What is Apple fighting for: iPhone security, or how the FBI wants to compromise privacy for a billion people


Some have called it the battle for our future: the clash between the world's biggest tech company and the world's biggest government.

But first, some background: on December 2nd, 2015, gunman Syed Farook and his wife, Tashfeen Malik, opened fire, killing 14 people and injuring 22 in a terrorist attack in the town of San Bernardino, California. After the shooting, the couple left in an SUV, only to be found hours later and killed in a shootout with the police. The FBI seized an iPhone 5c running on iOS 9 and locked with a passcode. The Federal Bureau believes that the phone has information vital to the investigation and it is pushing Apple to take unprecedented measures to crack the device.

A federal judge has issued a court order requiring Apple to build a backdoor that would allow the FBI to hack the iPhone of the San Bernardino shooter. Apple says that there are no guarantees that such a backdoor - that currently does not exist - would be used for this case alone and will allow the government to spy on anyone with an iPhone. The company will appeal. While the legal process will likely take months, it's good to know why this is important not just for the personal data of everyone with an iPhone, but for the personal data on any phone, period.

"If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge," Tim Cook said in an open letter to Apple customers explaining the situation.

What Apple is opposing here is Big Brother, in a very real, modern reincarnation.

First, though, let's try to understand why the all-powerful FBI finds it impossible to break into the San Bernardino shooter's iPhone on its own and has gone to the trouble to require Apple's assistance.


iPhone security 101



It's important to know that iPhone security can be roughly divided in two eras: pre-iPhone 5s (aka pre-Touch ID) and post iPhone 5s.

With the introduction of its Touch ID fingerprint scanner, Apple has introduced an overhaul of the iOS system security, making its platform much more secure. Before we dive into the details, we should clarify that the San Bernardino shooter used an iPhone 5c that the FBI now has. It is an old phone from the first, pre-iPhone 5s era of security. However, the FBI finds it impossible to crack even this phone within reasonable amounts of time.

This brings us to the core features of iPhone security.

There are three key protections on iOS that prevent the FBI from breaking into the San Bernardino shooter's iPhone:

  1. iOS may completely wipe the user’s data after too many incorrect PIN entries
  2. PINs must be entered by hand on the physical device, one at a time
  3. iOS introduces a delay after every incorrect PIN entry

What the FBI wants


As you'd expect, the court order (PDF here) asks Apple to remove all three in what would create a backdoor for the FBI to use to 'brute-force' the PIN code on the phone. Brute forcing simply means that the FBI will hook up the iPhone to a powerful computer that would quickly run through all possible PIN combinations until it guesses the one that the shooter has used on his iPhone. Here is what the FBI wants Apple to do to allow it to brute-force the phone:

  1. Disable the iPhone function that wipes the phone after too many incorrect PIN entries
  2. Enable PIN input to happen not on the iPhone itself, but from another device, so that the FBI could have a computer doing this work
  3. Disable the delay so that the computer that guesses PINs can do this as fast as possible

Two important notes here: some research firms claim they are able to hack into iPhones before the 5s that are running on up to iOS 8.4, so one can assume the iPhone 5c in question runs on iOS 9. Also, encryption would not be that critically locked down and could be bypassed easier on a phone that is not powered down. This suggests that the FBI either allowed the phone to run out of battery, or obtained it powered down. In either case, all evidence suggests that the FBI cannot crack into the shooter's iPhone on its own.


Put in simple terms, the FBI has ordered Apple to build a custom, signed version of iOS that would disable the protection that Apple itself implemented. The version will bypass passcode delays, won't wipe the phone after a few incorrect attempts, and will allow the FBI to hook up its computer to guess the passcode faster. This, by all means, is a backdoor.

So why cannot the FBI itself build such code and flash it onto the iPhone? The reason is in the way iPhone firmware updates work: they are flashed via the Device Firmware Upgrade (DFU) Mode. Once your iPhone is in DFU mode, you can add new firmware to your iPhone via a USB connected device. However, before installing the firmware, the iPhone always checks whether the firmware file has a valid signature key. Only Apple has the signature keys, and this is why the FBI cannot simply load its software on its own terms.

What if it was a newer iPhone: enter the Secure Enclave



The hacking of an iPhone, however, might have been even harder if the shooter used a newer iPhone - the 5s, 6 or 6s. 

