Apple’s dispute with the FBI over providing access to a mass shooter’s smartphone could lead device makers to require stronger passwords in future.
Much of the debate around the issue has suggested that the FBI is asking Apple to break its encryption in order to gain access to the contents of a smartphone used by one of the perpetrators of the December shootings in San Bernardino.
But the case is as much about passwords as it is about encryption. The FBI wants Apple to override a mechanism on the iPhone that could erase the data on the device after 10 failed password attempts. Using a computer program, investigators can try out thousands of passwords until they hit on the one that works, in what’s known as a brute force attack.
If Apple is forced to comply, the agency would be able to crack a four-digit PIN in a matter of minutes, said Robert Graham, owner of security research firm Errata Security.
Regardless of how strong the underlying encryption is, the security protections are only as strong as the password. It’s a clever move by the FBI, which would gain access the phone without tackling the much more challenging task of breaking the encryption.
It’s also a situation Apple might have avoided, by requiring stronger passwords sooner. But users still have the option to use a four-digit passcode that contains only numbers.
A six-digit PIN implemented in iOS 9 could take the FBI about 22 hours to crack, Graham wrote in a blog post. But if phone makers required users to create stronger passwords of six letters, or a combination of numbers and letters, they could take more than 300 years to crack.
Apple is fighting the request because, like many other tech firms, it doesn’t want to be in the business of deciding whether to hand its users’ data over to law enforcement. If smartphone makers require users to implement stronger passwords in future, they will make the FBI’s current strategy much harder.
The FBI’s request for Apple to help break the password protection on the iPhone 5C in question is “relatively straightforward,” said Amit Sethi, senior principal consultant for Cigital, a security-as-a-service vendor.
The 5C doesn’t come with Apple’s Secure Enclave chip-based encryption included with newer models, making it easier to defeat the password security, Sethi said by email.
“In this case, Apple can probably create a modified version of iOS that will only run on that particular device that will allow law enforcement to brute force the PIN/password used to protect the device,” he said. “Even if that version of iOS gets in the wrong hands, it should not be usable on any other devices.”
Without Secure Enclave, Apple could implement the password workaround through a “single firmware update,” added Dan Guido, co-founder of the Trail of Bits security blog.
“In plain English, the FBI wants Apple to create a special version of iOS that only works on the one iPhone they have recovered,” wrote Guido, a veteran security consultant. “The FBI will send Apple the recovered iPhone so that this customized version of iOS never physically leaves the Apple campus.”
Magistrate Judge Sheri Pym originally gave Apple five days from Tuesday to respond to her order, but that deadline may be extended until next Friday. The U.S. Department of Justice weighed in on the case on Friday, filing a brief in support of the FBI’s request.
This fight between Apple and the FBI is shaping up to be a major test case in a year-and-a-half-old argument over whether law enforcement agencies can require device and OS makers to help them defeat encryption and other security measures. Some legal experts predict the case could go all the way to the U.S. Supreme Court.
The judge’s ruling, if it stands, opens the door to law enforcement agencies inside and outside the U.S. demanding technology companies help them break security measures in wide range of scenarios, some unrelated to major police investigations.
The problem with the ruling is “the precedent that this sets,” said Cigital’s Sethi. “Will the U.S. government require Apple to build a backdoor into all Apple devices that takes away this protection and makes all users’ devices less secure?”
The contents of the iPhone used by Syed Rizwan Farook, who killed 14 people in a mass shooting in San Bernardino, California, on Dec. 2, are key to an ongoing terrorism investigation, U.S. Attorney Eileen Decker of the Central District of California said this week.