How Apple could let the FBI crack your encrypted iPhone

Apple has said it won't comply with the court order requiring it to install a custom operating system on an iPhone 5c, but there is no technical reason why it couldn't

How Apple could let the FBI crack your encrypted iPhone
DaveOnFlickr (CC-BY-SA 2.0)

Let’s set aside the discussion of whether or not Apple is right to fear that the court order to assist the FBI in accessing a terrorist's locked iPhone sets a dangerous precedent, and instead focus on the technology. Considering all the security features Apple has built into iOS, is what the judge asking for even possible?

Ironically, there could have been a way that the FBI could get into the iPhone. Because the iPhone was issued by the terrorist's employer, a county agency, the county IT department could unlock the device for the FBI -- that is, if it had used mobile management software to manage the employee's iPhone 5c. But the agency apparently didn't, taking that access option off the table.

If the iPhone in question had not been powered down, the FBI would have been able to explore other avenues “as the encryption would not be as locked down,” wrote digital forensics expert Jonathan Zdziarski. But it was in fact powered down when the FBI recovered it.

Beginning with iOS 8, iPhones, iPads, and iPad Touches are encrypted using a key derived from the user-selected passcode. This is combined with a device-specific hardware key so that Apple can’t decrypt the information at all. Only the user can.

What the court wants Apple to do for the FBI

How could Apple break the encryption on the iPhone? It can't.

But that's not what the court order is requiring. Instead, it wants Apple to remove the self-destruct mechanism that wipes the data after 10 failed password attempts. It also wants Apple to allow it to feed potential passwords via the device's Lightning port so that the FBI can automate the password guesses. That way, the FBI can use its full computing power to try thousands, even millions of passwords in hopes of finally unlocking the device -- thus, decrypting the contents.

To do that, Apple is being asked to create a special version of iOS that the FBI would somehow load onto the locked devices; that replacement iOS would then turn off the autowipe feature. That's not a backdoor, but a way to disarm the front door.

Is that even possible? Yes.

How Apple can update a locked iPhone to remove its security protections

Robert Graham of Errata Security, Dan Guido of Trail of Bits, and digital forensics expert Zdziarski all weighed in within hours of the judge’s order being made public. They agree that Apple can comply with Judge Sheri Pym’s order that Apple provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data on the subject device.”

What Apple would need to do is create, then boot the custom firmware on the device without affecting existing data. It knows how to do that -- it's what upgrades do. iOS requires updates to be signed by a special key, which only Apple has, using the Device Firmware Upgrade mode.

But only Apple can do this safely. Although jailbreak versions of iOS also use Device Firmware Upgrade mode, they often don't work, and the FBI can't afford a failed attempt that would then brick the iPhone 5c. “Before any firmware is loaded by an iPhone, the device first checks whether the firmware has a valid signature from Apple. This signature check is why the FBI cannot load new software onto an iPhone on their own -- the FBI does not have the secret keys that Apple uses to sign firmware,” Guido wrote.

One reason the experts believe Apple could comply with the order is that the iPhone 5c's hardware security is not as sophisticated as that in the iPhone 5s and later models. The passcode lock and autowipe features are software-based on the iPhone 5c, so they can be disabled with a software update, Guido said. The same update can also include support for peripheral devices so that the FBI doesn’t have to manually key in each passcode attempt.

In the iPhones 5s and later smartphones, Apple moved the passcode and encryption features from software to hardware, specifically to Secure Enclave, a coprocessor based on the A7 chip that makes the device resistant to tampering. (It's also what makes Apple Pay secure.)

The key embedded in Secure Enclave handles the process for unlocking the iPhone. Secure Enclave also keeps track of incorrect passcode attempts and introduces a delay between attempts, so it responds more slowly with each failed attempt. The mechanism is designed to slow down brute-force attacks such as what the FBI wants to do. Because Secure Enclave is essentially a separate computer within the iPhone, iOS can’t do anything to it.

Because the iPhone 5c doesn't have Secure Enclave, its protections can be bypassed via software.

But the later iPhones' hardware-based security can be defeated, though it's much harder to do so. if the FBI tries the same gambit again in the future with a more recent iPhone, it would be much more difficult because of the newer iPhones' Secure Enclave -- but “not impossible,” wrote Zdziarski. Guido concurs, saying that on an iPhone with Secure Enclave Apple would need to do two firmware updates: one for Secure Enclave and one for the iPhone itself. It's trickier, but possible.

[After this story was posted, Apple stated that the front-door bypass technique the FBI is seeking -- replacing the iPhone's iOS with a custom version that removes the failed-password wipe protextion -- would work with any iPhone, not just the iPhone 5c, providing a way to access anyone's iPhone. The U.S. Justice Dept. offered to let Apple access the iPhone itself, so the proposed bypass version of iOS would not be provided to the government for later on other devices. Apple also claimed that the iCloud passeord for the terrorist's iPhone 5c was changed when the phone was in FBI custody, remotely by the San Bernardino County IT department that owned the phone, and thus Apple can no longer access the phone as the FBI desires even were it to build a bypass version of iOS. The county said the iCloud password change was done "at the FBI's request." Also, the county-issued iPhone 5c did not have the county's mobile management software installed, which its provider, MobileIron, would have provided the FBI the desired access. --Editor]

Apple would need the iPhone to do the FBI's bidding

The court order is not looking for a generic firmware update that can be used against other iPhones. Its request is narrow in scope, asking for an update customized for that specific device. And because the FBI would have to send Apple the iPhone to apply the update, the custom software would never have left Apple.

Apple has argued that creating such a bypass for the iPhone's security would create a method for others to exploit the iPhone -- hackers, corporations, foreign governments, and the U.S. government alike. But if that code never leaves Apple's control, perhaps it could prevent such errant usage after all.

“All companies have a way to modify their own devices and software -- it’s like car companies having spare keys for individual cars ... they exist,” said Lance James, chief scientist at Flashpoint, a threat intelligence and data analytics company. “Even if that requires them to modify the firmware with a key they have, they don’t have to give that software to the FBI.”

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform