Last night the Justice Department announced that it had dropped its action to compel Apple to break into the iPhone of San Bernardino shooter Syed Rizwan Farook. The government said it had unlocked the phone with the help of a third party, mooting the case.
The government's contractor found and exploited a flaw in Farook's iPhone. Had a security researcher unlocked the phone this way, the norms of coordinated disclosure would have called for notifying Apple and, if Apple failed to remedy the flaw within a reasonable time, publishing details of it. The government's contractor is under no such expectation, and may be barred by contract and by law from disclosing the flaw at all.
With the legal contest between Apple and the Justice Department over, two questions remain. Who at the Black Hat Security Conference will disclose how the shooter's iPhone was unlocked? And what should a privacy-conscious person do to stop a government, a law enforcement agency, or a criminal from unlocking his iPhone?
Who at the Black Hat Security Conference will disclose how the shooter’s iPhone was unlocked?
Black Hat USA begins on July 30, 2016 in Las Vegas. It may be too early for the government's unlocking method to surface now, but in the months leading up to Las Vegas security researchers will be vying to give the talk that explains how Farook's iPhone was unlocked, because every technology and business news outlet will cover it.
There is a lot already known about how to unlock this iPhone model. A security analyst independent of the government may already have discovered how to unlock this device.
According to the Trail of Bits blog, the iPhone model that was unlocked has specific design weaknesses compared to more recent models with fingerprint readers. The iPhone 5C in question stretches the delay between passcode attempts from none at all to one hour after nine failed attempts, but unlike newer iPhones, which enforce that delay in a separate coprocessor called the Secure Enclave, the iPhone 5C enforces it in iOS software. At one attempt per hour a four-digit passcode (10,000 possibilities) could take roughly 10,000 hours, well over a year, to exhaust. A 5C running a build of iOS 9 with the delay code removed could instead try a new passcode every 80 ms, the floor set by the key derivation that is tangled with the device's hardware UID key, and would find a four-digit passcode in well under half an hour.
A second design weakness of the iPhone 5C, per the same post, is that it does not run an encrypted build of iOS 9, so a branch instruction or other patch could be inserted into the binaries to bypass the passcode delay and the optional erase-after-ten-failures behaviour. Such a modified build would still have to carry Apple's signature before the phone would boot it, which is why the FBI went to court to compel Apple to produce one.
What should the privacy conscious person do to stop the government or criminal entity from unlocking his iPhone?
Newer iPhones with fingerprint readers running iOS 9.3 are considerably harder to attack this way. They enforce the escalating passcode delay inside the Secure Enclave rather than in iOS, and run encrypted system code, so patching the delay out of the operating system no longer works.
Owners of older models do have an option, though: make the keyspace large enough that the 80 ms floor is the bottleneck. A four-digit passcode has 10,000 possibilities and falls in under 15 minutes at 80 ms per attempt. A nine-character alphanumeric password has 36^9, about 10^14, possibilities, and trying all of them at the same rate would take on the order of 250,000 years; even six lowercase alphanumeric characters take more than five years to exhaust, a figure that matches Apple's own published estimate.
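The passcode arithmetic in the two paragraphs above (the one-hour throttle on the 5C, the 80 ms unthrottled rate, and the effect of a longer password) is easy to get wrong, so here is an added worked model of it. This is example code written for this page, not code from the original post, from Trail of Bits or from Apple. It assumes the 80 ms per-attempt cost quoted above and the delay schedule published in Apple's iOS Security Guide (no delay for attempts 1 to 4, one minute at the 5th, five minutes at the 6th, fifteen minutes at the 7th and 8th, one hour from the 9th on); the passcode classes it compares are constructed for illustration.

```python
"""Brute-force time model for iPhone passcodes (added example, not from the post).

Assumed constants, both labelled: the 80 ms per attempt floor quoted in the text,
and the escalating delay schedule from Apple's iOS Security Guide.
"""
import string

UNTHROTTLED_SECONDS = 0.080          # assumption: per-attempt cost, UID-tangled key derivation
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed passcode classes: (label, alphabet size, length)
PASSCODE_CLASSES = [
    ("4 digits", len(string.digits), 4),
    ("6 digits", len(string.digits), 6),
    ("6 lowercase alphanumeric", len(string.ascii_lowercase + string.digits), 6),
    ("9 lowercase alphanumeric", len(string.ascii_lowercase + string.digits), 9),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes for a fixed length over an alphabet."""
    return alphabet_size ** length


def delay_before_attempt(n: int) -> int:
    """Seconds iOS waits before attempt n (1-based), per the assumed schedule."""
    if n <= 4:
        return 0
    if n == 5:
        return 60
    if n == 6:
        return 5 * 60
    if n <= 8:
        return 15 * 60
    return 3600


def seconds_to_exhaust(space: int, throttled: bool) -> float:
    """Worst-case seconds to try every candidate.

    Throttled: the software delay schedule plus the 80 ms derivation each time.
    The one-hour tail is summed in closed form so a 10^14 keyspace needs no loop.
    """
    derivation = space * UNTHROTTLED_SECONDS
    if not throttled:
        return derivation
    head = sum(delay_before_attempt(n) for n in range(1, min(space, 8) + 1))
    tail = max(space - 8, 0) * 3600
    return head + tail + derivation


def success_probability_with_autoerase(space: int, attempts_before_wipe: int = 10) -> float:
    """Chance a blind guesser wins before the optional erase-after-N-failures fires."""
    return attempts_before_wipe / space


def compare(classes=PASSCODE_CLASSES) -> list:
    """Rows of (label, keyspace, unthrottled days, throttled days, autoerase odds)."""
    rows = []
    for label, alphabet, length in classes:
        space = keyspace(alphabet, length)
        rows.append((
            label,
            space,
            seconds_to_exhaust(space, throttled=False) / SECONDS_PER_DAY,
            seconds_to_exhaust(space, throttled=True) / SECONDS_PER_DAY,
            success_probability_with_autoerase(space),
        ))
    return rows


if __name__ == "__main__":
    for label, space, fast_days, slow_days, odds in compare():
        print(f"{label:26s} {space:>18,d}  unthrottled {fast_days:>14,.3f} d"
              f"  throttled {slow_days:>16,.1f} d  p(win before wipe)={odds:.2e}")
```

The unthrottled column is what a delay-stripped build buys an attacker: four digits fall in 800 seconds, six lowercase alphanumerics take about 5.5 years (the figure Apple publishes), and nine take hundreds of thousands of years, so the 80 ms floor only protects you once the keyspace is large. The throttled column shows that even the software-enforced one-hour delay turns a four-digit PIN into more than a year of work, which is exactly why the delay code was the target.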
Security breaches of popular devices and personal privacy are often blown out of proportion. In this case you can set your watch on July 30 for this issue to become a popular news story again.