A federal court on Feb. 16 ordered technology company Apple to help the Federal Bureau of Investigation gain access to an iPhone used by Syed Farook, one of the shooters in the attack in San Bernardino, California, in December 2015. Apple has resisted the order, saying the phone’s operating system does not have a “back door” to allow access without the user’s password. In an interview with News Bureau physical sciences editor Liz Ahlberg, University of Illinois computer science professor Roy H. Campbell, an expert in data encryption and security, discussed the technical issues involved in the case and why the phone has proved so challenging for investigators.
Why has the FBI not been able to access the data on the iPhone in question? What kinds of security or encryption protocols are they trying to circumvent?
The iPhone data content is stored using encryption. The encryption key is used in combination with a password lock to make it difficult for hackers to steal the encryption key and access the contents of an iPhone. This is a best-practices approach for privacy and security, and is a response to the millions of dollars and information that have been stolen by hackers in recent years. To make the security even more hackerproof, only a few attempts at inputting a password are allowed before the cell phone permanently locks. This permanent lock is what the FBI is trying to work around.
What kind of software would Apple need to create to override these security measures?
Apple says it would need to create a new operating system. Basically, if the iPhone is set up for automatic downloads of updates, it could be given an OS update that allows the FBI to use a common password-cracking program to rapidly enter a large number of passwords. With a password of limited length, the password could be guessed in a short time period, from hours to months.
The documents from Apple seem to suggest that the FBI also wants to be able to enter a password electronically to make the password cracker more efficient. This would allow hackers trying to break into an iPhone easy automation that would also help reduce the time needed.
Would such a tool be able to unlock any iPhone? Is it possible to make a tool to unlock only one specific iPhone, as the FBI claims?
All iPhones of a particular generation are essentially built from identical components, so if it is possible to circumvent the limit on password attempts on one phone, the software could be modified easily to work with any other phone of that generation – perhaps all generations. Password cracking works well on any passwords of limited length and is a classical hacking tool. Entering the password electronically might allow the password to be entered by network, Bluetooth or Apple iPhone connector.
Keeping a hack like this secret is a very difficult problem and Apple feels it is clearly impractical. Hackers can use extremely sophisticated measures – including bribery and corruption – to acquire software code. Foreign governments and crime syndicates can have powerful security IT expertise. In general, this is not a solvable problem. If there is a leak, Apple might be liable for having created the codes in the first place. In addition, whatever Apple provides the U.S. government would need to be made available to foreign governments to prevent possible boycotting of iPhone products.
Why does the FBI need to get into the phone itself? Could they access the data in other ways – phone records, social media and email accounts, iCloud or others?
Yes, they could have. According to Apple, after the FBI acquired the phone, the iCloud backup mechanism for the phone was defeated by changing the iCloud password. Had the FBI not done so, Apple would have access to the backup files for the phone stored on the iCloud, which would have allowed it – and the FBI via warrant – to eventually access most of the data on the phone.
Phones store pictures, documents, encryption keys, calendars, videos, music, books, bank account URLs and account information, and also permit access to banking, social networks and valuable personal information. The phone keeps a log of activities and would possibly have a log of location coordinates. Stolen phone data can be used for theft of money or information, for intimidation, blackmail or many other illegal activities.
Could the agency providing the phone to the user provide contingency access to the phone, should the user not be available? Yes, there is software to do this, but it wasn’t installed on the phone in question.