With the introduction of Touch ID, Apple has placed a separate hardware chip, the poetically named Secure Enclave (SE), a separate computer (or co-processor, if you prefer) in the iPhone. The Secure Enclave takes care of the privacy of file encryption, Apple Pay and Keychain Services. When you enter your iPhone passcode on a device with Secure Enclave, the passcode is bundled together with a key that is embedded in the SE, so in order to break into the phone, you now need both the passcode and this key. Keys from the Secure Enclave cannot be read by iOS in any way, so that's why even a modified version of iOS would not be of any help to the FBI - had the shooter used a newer iPhone.

Even if the FBI succeeds in forcing Apple to build a custom iOS version (FBiOS?), if it were dealing with a Touch ID iPhone, the FBI agents would not be able to crack the phone. The obstacle in the way is the fact that the Secure Enclave (SE) keeps its own, separate record of failed PIN attempts and separately mandates a delay. After 9 failed PIN attempts, SE will introduce a 1-hour delay between attempts, making brute-forcing the password practically impossible.


However, since the San Bernardino shooter's iPhone 5c does not have this Secure Enclave chip, it relies only on software to dictate PIN attempt delays that prevent brute-force attacks. Hence, the FBI can order Apple to build such software, disable the delays and this would be enough to brute-force an iPhone 5c.

To illustrate the power of the Secure Enclave, you need to look no further than the recent scandal over 'Error 53'. The 'Error 53' is a fatal iPhone error that users who have serviced their iPhones in unauthorized centers get when their iPhone has been serviced with a third-party Touch ID fingerprint scanner. Apple has restricted iPhones to work with a single Touch ID sensor via the Secure Enclave, a security measure that prevents hackers from bundling fake Touch ID sensors to brute-force fingerprint authentication.


Going one step further, let's ask the question: what if the shooter had a newer iPhone? Building an iOS backdoor - as the FBI requires - would not be enough then, but is it even possible to crack the Secure Enclave? The answer is unclear. Apple is not providing details about the Secure Enclave to the public, but security expert Dan Guido suggests that Apple has changed passcode delay times in the past on Touch ID phones, which would be possible only if it could update the firmware for the Secure Enclave chip. Hence, if it was a newer iPhone (and, we bet, in the near future) the FBI would be asking Apple for not only an iOS backdoor, but a separate Secure Enclave backdoor as well.

An unconstitutional order


The fight for consumers privacy has been going on for eons, but for the first time in recent history, we have a company the scale of Apple make such a bold step to protest the government's requests. The American Civil Liberties Union and the Electronics Frontier Foundation (EFF) have taken a firm stand, supporting Apple's position and the right to privacy. Cryptologists and national security experts have long held this position. Google's Sundar Pichai has expressed (lukewarm) support as well. Other high-profile figures like Whatsapp chief Jan Koum has also taken a stand with Apple. But it is shocking to see giants such as Facebook and Microsoft, to name a few, remain in worrying silence.

Admittedly, Apple has positioned itself as one of very few that puts security at the forefront and makes it a key value for Apple as a brand, but this is a fight about much more than just Apple.

"If the FBI can force Apple to hack into its customers’ devices, then so too can every repressive regime in the rest of the world," Alex Abdo from the American Civil Liberties Union writes.
 
"Code is speech, and forcing Apple to push backdoored updates would constitute “compelled speech” in violation of the First Amendment. It would raise Fourth and Fifth Amendment issues as well," the EFF adds. Yes, this would be in direct violation of The Constitution.


What's really at stake? Put simply, law enforcement would typically request access to information by a warrant, but it cannot mandate a company to change its product, as that would mean interfering in its business. This would be comparable to the FBI ordering carriers to start recording everyone's calls, so that the FBI can listen in (currently, carriers only hold the numbers of contacts and lengths of calls, but not the actual call recordings). That is the type of precedent that is at stake.

The public backlash


Apple has not taken an easy decision: it stands firmly to protect users' privacy and security in a very sensitive case of terrorism that populists can easily use to manipulate the debate and put the blame on Apple. The headlines do not disappoint:

"Apple chose to protect a dead ISIS terrorist’s privacy over the security of the American people," Sen. Tom Cotton says, while Sen. Dianne Feinstein is about to introduce a bill to force Apple to comply with the court order.

