
Terrorist’s Apple ID Password Changed In Government Custody, Blocking Access - hanapbuhay
http://www.buzzfeed.com/johnpaczkowski/apple-terrorists-appleid-passcode-changed-in-government-cust
======
circuiter
What's strange is that they're investigating two international terrorists who
committed mass murder and all they're talking about is their fucking iPhone?

What if after all this drama and forcing everyone to install backdoors and
disable encryption they find out that they used it only to play Clash of Clans
and take pictures of food?

~~~
junto
You could write a good film script here;

how some secret 3 letter agency has gone rogue and has a long and complex plan
to incite a couple of people to terrorism, making sure they conveniently die,
leaving no witnesses.

This shadow group then invoke the hearts and minds of the people, through the
fear of a series of terror acts to relinquish their privacy rights, happily
accepting a legal precedent to remove encryption from the masses. Their end
goal being total population control and surveillance in order to control the
masses on behalf of a secret and powerful governing elite.

A bunch of FBI agents suspect this secret group have programmed these people
to commit these terror acts, and since they are now dead they need to recover
the data from the phone to prove this dastardly conspiracy.

Starring Matt Damon as the one rogue ex-agent who brings the whole almost
perfect plan crashing down, and Liam Neeson as the FBI agent who is determined
to bring this shadowy elite to justice.

~~~
junto
Why the down votes out of interest? Bad plot?

------
zaroth
iCloud backups are not protected by your iCloud password. I know this because
I've personally reset my password and then successfully recovered an iCloud
backup to a new phone with the new password.

However, the auto-backup feature, which would have pushed the most recent data
from the phone onto iCloud just by leaving the phone powered on... apparently
that is disabled when the iCloud password is reset. Which makes sense if you
think about it, the phone still has the old iCloud password, and it would need
the new password in order to authenticate to iCloud. So they inadvertently
disabled the backup feature by locking the phone out of iCloud!

The first question this raises is can the auto-backup be made to start working
again by Apple changing their backend iCloud authentication code to
specifically allow this device to login to iCloud with the "wrong" (old)
password? That would not involve touching the phone and seems like a much
cleaner solution. Unless there is code on the phone which disables or destroys
the iCloud authentication token / stored password after encountering a login
error, which really would surprise me, because API errors could be spurious,
but I guess it's possible if they are looking specifically for an "invalid
login" return code and then dumping the old token in order to trigger a UI
prompt to enter a new password.

The second question is why are the existing backups a month and a half old?
Doesn't this imply the device was not even turned on or connected to the
network for that last month and a half?

The other interesting tidbit in the article is the statement the FBI was able
to verify that the phone was never paired with any devices to obtain data. How
in the world could they know that?

(Cross-posting this comment from another article, because it's more relevant
here)

------
mattnewton
Footnote 7, Page 18 of the government's brief to the court
http://www.politico.com/f/?id=00000152-fae6-d7cd-af53-fafe53bb0002

~~~
danieltillett
Wow so the government broke the autobackup approach by resetting the password
afterwards. That was clever!

~~~
Steko
Not by the police but by the county, which, as the shooter's employer, was the
owner of the phone.

------
jessaustin
More confirmation, as if anyone needed it, that this case is not about the
months-old data on one particular phone, but rather about breaking the
security of all phones.

~~~
jfoster
Sorry, but how does this confirm that? It sounds to me as though someone
screwed up by changing the password rather than it being intentionally changed
so they could request that Apple build an iOS with a backdoor.

~~~
imron
Maybe the FBI should concentrate their efforts on finding that someone and
asking them what the password is.

~~~
jfoster
I would assume they have found that person. It's curious that anyone took it
upon themselves to initiate the password reset without authority, but I'd bet
they have simply forgotten what they changed it to.

~~~
michaelt
If that's the case, it sounds like the FBI are being very careless with
evidence and passwords to suspects' phones, even in very high profile cases.

If they can't keep passwords secure, they aren't going to be able to keep this
backdoored iOS version secure either.

~~~
jfoster
That's essentially Apple's concern, isn't it? That they will want to
increasingly rely on this version of iOS, and eventually accidentally
compromise Apple's security model?

~~~
michaelt
Well, I assume Apple have multiple concerns - one is that the cops will leak
the backdoor. But even if you could backdoor iOS in a way that couldn't leak,
I think Apple would still oppose it.

Apple see this as the thin end of a wedge, establishing the principle that the
feds can force Apple to put backdoors in iOS and Apple can't say no. The thick
end of the wedge will have much wider scope and much less oversight.

------
themartorana
Most important point in the article (to me, anyway):

_"The government says the access being sought could only be used on this one
phone, but Apple's executives noted that there is widespread interest in an
iPhone backdoor, noting that Manhattan District Attorney Cyrus Vance said
Thursday that his office has 175 Apple devices he'd like cracked."_

