DOJ To Court: We Got Into The iPhone, So Please Drop Our Demand To Force Apple To Help Us... This Time
from the moving-on dept
So it appears that the mainstage event over the DOJ's ability to force Apple to help it get around the security features of an iPhone is ending with a whimper, rather than a bang. The DOJ has just filed an early status report saying basically that it got into Syed Farook's work iPhone and it no longer needs the court to order Apple to help it comply by writing a modified version of iOS that disables security features.
"The government has now successfully accessed the data stored on Farook's iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court's Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016."
There's also an associated one line proposed order that magistrate Judge Sheri Pym will almost certainly sign off on shortly.
And thus... the big showdown between the tech industry and the Justice Department goes nowhere. Just a little over a month after the DOJ swore to a court that it had exhausted all possibilities that didn't involve co-opting Apple to hack its own phones, the DOJ is admitting that the FBI has found a way in. Still, this was just one fight in a war that is still ongoing. It seems fairly clear that the DOJ and FBI expected their side of things to get a lot more support, which is why they chose the Syed Farook case to make a big public stand, rather than one of the many other cases where similar issues are at stake.
However, the overall issue is not over. There are still plenty of questions: What method did the DOJ use to get into Farook's iPhone? And what will happen in the other cases involving iPhones or involving other companies such as WhatsApp? And what will happen as Apple and other companies increasingly strengthen their encryption and security, making it more and more difficult for the FBI to get in?
In short, this is far from over. However, in the short term, the DOJ has learned that it isn't easy to win over public opinion on this issue, which suggests that future battles may play out under the cover of a bit more darkness, as the DOJ seeks to seal various filings and orders off from the public. My guess is that perhaps the next big fight will be in revealing what kinds of orders come through under the cover of darkness.
Filed Under: all writs act, doj, encryption, fbi, going dark, iphone, syed farook
Companies: apple
Reader Comments
Hmmm...
Of course, the DOJ might be bullshitting and this is just their 'out'.
[ link to this | view in chronology ]
Re: Hmmm...
I would say, that's a foregone conclusion.
[ link to this | view in chronology ]
Re: Hmmm...
[ link to this | view in chronology ]
Nice security
[ link to this | view in chronology ]
Re: Nice security
Gödel's Incompleteness Theorem, my friend. You can't close all the gaps.
[ link to this | view in chronology ]
Re: Nice security
Note that the twits at the FBI have yet to reveal how it was done, if it was the suggested NAND copy that is a hardware attack. So even if the software was perfect, taking the hardware partially apart while not ruining it provides yet another attack vector.
So, yes their security is such the FBI went to court to try to get a free get out of doing their job card.
[ link to this | view in chronology ]
Re: Re: Nice security
I thought the whole paperwork was based on premise that Apple themselves can't even open the phone since their nice security features prevent it. People were horrified that phones would have backdoors which allowed access to the punter's email messages. Now someone broke their security in 2 weeks using whatever trick necessary. If it was hardware attack, it just means that the data in the storage space wasn't encrypted and you cannot talk about any security whatsoever. If it was software attack, it means they have necessary backdoors or even pin codes that always open the device. But either way, the security just sucks like hell. Maybe it wasn't designed to protect people's email messages?
[ link to this | view in chronology ]
Re: Re: Re: Nice security
Wrong. If I understand the attack correctly then they copied the encrypted data, brute-forced it on a 2nd chip/box and repeated once they got locked out. And you can't do much about that. You can't disable the read function because the user kind of wants to read the messages too.
"If it was software attack, it means they have necessary backdoors or even pin codes that always open the device. But either way, the security just sucks like hell."
Wrong again. Software attacks don't need a backdoor or universal pin to succeed. There's always a way to get into a system via software. Not because the security is bad but because those things are too complex to find all bugs or exploits. Why do you think there is a 0day market?
[ link to this | view in chronology ]
Re: Re: Re: Re: Nice security
Yes, but they had like 2 weeks to do it. No one is going to start looking for 0day stuff to open some phone with 2 weeks schedule.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Nice security
Not sure where you get the 2-week number from? The attacks happened in December. That means the firmware will be at least that old so any 0days could have been around for at least 4 months by now.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Nice security
The two weeks is coming from submission of first paperwork to the court forcing Apple to open the phone. At that point, the phone was not yet opened. Then they managed to open it before submitting the current paperwork. We heard about this story about 2 weeks ago, and now it's already resolved. Assumption is that internet is real-time.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Nice security
[ link to this | view in chronology ]
Re: Re: Re: Nice security
It's long been a fundamental truth in computer security that if someone has access to the hardware then all security bets are off.
[ link to this | view in chronology ]
Re: Re: Re: Re: Nice security
Even if that was true, you still don't need to give keys to the kingdom to anyone who asks for them.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Nice security
Just because the lock on your front door can be bypassed using trivial methods (and it can) doesn't mean you should leave your key under the mat.
[ link to this | view in chronology ]
Re: Re: Nice security
This is also an older iPhone 5C. There's no TouchID. There's no Secure Enclave. This is an older iPhone with iOS9 on it. The security is weaker on this phone than newer iPhones. Every generation Apple is improving the Security of their products. I'm sure after all this, Apple will lock down the phone even more so. Things like no Auto Update an OS without a passcode, even if it's a valid signed OS update. Having Encryption keys still for things on iCloud I see going away also at some point. Keys for the OS went away with iOS8 and newer. Which is how Apple helped in the past but can't now. I'm sure they were tired of breaking into all these phones for the Government and said screw it. We can't do that any more.
[ link to this | view in chronology ]
Re: Nice security
[ link to this | view in chronology ]
Re: Re: Nice security
This is one of the outcomes I suggested would happen in an earlier post. The FBI wants this case to go away before it sets a precedent they don't like. Never mind them losing the public relations battle.
I suggested that the FBI would find another way to break into the phone. That it may or may not work. I also suggested that the phone would be destroyed in the process, maybe by 'accident'. That didn't seem to happen.
Next I would suggest that if the lying FBI really was just wanting to get into this one phone, they would then disclose this vulnerability to Apple. As per president Obama's policy that they should help make the nation's cyber security safer. I won't hold my breath.
As an example of how secret technology gets abused, look no further than a tool like Stingray once it gets into the wrong hands like the FBI. Useful for catching bad guys, yes. But easily and widely abused, also yes. Lying to courts about what it is, how it is used, the scope of what it does, yes.
[ link to this | view in chronology ]
Re:
... and that said action would be dismissed for lack of "ripeness".
Having said that, there's a lot of lawyering on Apple's side, and a lot of amicus briefs, that will get pulled into the next case. Will this get ignored? Not on your life.
Will Apple be able to get from the government a thin red cent of what they paid in court costs (let alone lawyer time)? Not on your life.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
They tried to use a pile of bodies for their own ends and miscalculated the reaction to their doing so. You can be sure that they've learned their lesson from this and will make future attempt under cover of gag orders and sealed legal filings(with the justification being 'National Security' of course) so it doesn't happen again.
[ link to this | view in chronology ]
It's evidence you know...
I bet they even have a hard time convincing anyone that the information they 'gather from the phone' actually came from the phone.
They will claim this fishing expedition has saved how many lives and how soon will that claim be made?
[ link to this | view in chronology ]
Surely the first one has to be 'did the DoJ/FBI actually get into the phone or is this just another crock of shit dreamed up to try to keep the 2 agencies out of the shit and looking like total pricks?'
[ link to this | view in chronology ]
Open source, reproducible builds are the only antidote
[ link to this | view in chronology ]
Re: Open source, reproducible builds are the only antidote
2/3's of the encryption software made is out of the U.S. and U.S. control. It's really pretty dumb and short-sighted to screw U.S. Citizens of their Security and privacy for a very tiny fraction of people!!! Especially when the end result would be weak security for most, expect any Criminal or Terrorist with half a brain to buy any old Android phone and install any number of 3rd party encryption software with no back doors. Talking about some dumb people in Government
We already had this battle with the FBI 20 years ago. Them using the same exact excuses. Wanting to install the Clipper Chip into all hardware to gain backdoor access. What country would want to buy that U.S. hardware???? In the end it was hacked anyway. Congress already passed a law and Apple is protected by that law. How the FBI tried to get around it and this court going along with it?!?!
[ link to this | view in chronology ]
s/wimper/whimper/g
[ link to this | view in chronology ]
Probably a secret court so Apple can't talk about it.
[ link to this | view in chronology ]
Speaking in secret of secret
[ link to this | view in chronology ]
Re: Speaking in secret of secret
But yes, all this secrecy is undermining the illusions that we had that the people had a participatory role in government.
Feel free to strike at them in a way they cannot retaliate. That's what we need right now.
[ link to this | view in chronology ]
Next Time, Insist on Affidavits
[ link to this | view in chronology ]
Re: Next Time, Insist on Affidavits
Courts take statements from law enforcement as sacrosanct. The highest form of evidence. There are numerous cases of videos showing things different from what a cop testified to, and the court concluding that the video must be lying, not the cop.
[ link to this | view in chronology ]
1. The FBI does not have a method to break the iPhone, and this is just a way to get out of an unpopular lawsuit
2. The FBI always had a way to break in, but lied so that they can set a precedent
3. The FBI didn't care what was on the phone, and thus did not try to break in until now
4. The FBI has been completely honest and they really tried everything, not finding a method to break in until they discovered a brand new method just now
I do not know which one is true, but I believe that it is not number 4
[ link to this | view in chronology ]
Re:
Why not? Hanlon's Razor applies perfectly.
[ link to this | view in chronology ]
Not number 4
We had bunches of white-hats saying how they'd break into the phone, and the NSA offered. Even if they didn't the whole point of the DHS is to create bridges by which the FBI could use NSA resources for just this sort of thing.
Now since none of the FBI's efforts have been revealed we don't know what they tried or didn't try (and what they ruled out since it would risk blanking the trusted platform).
But it's hard to believe that they tried or ruled out everything that was put on the table and still couldn't get into the phone. That would be a technical miracle of probability.
[ link to this | view in chronology ]
I'm not sure I could name any other hardware that would take that long to break, given that kind of access. Last time I tried to break a password on a MS-Windows box, it didn't take all of fifteen seconds, or a soldering iron: just a 10-second reboot.
Granted, the FBI comes off as thicker than two bricks, technically speaking--but they've got a lot of money to hire independent contractors.
[ link to this | view in chronology ]
Re:
Yeah, but this company is advertising their amazing security features. If they actually spent _any_ time securing the system, the barrier to entry would be much higher to breaking the security. Would pretty much require brute-forcing the pin code, and simple exponential delay in the user interface would make that impossible.
[ link to this | view in chronology ]
Thankfully the government has played that "but, terrorism" hand to the point that the average person now sees right through it. The DOJ made a huge miscalculation in its public war against Apple. They didn't account for the average person being FUD'd out.
Maybe now we can finally have a coherent discussion about encryption that's based on truth and facts instead of "OMG TERRORIST PEDOPHILES SELLING YOUR CHILDREN CRACK BECAUSE OF ENCRYPTION."
Encryption has been around since the dawn of man and it can't be wished or legislated away. All fighting a technology does is drive innovation, so maybe history will show that this was the time we finally started taking our privacy seriously, and bringing the 4th amendment into the information age where it belongs.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Curious
[ link to this | view in chronology ]
A lose for all geeks
[ link to this | view in chronology ]
Re: A lose for all geeks
Surely those people don't use iOS anyway, do they?
[ link to this | view in chronology ]
Apple security
"iOS supports four-digit and arbitrary-length alphanumeric passcode".
from Apple's iOS security white paper:
https://www.apple.com/la/iphone/business/docs/iOS_Security_May12.pdf
The minimum passcode length is four digits but the default is six digits and probably is the length Farook used on this iPhone. Each attempt requires 80 milliseconds to execute on the iPhone. Yes, it is intentionally slow. If he used just a six digit passcode there are 1 million possibilities which would take (1,000,000 x .08s) or 22 hours to crunch through all possibilities without taking into account extra time needed if the method wasn't just a program supplying attempts directly to the iPhone without interruption. The average time to crack the passcode, given this scenario, is 11 hours. However, if a six character alphanumeric passcode was used, it would take more than two years on average to crack the passcode. So, the level of security seems to now lie with the user's choice of passcode.
[ link to this | view in chronology ]
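The estimate in the comment above, generalised as an added example (not part of the original comment or of Apple's documentation): it computes worst-case and average exhaustive-search time for a passcode policy, and the shortest passcode length that meets a target average. The 80 ms per attempt comes from the comment; the alphabet sizes and the one-year target are assumptions, and lockout delays or auto-erase are not modelled.

```python
# Added example: how passcode policy translates into exhaustive-search time
# when every guess costs a fixed amount of on-device time.

ATTEMPT_SECONDS = 0.08          # per-attempt cost quoted in the comment
YEAR = 365.25 * 24 * 3600       # seconds in a year

# Assumed policies: (label, alphabet size, length)
POLICIES = [
    ("4 digits", 10, 4),
    ("6 digits", 10, 6),
    ("6 chars, lowercase + digits", 36, 6),
    ("6 chars, mixed case + digits", 62, 6),
]


def keyspace(alphabet_size, length):
    """Number of distinct passcodes of exactly this length."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length):
    """Time to try every passcode once."""
    return keyspace(alphabet_size, length) * ATTEMPT_SECONDS


def average_seconds(alphabet_size, length):
    """Half the worst case, the same approximation the comment uses."""
    return worst_case_seconds(alphabet_size, length) / 2


def min_length(alphabet_size, target_average_seconds):
    """Shortest length whose average search time reaches the target."""
    length = 1
    while average_seconds(alphabet_size, length) < target_average_seconds:
        length += 1
    return length


def human(seconds):
    """Format a duration in the largest sensible unit."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 2 * 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / YEAR:.1f} years"


def report():
    """Return (label, worst case, average) for each assumed policy."""
    return [
        (label, human(worst_case_seconds(a, n)), human(average_seconds(a, n)))
        for label, a, n in POLICIES
    ]


if __name__ == "__main__":
    for label, worst, avg in report():
        print(f"{label:30s} worst {worst:>14s}   average {avg:>14s}")
    for name, size in (("digits", 10), ("lowercase + digits", 36)):
        print(f"{name}: length {min_length(size, YEAR)} for a 1-year average")
```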
Re: Apple security
[ link to this | view in chronology ]
Re: Re: Apple security
[ link to this | view in chronology ]
Re: Apple security
[ link to this | view in chronology ]
Re: Re: Apple security
[ link to this | view in chronology ]
Re: Apple security
[ link to this | view in chronology ]
Re: Re: Apple security
[ link to this | view in chronology ]
After all the BS they've been shoveling it's a shame they can just get away with dropping the case instead of Apple getting a ruling that the government can't force a company to compromise their own security.
[ link to this | view in chronology ]
The exploit works on one phone.
But it probably doesn't work for all iPhones.
It was pointed out during this debacle that a 2010 whitepaper demonstrated the hacking of a TPM chip, which is, I think, the sort that is used to protect even latest models.
So the FBI in 2016 should probably be able to crack even new models with long passwords. Though it's expensive (takes a lot of time and resources).
Which is preferable to it being cheap: expensive cracks usually get warrants first. Cheap ones don't.
[ link to this | view in chronology ]
Re: The exploit works on one phone.
It's BS and everyone knows it's BS because it just doesn't work that way. Like the magic golden keys to the front door they want lol.
[ link to this | view in chronology ]
Re: Re: The exploit works on one phone.
Maybe they asked the pin code from the criminal?
[ link to this | view in chronology ]
Re: Re: Re: The exploit works on one phone.
[ link to this | view in chronology ]
Re: Re: Re: Re: The exploit works on one phone.
Agent B: Look, it's moving! C, write this down!
B: One.
C(writing): One.
A: Two.
C: Two.
A: Three.
C: Three.
B: I think he's fighting it, doesn't want to tell us the last digit. Give up dead guy, we'll get it eventually, we splurged and got the Special Edition Ouija board, with extra ghost compelling power!
A: There, that did it, the last digit is coming clear now. And it looks like it's... four.
C: Four.
B: So then, the passcode to the phone is... one, two, three four? What the- that's the kind of password an idiot uses!
(Comey, walking past pokes his head into the room)
Comey: Any luck on the Ouija boa- I mean the super classified technique?
A: ...
B: ...
C: ... sorta?
Comey: Well, what is it?
B: One, two, three, four.
Comey: That's amazing, that's the same password I use for my phone! Quick, tell the boys down at the lab, I've got to tell the boys in legal to drop the case. Also should probably change my password just in case too while I'm at it.
[ link to this | view in chronology ]
Re: Re: The exploit works on one phone.
[ link to this | view in chronology ]
Re: Re: Re: The exploit works on one phone.
It means they found a post-it note with the passcode.
[ link to this | view in chronology ]
But how much does it cost, and how much is it worth to them?
For an "average citizen", private data is likely worth under $1000 to an identity thief, and under $50 to a totalitarian government secret-police organization. And a computer such as the iPad which costs over $1000 to break is probably safe, because nobody will pay the fee.
For a small-time pimp or drug pusher, the government would love to have a $100 key--much more, and they'd pass.
For a high-profile criminal case, the government will pay the $10,000 with glee.
Government officials are especially valuable, for either espionage or blackmail. (Hillary Clinton's emails are probably being privately chortled over in half-a-dozen chancellories around the world. I'm sure they'll start leaking if she's elected.)
For a celebrity, paparazzi might pay $10,000.
For a robber-baron class MBA, competition might pay the money.
But phone theft and identity theft are what matter most to ordinary folk. Apple is plenty good enough today.
And could get better. (They design their own chips: what's to prevent including that vulnerable ROM on the chip with the iPhone CPU, without any kind of external lead, so that you'd HAVE to go through the OS to access it?)
Which is a good thing, because jailbreaking technologies, like all electronics except internet service, keep getting cheaper.
I don't have an Apple phone, and can't imagine ever buying one (I don't like the lack of a visible file system). But the presence of strong security on iPhones makes security better for everyone else. Because it moves the cost/benefit ratio: thieves have to assume the more valuable computers have better security, so that the average Android phone is worth less to break.
[ link to this | view in chronology ]
Re:
If you think outside the Box, use iCloud drive or Dropbox for example and think of them as a file system in a way. You can access those files from one program to another and even from your PC or Mac, or iPad, etc.
You know what you have with file systems you can see. People screwing software up. It can also be a big security issue.
Playing around with my cheap WinBook Windows 8.1, now Windows 10 7" Tablet. Dealing with the file system really SUCKS!!! Windows 10 was an improvement over Windows 8.1 on the tablet, but I still like my iPad 3 much better for a number of reasons. I deal with the file system enough on my Custom Desktop and Laptop at work.
I haven't used CD's in a while on the PC other than to RIP Movies. SD cards or USB Memory sticks. Can't remember the last time I used one. There are new ways of doing things. I started out on a Commodore Vic-20 with a tape drive.
You like file systems, why not toss the GUI also. Hey, go back in time to just MS-DOS. You can get down to the nitty gritty.
I want ease of use these days. I want it to just work. I just spent about 3 days trying to get windows 7 working correctly on a Netbook for the Boss he wanted to take with him to Japan to use. Why?!?! It had a number of Windows issues. Same old crap with Windows and its issues over the years. Trying to figure out what the hell went wrong and how to fix it without having to re-Install Windows. Something I'm sure many would just end up doing.
If I didn't need my PC for some things, I'd go Mac. Something my brother has tried to get me do for the last 20+ years.
[ link to this | view in chronology ]
So file a FOIA to find out what was on the iPhone;
The govt should immediately publish everything on this iPhone.
[ link to this | view in chronology ]
Backdoor
[ link to this | view in chronology ]
Perjury...undermines trust in *ENTIRE* FBI
As a member of the public, I think this should carry serious LEGAL repercussions for the FBI. Defense lawyers, if they demonstrably perjured themselves here, what else did they fabricate from whole cloth????
FBI attorneys should be disbarred and sent to jail for this!
[ link to this | view in chronology ]
Re: Perjury...undermines trust in *ENTIRE* FBI
Prosecutors don't have to charge anyone they prefer not to, and the FBI and various attorneys departments have good reasons to be good friends, and better reasons not to be adversaries.
So they can lie in court all they want.
[ link to this | view in chronology ]
Re: Perjury...undermines trust in *ENTIRE* FBI
...or is breaking the law something that only happens to people who are not agents of the state?
[ link to this | view in chronology ]
At least they didn't win.
Silicon Valley would likely have seen a mass emigration. The effects from that on economy would've been disastrous.
[ link to this | view in chronology ]
The next step
If they don't, then the next guys need to remember to point out that the last time the FBI freaked out over a phone it turned out to be nothing at all.
[ link to this | view in chronology ]
Re: The next step
But trust them, it's totally valuable, and totally worth it, honest. /s
[ link to this | view in chronology ]
YouTube video showed how to do it?
[ link to this | view in chronology ]
Oh, no!
[ link to this | view in chronology ]
Seriously?
1) Apple broke it for the FBI on the condition that the FBI swears Apple didn't.
2) FBI did NOT get in, Apple didn't help them, and they "announced" they broke the security to screw over Apple for not helping them.
What third party would take a 0Day exploit that cracks Apple security at this level and GIVE it to the FBI rather than soak the NSA for a couple of hundred grand instead?
[ link to this | view in chronology ]
he, he!
All they asked for was access to one phone. Apple said, even in their filing, they had done the same prior, so why stop now?
You Microsoft haters, win 10 given to the Chinese, is also called the Chinese version of win 10, it's pictographic, remember Apple has a Chinese version also. But the Apple version is source code of their latest version. China is also friends with one of the biggest spying countries, in the middle East, and another in Europe. Not saying, look it up. Hand in hand.
So, some insfrinces, Android, win10, are as secure as Apple. Just they are consumer friendly. Apple, is the big hat security. Supposedly two weeks to break in? When the codes are known to a third party, is it secure? Not anymore.
My big take off this. If I was the American government, Apple loses its right to sell to the military, and security forces of America. Buy the BlackBerry company, set up as an American company, move it here and issue bb to all of the Americans in security, and replace all government phones with the bb. Apple thinks itself superior make them prove it. They cannot. Bb was mandated by the Saudis to put a backdoor in to be used there. That's how they lost the trust. Apple was asked for a one time program, for one phone, not an OS, so we know there are backdoors, and who are they open to? Just not the US. But who?
[ link to this | view in chronology ]
FBI already had that data
[ link to this | view in chronology ]
It was a budgetary decision.
Thanks everyone for your concern.
The FBI.
(sarc.)
[ link to this | view in chronology ]