Modern-day buffoons like Donald Trump have also quickly jumped in on this, in an attempt to rape in the benefits of a nation hurt by gun violence. "Who do they think they are?" Trump throws a tantrum in front of the media, but fails to consider the implications of a backdoor to the privacy of millions of people.

Those reactions will only intensify as public figures try to reap the political dividends of a highly sensitive issue. It's commendable that Apple is taking a firm stand to protect users privacy despite the very high possibility that it will be bad-mouthed by influential public figures.

Conclusion: Here's why this is important


Finally, to wrap things up, let us repeat the main concerns around this unprecedented fight for the people's privacy: if Apple is required to crack an iPhone for US law enforcement agencies, why should not it do the same when the Chinese, Iranian or Russian governments request the same?

If Apple provides code that allows the FBI to crack the iPhone 5c of the San Bernardino shooter, what guarantees are there that a malicious hacker won't some day get hold of that code and get the capabilities to break into millions of other iPhones? 

Furthermore, after the Snowden revelations in 2013, what guarantees are that our government itself won't hack into Americans' phones at will?

Which side are you on?

Apple
82.39%
FBI
17.61%

Story timeline

FEATURED VIDEO

87 Comments

94. Roshnishama

Posts: 36; Member since: Aug 10, 2015

Surely I'm not fan of apple but still like them!

90. egyptian3030

Posts: 30; Member since: Nov 21, 2015

I'm not Apple Fan or one of their customers but I'm supporting them in this case, the hole world become crazy because of dictators security agents who would like to have all power over people in all ways, and if FBI really want to only to have access to this phone better to give to Apple to open the devise in its lab by their own way then copy of data to deliver to the court and I think Apple is well-known and trusted company which care about USA Safety but FBI wants to have their way to control people only. I salute Apple for their Stand.

86. geoffphuket

Posts: 50; Member since: Feb 08, 2016

Tim should do as he's told and modify the software! If those of you moaning have nothing to hide on your phones, then what are you concerned about?

82. ZypKode

Posts: 11; Member since: Dec 27, 2014

Criminasl know now to put in 10 wrong Passcode and then commit the Crime.

77. RoboticEngi

Posts: 1251; Member since: Dec 03, 2014

Apple shouldnt give FBI or any other government a universal key. But they SHOULD unlock that particular device. Hell if they dont every single terrorist and criminal will go for the iphone, because apple will protect their "privacy"...And i would love to see any of the "civil rights" "fighters" here, stand up for privacy when their own loved ones have been gunned down by some drug addict, and the only way to get the person convicted is to unlock his iphone....Then all these hypocrits will come cryin gon their knee's.....Or do you want more of 9/11 and paris?

80. TheRealist

Posts: 16; Member since: Feb 06, 2016

I'm just being realistic man :) We know how the FBI gets their own way.

81. Slammer

Posts: 1515; Member since: Jun 03, 2010

Exactly! No one should be above the law. In the case of Apple winning, anyone owning an iphone could almost hide from it. John B.

87. geoffphuket

Posts: 50; Member since: Feb 08, 2016

If the FBI had access to whoever's phone they wanted, there would be no more terrorist attacks.

76. TheRealist

Posts: 16; Member since: Feb 06, 2016

In the end the FBI will create a law so it can access future iphones.

75. vliang86

Posts: 337; Member since: Oct 05, 2015

Apple vs FBI = the most important battle of the decade.

74. stuck_788

Posts: 54; Member since: Jul 26, 2013

I think they already do... and since they introduced fingerprint scanners, they got all our fingerprints...

72. dancheung77

Posts: 202; Member since: Jan 28, 2015

democracy is when we as citizens get to say no and we can choose what's right for us. If we comply with whatever throw at us by the government, especially privacy issue, then we are no different than those communist countries. People constantly under surveillance, give up rights when govt ask to and you don't get to vote. democracy s what sets us apart from China and North Korea. If you don't mind giving up your right, then why don't you just move to North Korea, you prob feel more comfortable there, just sayin

71. phonearenaviewer

Posts: 59; Member since: Jan 22, 2014

Instead of unlocking phone why can't apple just download all of the info from the phone and provide it to FBI?