------
ctdonath
So who changed the password? And why hasn't the FBI asked for the new
password?

~~~
deathanatos
The employer[1]:

> _The FBI obtained a warrant to search the iPhone, and the owner of the
> iPhone, Farook's employer_

> _the owner, in the hours after the attack, was able to reset the password
> remotely, but that had the effect of eliminating the possibility of an
> auto-backup_

(the first quote is on page 1 of [1]; the second quote is footnote 7 on page
18 of [1] as pointed out by another commenter[2].)

I _think_ — and frankly, the document isn't too clear on it; it'd be great if
an iPhone owner could clarify — is that this is the Apple App Store account
password, and the phone has a separate and different pass _code_. The FBI
knows the password, and can access the account, but not the phone; the phone
I'm guessing won't back up until the pass _code_ is given to it.

Supposedly the previous backup on the account is allegedly too old: "_nearly
one-and-a-half months prior to the IRC shooting incident_", and even weirder,
"_back-ups do not appear to have the same amount of information as is on the
phone itself_". How can the FBI know this if they can't access the information
on the phone?

The FBI's point is that this is a one-time use of the software Apple would
write, and Apple would maintain possession of the software throughout using
it:

> _Indeed, it is less so because the software requested would not reside
> permanently on the SUBJECT DEVICE, and Apple can retain control over it
> entirely._

> _Moreover, to the extent that Apple has concerns about turning over software
> to the government so that the government can run the passcode check program,
> the Order permits Apple to take possession of the SUBJECT DEVICE to load the
> programs in its own secure location, similar to what Apple has done for
> years for earlier operating systems, and permit the government to make its
> passcode attempts via remote access. […] no one outside Apple would have
> access to the software required by the Order unless Apple itself chose to
> share it. This eliminates any danger that the software required by the Order
> would go into the "wrong hands" and lead to criminals' and bad actors'
> "potential to unlock any iPhone in someone's physical possession."_

(from page 20 of [1])

Frankly, that sounds rather convincing against the section of Apple's "A
Message to Our Customers" headed "The Threat to Data Security" (but I'd love
to be proved wrong! why is this a threat to data security given the above?).
That said, I'm unsure about the section headed "A Dangerous Precedent" — this
does seem like a bad precedent. Are we to now assume that our manufacturer
should be included in our threat models for whether our device is secure?

Also, has Apple submitted anything to the court detailing their argument as to
why they should not be forced to follow the Order?

[1]: http://www.politico.com/f/?id=00000152-fae6-d7cd-af53-fafe53bb0002

[2]: https://news.ycombinator.com/item?id=11137995

~~~
hayksaakian
in terms of amount of information, would it be trivial to count the number of
nonzero bytes on the phone's disk?

then compare that to the backup?

~~~
deathanatos
This requires intimate knowledge on how the disk is encrypted by the software,
I imagine. Speculating:

One can imagine that it is possible, for unused blocks on the disk, to simply
encrypt a zeroed out block; essentially, initialize the disk to a state of
random data. From the cryptotext, you wouldn't be able to know how much is
used. However, for efficiency, I could see this not being done, and disk
blocks that never saw use actually being zero.

That said, a previously-used-but-now-freed block might still contain the
encrypted content, and just be unlinked from the filesystem. Unless freed
sectors actually get zeroed, I would say that the number of non-zero blocks on
the disk only indicate an upper bound on the data, and there may be less. (And
thus, your backup might appear to have less data than the disk while still
containing all the data.)

AFAIK, the filing doesn't elaborate, but I also haven't read all of the filing
yet. Nor is this particular filing the only document in the case, and I sadly
don't have access to the court documents. It would seem that in the United
States, these are behind a paywall (see PACER), though I believe it should be
legal to mirror them; it seems that archive.org is attempting to do this with
their RECAP project, but they don't seem to have the case (or I can't find
it).

The case ID is on the filing in my first post: "5:16-cm-00010-SP"; the format
is described here[1]. Essentially, "5 <division of Riverside> :16 <last two
digits of the year> -cm <"misc" case>-00010 <the case number, tenth of the
year, I think?> -SP <no idea.>"

[1]: https://www.cacd.uscourts.gov/records

~~~
MBCook
My understanding is that the device has iOS 7 and full disk encryption wasn't
enabled by default until iOS 8. Do we actually know if the file system is
encrypted?

------
sschueller
If it were an iPhone 6, how long does a fingerprint last on a corpse? In
future crimes is the FBI going to cut fingers off corpses and store them for
later use?

~~~
illumin8
Touch ID requires your passcode after 48 hours. So, only if the phone had been
previously unlocked with a passcode, kept powered on and charged, and 48 hours
had not elapsed, could the government use a corpse fingerprint to unlock.

The device in question is an iPhone 5 and doesn't have a Touch ID sensor, so
the question is moot anyway.

------
allending
What's preventing Apple from reverting things on the backend to 'undo' the
password change and allow the next authentication and backup attempt by the
phone to work? Apart from unless the phone has been restarted in which case
the FS is still encrypted so the backup wouldn't yet be possible until at
least after the first unlock.

~~~
themartorana
Maybe they don't store previous passwords?

Edit: or are you suggesting iCloud be programmed to accept any password for
this account?

------
abc_lisper
Mind blown, if this is true!

~~~
castratikron
Yes, I'd like to see a more conservative source to confirm this fact.

~~~
newman314
It's on TechCrunch too

~~~
slouch
I can't find it.

~~~
garrettgrimsley
http://techcrunch.com/2016/02/19/apple-executives-say-new-iphones-also-vulnerable-to-back-door-requested-by-fbi/

7th paragraph or search the text for "One such method."

------
yardie
Why not "enhance interrogate" the shit out of the criminal until he willingly
gives up the password? It works in TV, cinema, and, according to Cheney, in
real life. Amirite?

/s

~~~
Vivtek
This is of course a difficult procedure to apply post-mortem.

~~~
DonHopkins
Bringing dead people back to life works on TV, cinema, and, according to
Cheney, in real life (at least at Easter).

------
pj_mukh
Is there a reason Apple can't take apart the phone and access the hard drive
directly?

Maybe put the hard drive on a dev board of sorts. AFAIK, most cell phones have
dev board versions that the mfg's engineers use to test various component
hardware revisions, no? There they can access it through root? I might be
missing something here.

It would be hilarious if after all this, they find nothing on the phone.
GENIUS!

~~~
kozukumi
The same reason they can't take the SSD out of my computer and put it in a
dock to get at the data. The drive is encrypted with a key they don't know.

