February 18th, 2016

Wired Explains the Current Security Controversy Involving Apple


The government is apparently _NOT_ asking Apple to unlock the phone. The government already has access to some of what was on the phone, due to iCloud backups. However, iCloud backups were turned off a month before the shooting, so their thinking is that there is more to be found here.

The phone is a 5C running iOS 9. It has a password lock. The "auto erase" feature -- which is believed to be turned on on this phone -- will brick the phone permanently if you fail 10 guesses. There are also delays after each failed password attempt. "the government wants to try bruteforcing the password without having the system auto-erase the decryption key and without additional time delays." To accomplish this goal, the government wants a tool that will bypass the protections and allow the password to be entered electronically, rather than manually. This is believed to be definitely possible, but Apple is reluctant to be in the position of hacking its own customers. This particular hack would not work on later phone models -- however, Apple could probably create similar hacks that would work on later phone models. And it does set a pretty dodgy precedent: essentially, an after-the-fact back door would be created.

All is not lost for the end user. If you create a strong/long alphanumeric password, even with this tool (which does not yet exist), it could take years to break in. And Apple may make further changes to make this less possible.
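The arithmetic behind that claim, as an added example that is not part of the Wired article or the original post. It assumes each guess costs about 80 ms (the figure Apple's iOS security documentation gives for the hardware-bound key derivation); the policy list and function names are illustrative.

```python
from dataclasses import dataclass

# Assumption (not from the page): each guess costs about 80 ms because the
# passcode is run through a hardware-bound key derivation on the device.
SECONDS_PER_GUESS = 0.08
ERASE_LIMIT = 10  # from the page: auto-erase triggers after 10 failed guesses
YEAR = 365.25 * 24 * 3600

@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: int  # number of distinct symbols allowed
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet ** self.length

def guard_on_success_chance(p: Policy) -> float:
    """Chance of a correct guess before auto-erase destroys the key."""
    return min(1.0, ERASE_LIMIT / p.keyspace)

def guard_off_worst_case_seconds(p: Policy) -> float:
    """Time to try every passcode when only the per-guess cost remains."""
    return p.keyspace * SECONDS_PER_GUESS

def min_length_for(alphabet: int, target_years: float) -> int:
    """Shortest passcode whose full search exceeds target_years, guard off."""
    length = 1
    while guard_off_worst_case_seconds(Policy("", alphabet, length)) < target_years * YEAR:
        length += 1
    return length

# Constructed sample policies for comparison.
POLICIES = [
    Policy("4-digit PIN", 10, 4),
    Policy("6-digit PIN", 10, 6),
    Policy("6-char lowercase+digits", 36, 6),
    Policy("8-char mixed case+digits", 62, 8),
]

if __name__ == "__main__":
    for p in POLICIES:
        secs = guard_off_worst_case_seconds(p)
        print(f"{p.name:26} guard on: {guard_on_success_chance(p):.1e} chance | "
              f"guard off: {secs / 3600:,.1f} h ({secs / YEAR:,.2f} y)")
    print("digits needed for 10 years:", min_length_for(10, 10))
```

With the guard in place a 4-digit PIN survives on the 10-guess limit alone; once the limit and delays are bypassed, only the length and alphabet of the passcode set the cost.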

On the political side, the Wired article has this to say:

"If the controversy over the San Bernardino phone causes Apple to take further steps to close that loophole so that it can’t assist the FBI in this way in the future, it could be seen as excessive obstinance and obstruction by Capitol Hill. And that could be the thing that causes lawmakers to finally step in with federal legislation that prevents Apple and other companies from locking the government out of devices."

I am not inclined to believe that this is a real risk. Too many consumers -- and honestly, ones who aren't even that tech savvy -- are concerned about Bad Actors, including other state-supported hackers, breaking into phones whose security has been compromised to support US law enforcement. Law enforcement has not made a good enough case to support back doors, and the case against back doors (Bad Actors abusing them) is very, very strong.