66. geoffphuket

Posts: 50; Member since: Feb 08, 2016

The FBI should have their way so they can arrest more Islamic terrorists.

64. Slammer

Posts: 1515; Member since: Jun 03, 2010

It seems to me that Apple could easily have federal agents bring the single phone to corporate and unlock it without compromising all other security. This appears to be a power trip between both the feds and Apple. John B.

63. oozz009

Posts: 520; Member since: Jun 22, 2015

Wait a minute PA. What if it was a 5S and the FBI simply took the criminal's finger and used a scotch tape (or something else) to take his fingerprint and then used that to unlock the phone. Wouldn't such a method work? If not, why not?? Anyone???

68. geoffphuket

Posts: 50; Member since: Feb 08, 2016

They probably do that already

59. Bernoulli

Posts: 4364; Member since: Sep 01, 2012

Seems like it's a repeat of what happened to blackberry in Pakistan, haha would be ironic if the turn out is the same and Americans called their own company 'insecure'

58. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

For all the losers who sided with the FBI. You're stupid. Because if the FBI was to get this in their hands, privacy of your cellphone is 100% gone. They could remotely access any iPhone and used it features to monitor every call, text and more. It doesn't matter if you have anything to hide or not. It's about your right to privacy. Then what is next, pressure would surely come onto Microsoft, Google and any phone maker who wants to sell phones in the USA. Samsung, HTC, LG and more. Then they could go to Intel and say we need backdoors put in CPU's or even GPU's. Even if what they asked for was even possible, that doesn't mean they should have it. I dont care how big the Government is. The bigger they are the harder they fall. After all, where is the Roman Empire now?! Humans are inclined to evil, no matter how good their e=intentions are. look how many inventions that wre meant to be used for the good of mankind has been taken by the Governement to hurt people, Cars, planes, trains, helicopters, subs, explosives, fire, the ATOM, hydrogen and so much more are all good in themselves and Feds have taken them and turned them all into weapons. Like user Engineer-1701d said in another thread trying to take a case like the movie Taken? Well imagine if things like Iron Man, Hulk or even Superman was even possible. If someone created that, you know for a fact the military wants it's hands on it. I mean, look what they did with Stealth technology they got from the aliens. The Feds woudlnt be able to protect such a tool from the wrong hands, because they themselves are the wrong hands. It is enough we have no privacy as it is. Cameras on roads, streets, bathrooms, stores, you name it. What little privacy I have, I want to keep it.

70. S.R.K.

Posts: 678; Member since: Feb 11, 2016

Well said Techie.

55. theo14461 unregistered

What will the FBI learn from their locked iPhone? How they conspired to kill innocent people? I'm with Apple on this one.

89. geoffphuket

Posts: 50; Member since: Feb 08, 2016

Sounds like your on the side of the terrorists

49. all4dom

Posts: 23; Member since: Sep 30, 2013

Can someone please explain who is more secure.....apple.or android. I love my Samsung galaxy note series phones, but this article does have me thinking about going to apple because they seem to put more effort in a secure platform then google.

53. sissy246

Posts: 7129; Member since: Mar 04, 2015

I have nothing to hide so don't care. Love my note 5. Apple knows that we'll lose,a lot of money if they open up that phone

46. Neros

Posts: 1016; Member since: Dec 19, 2014

It's a PR move.

41. darkkjedii

Posts: 31797; Member since: Feb 05, 2011

Resist that crap Apple. It'll set a bad precedence.

42. TerryTerius unregistered

Let's hope they can. Or more importantly, let's hope our politicians and Judges see the light.

48. darkkjedii

Posts: 31797; Member since: Feb 05, 2011

Well said. This reminds me of enemy of the state lol. That privacy act.

56. avalon2105

Posts: 352; Member since: Jul 12, 2014

This reminds me of V for Vendetta. Whole concept of trading freedom for security seems eerily familiar. I could even imagine Tim Cook wearing Guy Fawkes' mask.

35. jellmoo

Posts: 2687; Member since: Oct 31, 2011

Thanks for this write up. It very nicely summarizes what is a complex and very serious issue. Their motives may be suspect, but Apple is fighting the good fight here, against a request that is blatantly unconstitutional.

* Some comments have been hidden, because they don't meet the discussions rules.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless