Experts contend Apple has the technical chops to comply with court order

Possible to subvert iOS to give FBI ability to brute-force the passcode, say security professionals

On a technical level, Apple can comply with the U.S. Federal Bureau of Investigation's (FBI) request for help in accessing an iPhone used by Syed Rizwan Farook, one of the people accused of killing 14 in California two months ago, security experts said Wednesday.

"I believe it is technically feasible for Apple to comply with all of the FBI's requests in this case," said Dan Guido, the co-founder and CEO of Trail of Bits, a New York City-based security firm, in a Wednesday post on his firm's blog. "On the iPhone 5C, the passcode delay and device erasure are implemented in software and Apple can add support for peripheral devices that facilitate PIN code entry."

Essentially, what the FBI has asked Apple to do -- with a federal magistrate's concurrence -- is to make it possible for investigators to brute-force the passcode on the iPhone 5C by subverting iOS's limitations on entering such codes, and by removing the auto-wipe feature, which is triggered when several incorrect passcodes are entered. On Farook's iPhone 5C, which is running iOS 9, each successive incorrect entry enforces a delay until the next can be punched in.

The result: The FBI has been stymied, afraid that entering wrong passcodes -- which must be tapped in by hand -- would take too long and, more importantly, would quickly wipe the iPhone clean.

"In plain English, the FBI wants to ensure that it can make an unlimited number of PIN guesses, that it can make them as fast as the hardware will allow, and that they won't have to pay an intern to hunch over the phone and type PIN codes one at a time for the next 20 years," said Guido.

Guido initially argued that the same request would be moot on newer iPhones -- any model equipped with the Apple-designed A7 SoC (system on a chip), which was first used in 2013's iPhone 5S.

The barrier would be the Secure Enclave (SE), a co-processor fabricated as part of the A7. The Secure Enclave is not accessible to iOS, so any changes Apple might make to its mobile operating system -- the gist of what the FBI's asking Apple to do -- would be worthless.

SE is responsible for processing the fingerprint data acquired by the Touch ID sensor, and also encrypts the device and its contents with a unique key pre-set during manufacturing that is "entangled," or combined, with the device's unique ID (UID) as well as the user-set passcode on the lock screen. Apple does not know or have a record of the key embedded in the Secure Enclave.
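An added sketch, not code from the article or from Apple, of the two protections described above: the escalating delay with auto-erase, and a key derived from both the passcode and a device-unique value. The delay schedule, erase threshold, per-guess cost and the PBKDF2 stand-in are assumptions modelled on Apple's public iOS security documentation; the UID and passcode are constructed sample values.

```python
import hashlib
import hmac

# Assumed values, not from the article (modelled on Apple's public docs).
DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}  # seconds after Nth failure
WIPE_AFTER = 10      # failed attempts before auto-erase, when enabled
GUESS_COST = 0.08    # modelled seconds per on-device key derivation


def derive_key(passcode: str, uid: bytes) -> bytes:
    """Entangle the passcode with a device-unique value (stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, 1_000)


class Device:
    """Toy model of a locked phone; `limits` toggles delay and auto-erase."""

    def __init__(self, passcode: str, uid: bytes, limits: bool = True):
        self.uid, self.limits = uid, limits
        self.key = derive_key(passcode, uid)
        self.failures, self.clock, self.wiped = 0, 0.0, False

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            return False
        self.clock += GUESS_COST
        if hmac.compare_digest(derive_key(guess, self.uid), self.key):
            return True
        self.failures += 1
        if self.limits:
            self.clock += DELAYS.get(self.failures, 0)
            if self.failures >= WIPE_AFTER:
                self.key, self.wiped = b"", True  # key material destroyed
        return False


def exhaust(device: Device, digits: int = 4):
    """Try every PIN in order; return (unlocked, guesses_made, seconds)."""
    for n in range(10 ** digits):
        if device.try_unlock(f"{n:0{digits}d}"):
            return True, n + 1, device.clock
        if device.wiped:
            return False, n + 1, device.clock
    return False, 10 ** digits, device.clock
```

With the limits on, the model stops after ten guesses and roughly 96 minutes of enforced delay; with them off, the only cost left is the per-guess key derivation, which is why the protection is only as strong as the code that enforces it.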

However, in an update to his post, Guido said that it would also be possible to undermine SE, although it would require revisions to not just iOS, but also to the SE firmware.

"Apple can update the SE firmware, it does not require the phone passcode, and it does not wipe user data on update," he said. "Apple can disable the passcode delay and disable auto erase with a firmware update to the SE. After all, Apple has updated the SE with increased delays between passcode attempts and no phones were wiped."

Other security experts agreed with Guido that it was technically possible for Apple to comply, but claimed that on later iPhones, SE made it futile. "On newer phones like the iPhone 6, with Apple's [SE], such an update of the firmware would be impossible," asserted Errata Security on its website. "Updating the firmware to do what the FBI wants would also erase the crypto keys, or at least first require unlocking. If such a trick would work on the newer phones, then Apple has been lying about them."

But while Apple could comply -- the experts agreed that it's technically viable on the iPhone 5C -- the Cupertino, Calif. company clearly does not want to.

Late Tuesday, Apple posted a memorandum by CEO Tim Cook that spelled out his firm's position. "The U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone," Cook said in the open letter.

Cook also argued that the demand was the edge of a slippery slope, that by acceding to the FBI's request, Apple would open Pandora's Box. "The government suggests this tool could only be used once, on one phone. But that's simply not true," Cook contended. "Once created, the technique could be used over and over again, on any number of devices."
