple’s server, where it’s no longer protected by your passcode.
    • Do make local backups to your computer using iTunes, especially if you are worried about forgetting your iPhone passcode. You can encrypt the backups, too.
    By choosing a strong passcode, the FBI shouldn’t be able to unlock your encrypted phone, even if it installs a backdoored version of iOS on it. Not unless it has hundreds of years to spare.

    https://theintercept.com/2016/02/18/passcodes-that-can-defeat-fbi-ios-backdoor/
     
    donetao likes this.
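
Added example (not part of the quoted article or of any forum post): a small Python passcode audit that reproduces the article's timing table from its 80-millisecond figure and applies its warning that the estimates hold only for truly random passcodes. The function names, the 365-day year, the date layouts and the "predictable" heuristics are assumptions made for this illustration.

```python
import secrets
from datetime import datetime

GUESSES_PER_SECOND = 12.5        # one guess per 80 ms, the on-device rate cited in the article
YEAR = 365 * 24 * 3600           # 365-day year, which reproduces the article's table
DATE_FORMATS = ("%Y%m%d", "%m%d%Y", "%d%m%Y")   # assumed set of date layouts to check

def crack_time_seconds(digits):
    """(worst case, average) seconds to search all random numeric passcodes."""
    worst = 10 ** digits / GUESSES_PER_SECOND
    return worst, worst / 2

def random_passcode(digits=11):
    """Uniformly random passcode from the OS CSPRNG; leading zeros are kept."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def contains_date(code):
    """True if any 8-digit window parses as a calendar date in 1900-2099."""
    for i in range(len(code) - 7):
        for fmt in DATE_FORMATS:
            try:
                year = datetime.strptime(code[i:i + 8], fmt).year
            except ValueError:
                continue
            if 1900 <= year <= 2099:
                return True
    return False

def predictable_reasons(code):
    """Heuristic, non-exhaustive reasons a passcode is not effectively random."""
    reasons = []
    if len(set(code)) <= 2:
        reasons.append("at most two distinct digits")
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")
    if contains_date(code):
        reasons.append("embedded date")
    return reasons

if __name__ == "__main__":
    for n in range(6, 14):
        worst, avg = crack_time_seconds(n)
        print(f"{n:2d} digits: up to {worst / YEAR:12,.2f} years, average {avg / YEAR:12,.2f}")
    # Constructed sample passcodes, plus one freshly generated.
    for code in ("12345678901", "19840612555", random_passcode()):
        print(code, predictable_reasons(code) or "no obvious structure")
```

A passcode that trips any of these checks should be treated as far weaker than its length suggests, whatever the table says for that digit count.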
  3. Kenny94

    Kenny94 Registered Members

    Appears the FBI wants the backdoor info more than the iPhone itself.
     
  4. IceMan37

    IceMan37 Banned

    Joined:
    Apr 24, 2014
    Messages:
    1,079
    Operating System:
    Windows 10
    Computer Brand or Motherboard:
    MSI Z87M-G43
    CPU:
    I5 4690k @ 4.6
    Memory:
    16GB Hyper X 1866
    Hard Drive:
    1TB WD_Blue | 240Gb Sandosk SSD
    Graphics Card:
    eVGA GTX 970 FTW
    Power Supply:
    750W Tt
    I could see Apple actually switching from an American-based company to something else over this.
     
  5. Rich M

    Rich M Guest

    It would not take much. The business climate for large companies is not great here, though change may well be in the wind, and Apple is basically right here. If the FBI wants help with one phone, that's fine, but building in a backdoor to every phone is not in everyone's best interest.
     
  6. Kenny94

    Kenny94 Registered Members

    I agree, Rich! The FBI knows Android phones are open source, but iPhones are not. The Gov wants access to the source code of Apple's mobile operating system. Apple and Facebook, to name a few, give the Gov a lot of information! But they want the keys to the door with Apple.
     
  7. tecknomage

    tecknomage Registered Members

    Joined:
    Jun 12, 2012
    Messages:
    140
    Location:
    San Diego, CA USA
    Operating System:
    Windows 7
    Computer Brand or Motherboard:
    Gigabyte Z97X-UD5H
    CPU:
    Intel(R) Core(TM) i5-4690 CPU @ 3.50GHz
    Memory:
    8gb
    Hard Drive:
    4tb
    Graphics Card:
    NVIDIA Corporation GK104 [GeForce GTX 770] 1990mb memory
    Power Supply:
    750w
    So Apple is above the law? Supports ways for criminals and terrorists to hide from justice?

    Privacy does NOT trump law. There is no Constitutional Right to hide criminal activities :grr:

    LEOs, in hot pursuit of a criminal, can legally enter any home they see a criminal enter. A warrant is only needed to search the home once entered while in hot pursuit. But in this case there IS a warrant and Apple says no?

    Apple is guilty of Obstruction of Justice :angry-1:
     
    donetao likes this.
  8. Kenny94

    Kenny94 Registered Members

    https://www.apple.com/customer-letter/answers/
     
  9. Rich M

    Rich M Guest

    It is a dangerous precedent. Cracking one phone from someone in the San Bernardino massacre should be done, but using it as an excuse to open backdoors to everyone's iPhone, no, that is above and beyond.
     
