We are closely following the case of Apple battling the US government on unlocking the iPhone of San Bernardino mass murderer Farook who killed 14 in December 2015. In our previous post we looked at what the FBI was asking, and why Apple opposes the motion.

On February 19th, a new document shows up. The “GOVERNMENT’S MOTION TO COMPEL APPLE INC. TO COMPLY WITH THIS COURT’S FEBRUARY 16, 2016 ORDER COMPELLING ASSISTANCE IN SEARCH; EXHIBIT”. In this document (which is a highly recommended reading by the way), government attorneys summarize several important points and reply to the many Apple’s and public concerns raised after the original court order. So what do we know today about this case that we didn’t know last week?

The Passcode Is Numeric

The government states that the iPhone 5C in question is protected with a numeric password (see the above motion, p.5/13). This, in turn, means that all possible combinations can be enumerated in about 30 minutes (if the passcode consists of 4 digits) or several days (if there were 6 digits).

In other words, Apple could disable the artificial delay that increases the time between unsuccessful entries, as well disable as the provision that may wipe the phone’s data after 10 unsuccessful attempts. The company could then run an attack on the passcode (using either an in-house tool or one of the many existing forensic solutions such as Elcomsoft iOS Forensic Toolkit), and unlock the device in almost no time.

Apple Suggested Making a Cloud Backup

Apple does not want to comply with the court order and physically break into Farook’s iPhone. As an alternative way to obtain information from the device, the company suggested that the FBI connects the device to a charger and leaves it “overnight” in the proximity of a known Wi-Fi network (presumably, the Wi-Fi network of Farook’s employer or one with the same SSID and password).

This strategy would make the iPhone produce a cloud backup, dumping information into iCloud (if running iOS 8) or iCloud Drive (if running iOS 9). This valid advice was based on the following assumptions:

• “Auto Join” Wi-Fi network was enabled in the phone’s settings (a reasonable assumption)
• the device was discovered powered on, and
• it was kept powered on in a Faraday bag (a standard practice in handling wireless-capable devices)
• Wi-Fi was enabled on the device
• the device was unlocked with the correct passcode at least once after booting (otherwise, Wi-Fi passwords remain encrypted, and the device will not attempt to connect to any Wi-Fi network)

If all of the following would be true, and if cloud backups were not explicitly disabled by Farook, the iPhone would make a cloud backup that Apple could hand to the FBI and close the case.
Unfortunately and unexpectedly, there was one final assumption that was not met:

• the user’s Apple ID password is not changed or reset

Apple ID Password Was Reset By “The Government”

After a press-conference handled by Apple, a number of publications appeared stating that “the government” changed Farook’s Apple ID password in an attempt to download data from his iCloud account. This information was followed by the fact that the password was in fact reset by San Bernardino County, who, in turn, tweeted that “The County was working cooperatively with the FBI when it reset the iCloud password at the FBI’s request”.

Was this even necessary, and what are the implications?

First and foremost, the FBI did not need Farook’s Apple ID password in order to obtain data from his iCloud account. Apple routinely hands iCloud backups to law enforcement; the same could be done in this case.

However, changing the Apple ID password effectively removed the possibility of making the iPhone in question produce a cloud backup when connected to a known Wi-Fi network. Even if all the other conditions were met (that is, the phone was discovered powered-on and was kept in that state all the time; it was unlocked at least once before it was found; Auto Join Wi-Fi is enabled for that particular Wi-Fi network, and iCloud backups are not disabled), the device would fail to connect to iCloud even if it did attempt to produce a backup. Here’s why.

Why Resetting Apple ID Password Was a Wrong Move

Once the user signs in to their Apple account in iPhone Settings, the device saves a binary authentication token. This token is then used to authenticate with Apple services (including iCloud) without requesting the user’s Apple ID password every time the system wants to produce a cloud backup, upload a photo to iCloud Drive or update an app from Apple App Store.

The token is valid for a very long time, and does not expire in just a few days. This authentication technique makes it possible for the system to make cloud backups completely in background without requiring any user input.

Changing Apple ID password instantly invalidates all tokens saved on all devices using that Apple ID. In order to continue using Apple’s cloud services, the user would have to enter their new Apple ID password when prompted. However, as Farook’s iPhone is locked with device passcode, there is no way for the FBI to enter that new password to the device. Effectively, by resetting the Apple ID password, the FBI shut the possibility of making the phone produce a cloud backup.

Back to Apple

With no possibility of making a cloud backup, the FBI goes back to Apple, asking the company to comply with the court order. The government understands the company’s and public concerns raised after the original court order. According to the motion filed on February 19, “After the government served this Court’s Order on Apple, Apple issued a public statement responding directly to the Order. […] In that statement, Apple again did not assert that it lacks the technical capability to execute the Order, that it is not essential to gaining access into the iPhone, or that it would be too time- or labor-intensive. Rather, Apple appears to object based on a combination of: a perceived negative impact on its reputation and marketing strategy were it to provide the ordered assistance to the government, numerous mischaracterizations of the requirements of the Order, and an incorrect understanding of the All Writs Act.”

The government addresses privacy concerns with the following statement: “…contrary to Apple’s recent public statement that the assistance ordered by the Court “could be used over and over again, on any number of devices” and that “[t]he government is asking Apple to hack our own users,” the Order is tailored for and limited to this particular phone. And the Order will facilitate only the FBI’s efforts to search the phone; it does not require Apple to conduct the search or access any content on the phone. Nor is compliance with the Order a threat to other users of Apple products. Apple may maintain custody of the software, destroy it after its purpose under the Order has been served, refuse to disseminate it outside of Apple, and make clear to the world that it does not apply to other devices or users without lawful court orders. As such, compliance with the Order presents no danger for any other phone and is not “the equivalent of a master key, capable of opening hundreds of millions of locks.””

The attorneys state that “Apple is not above the law in that regard, and it is perfectly capable of advising consumers that compliance with a discrete and limited court order founded on probable cause is an obligation of a responsible member of the community. It does not mean the end of privacy. As discussed above, the Order requires Apple to assist only in facilitating proper, legal access based on a finding of probable cause.”

The motion continues:

“…the government is not seeking to “break” Apple’s encryption infrastructure or unlawfully violate the privacy of its customers. Instead, through proper legal process through the Court, the government is seeking to use capabilities that Apple has purposefully retained in a situation where the former user of the phone is dead and no longer has any expectation of privacy in the phone, and the owner of the phone consents both to the search of the phone and to Apple’s assistance thereto.”

The original text can be found at www.justice.gov/usao-cdca/file/826836/download, and is a highly recommended reading for everyone interested in this case.

As usual, we won’t comment on Apple’s or the government’s position or statements. Yet, we encourage you to share your opinion in the comments below.