
One of the FBI’s Major Claims in the iPhone Case Is Fraudulent - danielsiders
https://www.aclu.org/blog/free-future/one-fbis-major-claims-iphone-case-fraudulent
======
Dowwie
TL;DR: "they're asking the public to grant them significant new powers that
could put all of our communications infrastructure at risk, and to trust them
to not misuse these powers. But they're deliberately misleading the public
(and the judiciary) to try to gain these powers. This is not how a trustworthy
agency operates. We should not be fooled."

~~~
unfamiliar
The TL;DR should be "iPhone 5C NAND flash can be wiped and restored to
default, making brute forcing the PIN a possibility," not this speculative
snippet.

~~~
vermilingua
Except that all the evidence points to this speculative snippet being correct,
and is the point of the article. So, your tl;dr is missing the crucial point
of the article, that the FBI is making a power gambit through deception.

~~~
virgilp
By the same measure, Apple is deceiving everyone too.

Apparently, they can't enable the phone's "icloud backup" because someone
changed the icloud password. Doesn't Apple have old passwords, i.e. can't they
restore the old password from backup? And presuming they can't (why?)....
can't they simply modify the server-side to not check for password for a given
account, and just accept any password for backing up?

------
toyg
I have to say, whoever at the FBI decided this was the right case to push
their new doctrine, could have done his/her homework a bit better. Technically
speaking, this is the last iPhone you can actually crack _without_ assistance
from Apple. They are making it harder for themselves. They only have to wait
for another major incident, retrieve (or plant, why not) an iPhone 6 from the
scene, and do it again, this time _for real_.

Unless they are trying to pre-empt something else (like the recently-touted
shift to "devices even we can't access" from Tim Cook, which may or may not be
simple advertising), they just picked the wrong time to stir this particular
pot.

~~~
mentalpiracy
This case isn't just about Apple though. If the FBI wins this case, it becomes
a precedent that can then be turned around and used on ANY hardware or
software company in the future.

~~~
CamperBob2
Which is why it should have been important enough to them to wait for the next
9/11 or similar incident.

Waving around the proverbial pipe wrench for a case this ambiguous is just
stupid. They're just as likely to have it taken away from them altogether.

------
kabdib
Heck, the FBI could also disable writes to the chip, or simply interpose some
logic that pretends to write, but actually doesn't (a non-write-through cache
:-) ).

That is, if the secrets in question are on that NAND chip.

~~~
drakenot
For this device, with no Secure Enclave, I believe they are on the NAND chip.

~~~
kabdib
Heck, there are probably 20 companies with a Silicon Valley zipcode that could
do that work, then. And a few in LA. I know people who could do this in their
garage (and that's not hyperbole).

~~~
jessaustin
That would rather defeat the point of this whole fake political-judicial spin
effort. The terrorists already destroyed their personal phones that had actual
terror secrets. These work phones, which could have been confiscated by San
Bernardino County at any time, are vanishingly unlikely to yield months-old
information of any sort.

~~~
baldajan
They already retrieved a ton of info from a month or so old iCloud backup. The
FBI has a good idea what might be on the phone, but they aren't saying what
they already found.

------
geographomics
Interesting technique, but it doesn't remove the long interval between
permitted passcode attempts - an equally important problem for brute-forcing.

So the FBI would most likely still require Apple's assistance in this.

~~~
jperras
If you can copy the contents of the NAND memory to one chip for testing, then
you can copy it to a hundred chips and parallelize the process, assuming I
haven't misunderstood the hardware issues at hand (not my specialty, to be
fair).

The exponential backoff of attempts is not really an issue in that case.

~~~
devy
Interestingly, this is the EXACT advice [1] given at the Apple + FBI @ U.S.
Congressional Hearing on March 1st from California congressman Darrell Issa
(R).

Congressman Issa was previously the CEO of DEI, a car security and audio
equipment company. He is possibly one of the most tech-savvy members of U.S.
Congress and happens to be one of the wealthiest as well [2].

The Congressional hearing video footage is here, the suggestion was proposed
at 1h23m 13s in.[3]

[1]: [http://qz.com/628745/i-have-no-idea-the-fbi-director-at-the-apple-judiciary-hearing-gets-schooled-on-security-tech-by-a-congressman/](http://qz.com/628745/i-have-no-idea-the-fbi-director-at-the-apple-judiciary-hearing-gets-schooled-on-security-tech-by-a-congressman/)

[2]: [https://en.wikipedia.org/wiki/Darrell_Issa](https://en.wikipedia.org/wiki/Darrell_Issa)

[3]: [https://youtu.be/g1GgnbN9oNw?t=4993](https://youtu.be/g1GgnbN9oNw?t=4993)

~~~
spenczar5
I noticed the same thing. I wonder whether James Comey's aw-shucks answer
(roughly, "I have no idea, I'm just a regular Joe, I don't know much about the
tech here") was feigned.

------
croddin
Apple said that they could sync the data if the AppleID password wasn't changed.
Can Apple just revert the AppleID account on their servers to a backup with
the old password hash (or however it is stored)? Why wouldn't this work? Has
something on the phone changed because of the password change or is Apple
unwilling or unable to revert the AppleID account?

~~~
chime
The local device could have cleared the stored password if the remote server
rejected it even once.

~~~
nkurz
Could have, and perhaps should have, but I haven't seen anyone claim that it
actually does delete the stored password after a failure. And it would be
awkward if the automatic backup stopped functioning and required manual
intervention after each intermittent network failure. It should be fairly easy
for someone with an iPhone to test and find out.

~~~
jjnoakes
> And it would be awkward if the automatic backup stopped functioning and
> required manual intervention after each intermittent network failure.

But not awkward after a valid reply from the server saying "password
incorrect".

~~~
nkurz
Possible, but still awkward. If the network failure is between the server and
the password database, it would still need to distinguish between "password
permanently incorrect" and "password temporarily incorrect".

But my stronger point was that there is no need to speculate, since someone
with an iPhone can verify what actually happens. Set up backups, change the
password, verify that it fails, change the password back, and report what
happens.

~~~
kiallmacinnes
If the HTTP status code is 5xx, keep the password. If the HTTP status code is
4xx, delete the password.

Obviously making some assumptions (like HTTP, or a 5xx on network fail between
internal services), but telling the difference between "user supplied bad
data" and "the server messed up" really isn't that awkward at all.
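The 5xx/4xx rule above, as an added example written for this thread (it is not Apple's backup client, nor anything from the article): a small Python policy that decides whether a stored backup credential survives a failed attempt. The `BackupResponse` shape, the status codes and the sample values are assumptions made for illustration; the one refinement over the rule as stated is that only an explicit 401/403 counts as "user supplied bad data", so a 429 or a malformed-request 400 does not throw the password away.

```python
"""Added example for this thread, not Apple's code: what an automatic-backup
client does with its stored credential after an attempt fails. The status
codes, the BackupResponse shape and the sample responses are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    KEEP = "keep"        # transient failure: retry later with the same credential
    DISCARD = "discard"  # the service rejected the credential: force re-entry


@dataclass
class BackupResponse:
    status: Optional[int]                   # HTTP status, or None when no reply arrived
    transport_error: Optional[str] = None   # e.g. "timeout", "dns", "tls" (assumed names)


def classify(resp: BackupResponse) -> Verdict:
    # No HTTP reply at all: the network, not the credential, is at fault.
    if resp.status is None:
        return Verdict.KEEP
    # 5xx covers the server's own failures, including an internal auth service
    # being unreachable behind the front end: the credential may still be good.
    if 500 <= resp.status < 600:
        return Verdict.KEEP
    # Only an explicit authentication/authorization rejection proves the stored
    # credential is wrong. 429 and other 4xx (rate limit, malformed request)
    # say nothing about the password, so they keep it too.
    if resp.status in (401, 403):
        return Verdict.DISCARD
    return Verdict.KEEP


@dataclass
class CredentialStore:
    secret: Optional[str]
    tolerate: int = 0      # consecutive explicit rejections to absorb before clearing
    rejections: int = 0    # current streak of explicit rejections

    def after_attempt(self, resp: BackupResponse) -> bool:
        """Apply the verdict to the stored secret. Returns True when the user
        must re-enter the password. tolerate=1 absorbs a single rejection
        (e.g. a password change still propagating server-side); the next
        consecutive rejection clears the secret."""
        if classify(resp) is Verdict.KEEP:
            self.rejections = 0           # a transient failure resets the streak
            return False
        self.rejections += 1
        if self.rejections > self.tolerate:
            self.secret = None            # wipe it; do not keep retrying a bad password
            return True
        return False


if __name__ == "__main__":
    store = CredentialStore("s3cret")
    for r in (BackupResponse(503), BackupResponse(None, "timeout"), BackupResponse(401)):
        print(r, "-> re-enter" if store.after_attempt(r) else "-> keep", store.secret)
```

The streak counter is what stops an intermittent failure between the front end and the password database from looking like a bad password: a 5xx or a dropped connection resets it, and only back-to-back explicit rejections clear the secret.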

~~~
chime
That's exactly what we do in one of our iPad apps.

------
tylercubell
It seems like there are several articles and security experts out there
explaining how to recover data from a locked iPhone as if it were a cakewalk
but where is one example of a complete soup-to-nuts case study on unlocking
the same model phone as the San Bernardino shooter?

If you want the American public to believe the FBI is making fraudulent
claims, show demonstrable proof that it can actually be done instead of all
the talk and theories.

~~~
ismyrnow
^this

------
codeonfire
The device is evidence, so all of you saying they can just start desoldering
things and such need to think about that. What is the first thing a defense
attorney would say if the data were to be used in a criminal trial? That's
right, "the FBI replaced the memory chip on the phone with one they wrote
their own copy of the data to." That is only after they potentially
permanently damage the device and data.

~~~
TheDong
And yet, there's no issue with "We'll let apple take the device, flash a
custom OS onto it, and allow us to make attempts remotely while not having
physical access to the device".

That's what they're asking for. Part of the FBI's argument is that they need
the information for safety of our country, not specifically for the trial.

~~~
rhizome
Isn't the FBI's position that the FBI will have physical possession of the
device at all times?

~~~
wl
The FBI said it would be acceptable for Apple to retain possession of the
phone while it was running the customized version of iOS out of RAM in order
to prevent the custom iOS from falling into their hands.

~~~
simoncion
> The FBI said it would be acceptable for Apple to retain possession of the
> phone...

However... in _that_ case the FBI _will_ have _remote_ access to the phone in
question to run whatever software tools against it they require. (This
requirement is in the order. :) )

Given that "prevent iOS from reading the ROM used to boot the iDevice"
_probably_ isn't a threat that Apple considered to be a serious one, it's
entirely possible that the FBI (or an agent of another TLA embedded within the
FBI) could use this remote access to _also_ gain access to Apple's (signed!)
PIN entry delay and self-destruct removal modifications.

If this happens, _and_ there's a way to bypass whatever mechanism Apple used
in the modified image to make it run only on that single iPhone, then Apple
has just unwittingly (and unwillingly) handed a backdoor to any iPhone of that
model to FedGov (along with any _other_ governments that have clandestine
access to the systems of the TLAs in question).

Don't be confused; the stakes are _really_ high.

------
Spooky23
I think this makes the FBI look dumb, but I don't think this really helps them
either.

If the NSA did this for espionage it's one thing, but I'm curious as to
whether substantially modifying the iPhone in this way would stand up in
court.... How would the police assert that they preserved evidence after doing
this?

I was involved in a drawn-out case that challenged the validity of data recovered
from backup at great. That was easy to assert with normal IT people, and yet
it took weeks to litigate. Couldn't imagine how this would go.

~~~
boosting6889
They're not looking to prosecute anyone (defendant is dead); presumably
they're trying to recover info that could lead to more terrorists/plots.

~~~
lswainemoore
Yes, but presumably they might want to bring what they find as evidence in
such future cases.

~~~
kabdib
Heck, they can just use "parallel construction" and lie their teeth off, as
usual.

------
iLoch
I wonder if the FBI has checked for any ways to circumvent the passcode screen
using software bugs.

Edit: Not sure why I got downvoted. I can currently circumvent my keyboard
passcode with a number of steps, and I'm on iOS 9. Steps to try for yourself:

Edit: Ok I've been tricked. The steps below are unnecessary as the first step
actually unlocks your iPhone in the background. ¯\\_(ツ)_/¯ The fact remains
though that these bugs have existed in the past and may exist on the device
the FBI wants to unlock.

1. Invoke Siri, "what time is it?"

2. Press the time/clock that is shown

3. Tap the + icon.

4. Type some arbitrarily long string into the search box. Highlight that text
and copy it.

5. Tap on the search box. There should be a share option if your device is
capable. Tap the share option.

6. Share to messages.

7. Press the home button.

Congrats, you're more effective than the FBI.

~~~
knd775
Data is still encrypted in that state. The passcode screen is not what is
preventing access. That is how it works in Android (where a lockscreen is just
an app that is locked into the foreground), but not iOS. Bypassing the iOS
passcode entry screen gets you to a weird limbo-like state where a lot of
things don't work. I don't recall what that state is called.

~~~
tuxracer
This is not accurate regarding Android:
[http://www.zdnet.com/article/google-now-requires-full-device-encryption-on-new-android-6-0-devices/](http://www.zdnet.com/article/google-now-requires-full-device-encryption-on-new-android-6-0-devices/)

~~~
knd775
FDE on Android still leaves a lot to be desired. It hardly stands up to
Apple's implementation. The only time that any data is encrypted is when the
device is off or a volume is unmounted.

------
baldajan
This reminds me of the republican congressman from Cali, Issa, telling the FBI
in very technical terms (inserting in between that he could be completely
wrong) the exact same thing mentioned in this article. I'm unsure if the
author was inspired by congressman Issa or if he came to it by his own accord.

Moreover, what's more fascinating is, some people may say it's privacy v
security and the fight for terror. But what has emerged from the last few
weeks is multiple reasons why the FBI should not win in court, regardless of
your perspective of terror. It's been very clear from day 1 that the
intentions of the FBI are vicious and non-genuine, and with every passing day,
more people are finding out.

------
loumf
I wouldn't be so sure the FBI knows this. Apple certainly does -- if they told
the FBI, why didn't they also put that in their letter?

~~~
ebbv
If the FBI's technical teams can't figure this out they should all be fired
and it's all the more reason we shouldn't trust them with back doors into
anything.

------
ChuckMcM
Seems like a pretty articulate explanation of what is going on here. Of course
I realize that my confirmation bias will cause me to see articles more in line
with my way of thinking as 'right', but I've also worked with NAND flash
devices and believe that the chip[1] they use in the phone does not have any
sort of protections on the NAND flash itself; you should be able to just drop
it into a test fixture and read it out.

[1] [http://toshiba.semicon-storage.com/info/docget.jsp?did=15002&prodName=TH58NVG4S0FTA20](http://toshiba.semicon-storage.com/info/docget.jsp?did=15002&prodName=TH58NVG4S0FTA20)

------
albinofrenchy
Anyone else a little surprised that Apple's security feature here is so easy to
sidestep? I'd have thought, in the least, that any such keys were stored in
the main processor without external read/write capabilities.

~~~
brk
No, I'm not that surprised. I think this feature is intended to protect your
personal data from the casual iPhone thief or to minimize risk if you
lose/forget your iPhone somewhere. I don't think it was intended to be a
secure-from-governments kind of feature.

~~~
hollander
Guess again - it is! It's a work in progress, and on the 6S it has improved a
lot with the secure enclave in its own chip. It seems it will get even better,
with encryption in the icloud as well.

The SE uses a different key for each app, so even if you can decrypt one key,
you only get data from one app.

------
drivingmenuts
From the sound of various blogs, articles, etc., it sounds like the FBI
doesn't have anyone who has technical expertise in this area (or if they do,
those persons are being kept buried). While the court case is important to the
FBI (and very wrong to the public), the technical details of breaking into an
iPhone should not have been an issue for them.

I'm starting to think no one is driving the clown car in their technical
division.

~~~
mynameisvlad
Well, according to the congressional hearing (posted in another comment thread
on this post), the FBI has "engaged all parts of the US government" to try and
find a solution and came up with none. Which is funny, because the congressman
who was questioning Comey proposed essentially the same thing as this article.

------
kevin_thibedeau
> If it turns out that the auto-erase feature is on, and the Effaceable
> Storage gets erased, they can remove the chip, copy the original information
> back in, and replace it.

Sounds like a better hack would be to interpose the flash memory interface
with a RAM cache that simulates writes without modifying the original flash
data. Then they can hammer away at brute forcing it without the delay of
reburning the flash.

------
revelation
The ACLU is not wrong, they are right in the _technical_ sense.

But I very much doubt you would practically manage to remove that NAND chip
and replace it very often on that umpteen layer ultra thin board. Instead,
remove it once and stick it in a test fixture, then try brute forcing it.

~~~
edraferi
"Technically correct... the very best kind of correct!"

The bigger question here is: do you really want law enforcement to hack into
things as standard procedure? They certainly don't. It's difficult, expensive,
slow, and worst, unbound by law. It's a world where your privacy is exposed
based on the federal hacking budget rather than a judge's opinion about your
potential criminality.

It's much better for law enforcement to be constrained by law than technical
ability.

------
Aoyagi
Sorry about the slight OT, but what truth is there in this statement I was
presented with?

>Even if an iPhone is locked, all of that encrypted data can technically be
read easily so long as the phone had at least been unlocked once since the
time it was booted up.

Obviously I think it's a nonsense, but I have no way of disproving it (even
though the burden of proof is on the claimer, naturally).

Edit: OK I found this
[http://www.darthnull.org/2014/10/06/ios-encryption](http://www.darthnull.org/2014/10/06/ios-encryption)
so never mind, I guess...

------
payne92
This attack was already widely discussed here, last week:
[https://news.ycombinator.com/item?id=11199093](https://news.ycombinator.com/item?id=11199093)

------
emcq
Maybe there exist experts that can get this right every time, but there are
significant risks to damaging a chip desoldering and resoldering. It's not
just removing a through hole capacitor.

~~~
timv
Yet the FBI's official plan is to get Apple to assign a few developers to put
together a custom version of iOS that they trust will overcome all risk of
erasing the device.

Is there a reason we should have confidence in software engineers rather than
electrical engineers?

~~~
keithnz
sw can test it on another phone till they get it right....EEs can only
practice on another phone, if they screw up on the actual phone, it's gone
burger

------
ldom66
Never attribute to malice that which can be attributed to stupidity. Some
engineer probably told upper management they couldn't decrypt the phone
because the software would erase all data. Maybe because they didn't know, or
didn't want to, but still this has blown out of proportion.

To be clear I don't think apple should compromise the phone, just that this is
not a long con by the FBI to compromise all phones.

~~~
oldmanjay
There needs to be a corollary considered here, possibly something like "never
invoke the stupidity out lane for those who have previously demonstrated their
malice"

------
SocksCanClose
the most frustrating part of this whole thing is the multi-headed response by
various agency chieftains. fbi says one thing. nsa says another. former
generals say another.

am i crazy to want the president step up and say: "our position as a
government is: x"? there's no/no way this has escaped his notice. isn't that
part of the job description of "leader of the free world?"

~~~
edraferi
The executive branch is a big organization. Each agency has a different
mission, culture and authorities (legal powers). The cryptowars are a complex
issue, so it makes sense that the agencies have different takes on it.

I agree that the government should have a unified view on all this. However,
it should come from CONGRESS, not the President. This is clearly an area where
our democracy needs to make a decision about how we govern ourselves, then
enshrine that decision in law, then follow that law.

------
zaroth
Relevant grant from the Department of Homeland Security from 2011:
[https://www.sbir.gov/sbirsearch/detail/361729](https://www.sbir.gov/sbirsearch/detail/361729)

I'm surprised someone at Uni hasn't made demonstrating this exact attack a
class project.

------
bertil
What strikes me as odd in all those analyses is that they all assume that the
FBI is not expecting that weakened security will mean that there will be far
more difficult-to-address crime -- i.e. far more on their plate.

------
darksim905
I don't know why this case is getting so much attention when it's readily
apparent the FBI could just get everything off the phone with a Cellebrite &
call it a day.

------
differentView
> Why the FBI can easily work around “auto-erase”

If it's so easy, then the ACLU should have no problem demonstrating it with an
actual iPhone 5c.

------
pbkhrv
How practical is it to remove-restore-replace the NAND chip every 10 tries if
you have to search through millions of combinations?

~~~
voxic11
Where do you get the millions of combinations figure?

~~~
CIPHERSTONE
Maybe it was a typo and he meant to say: >You see, a six digit passcode has
one million possible combinations instead of 10,000.

~~~
pbkhrv
Wasn't a typo, I did mean "millions", see my comment above.

------
sabujp
so John McAfee was right?

------
lisper
This is really annoying. I wrote a blog post last week making this exact same
point, posted it here, and it promptly got flagged to death, most likely by
the same people who were commenting that I was "absolutely, totally wrong".

[https://news.ycombinator.com/item?id=11199093](https://news.ycombinator.com/item?id=11199093)

Nice to be vindicated though.

~~~
timr
To be fair, this isn't an especially relevant argument, even if it's true.

The FBI isn't going to rip open a phone, unsolder a chip and risk destroying
the device, when it can do what it's done successfully, many times in the
past, and ask Apple to unlock the phone for them:

[http://www.npr.org/2016/02/22/467602161/the-seeds-of-apples-standoff-with-doj-may-have-been-sown-in-brooklyn](http://www.npr.org/2016/02/22/467602161/the-seeds-of-apples-standoff-with-doj-may-have-been-sown-in-brooklyn)

This thread is a real-world demonstration of the XKCD comic about pipe-wrench
security:

[https://xkcd.com/538/](https://xkcd.com/538/)

Nerds think that proving that there's some theoretical, high-tech attack
against the _this specific phone_ means that the FBI should therefore lose.
But that's irrelevant. This case is about the pipe wrench.

~~~
csydas
Well, no, I think it's still very relevant.

To use the classic XKCD comic, the crux of the case is that FBI is the one
arguing the first panel (i.e., some bogus magical encryption we can never
break), and _because of that claim_ , they need to be able to compel Apple to
compromise the security features using the old wrench trick.

The reality of there being practical alternatives for the FBI to pursue should
give pause as to whether they can compel Apple to compromise the security
features, and arguably the method described/discussed is indeed very
practical.

All in all, it's less about the FBI's ability to do any of this and instead
more about "should they be allowed to force a company to do something like
this?". By demonstrating that the claim that it's impossible to proceed without
Apple's help is not true, I would think it should give pause to any court as
to how to rule, since the implication of the ruling is pretty big.

~~~
timr
The point is that the definition of "practical" is debatable -- any reasonable
person can see that there are more risks associated with mucking around with
the circuit board than having Apple install a custom software build, which
carries no technical risk at all.

It doesn't matter that you can come up with some theoretically plausible
attack that works in this one case. If it's harder or riskier or slower or
less effective than Apple _complying with the warrant_ , then the question
stands.

~~~
semiel
It actually seems clearly the opposite to me. This approach uses standard
tools and methodologies for which there are already experts. Asking Apple to
write new firmware has the potential of software bugs and similar unexpected
issues.

~~~
ins0
I agree with you. Writing a custom firmware on the device is on the same risk
level as desoldering the chip. In both cases it would be a smart option to
test these approaches on a different device first.

~~~
dlp211
The difference is that one of those options is nearly completely reproducible,
the other requires humans to deconstruct a device which introduces more
chances for things to go wrong.

------
officialchicken
Obligatory ACLU and EFF donate links, "Freedom isn't free":

[https://action.aclu.org/secure/become-freedom-fighter-join-aclu](https://action.aclu.org/secure/become-freedom-fighter-join-aclu)

[https://supporters.eff.org/donate](https://supporters.eff.org/donate)

~~~
joshstrange
Obligatory you can donate to the EFF via Amazon Smile:

EFF:
[http://smile.amazon.com/gp/chpf/search?ie=UTF8&q=Electronic%...](http://smile.amazon.com/gp/chpf/search?ie=UTF8&q=Electronic%20Frontier%20Foundation%20Inc)

ACLU:
[http://smile.amazon.com/gp/chpf/search?ie=UTF8&q=ACLU](http://smile.amazon.com/gp/chpf/search?ie=UTF8&q=ACLU)

And a Chrome plugin that I use to force the browser to the smile site:
[https://chrome.google.com/webstore/detail/smile-always/jgpmhnmjbhgkhpbgelalfpplebgfjmbf](https://chrome.google.com/webstore/detail/smile-always/jgpmhnmjbhgkhpbgelalfpplebgfjmbf)

I've never used this Firefox one but here's a link to a similar one for FF:
[https://addons.mozilla.org/en-US/firefox/addon/amazonsmileredirector/](https://addons.mozilla.org/en-US/firefox/addon/amazonsmileredirector/)

~~~
sosuke
I only recently learned about Amazon Smile. Awesome stuff!

------
JaRail
This article seems wrong to me. I don't know a ton about the iPhone's specific
implementation. That said, I was under the impression that these systems all
worked similarly to the PC's TPM. Essentially, the encryption key is stored in
a chip that acts as a black box. That chip is manufactured in such a way that
makes it extremely difficult to extract data from. You can't simply copy it.
You'd have to take it apart, inspect it with a microscope, and hope you don't
destroy the data in the process.

The OS should set the security level initially. The TPM would enforce it. You
can't modify the OS to make an attempt without it counting against the
initially configured limit.

[https://en.wikipedia.org/wiki/Trusted_Platform_Module](https://en.wikipedia.org/wiki/Trusted_Platform_Module)

~~~
zwerdlds
Not for the 5S. The iPhone TPM (or "Secure Enclave") is available on the A7
processor and above. The 5S includes an A6.

~~~
DoritosMan
I think you mean the 5C.

~~~
amckenna
Correct, the phone in question is a 5C, the 5S has the TouchID sensor and
therefore the Secure Enclave (TPM).

------
sathackr
With 14 million combinations just in a 4 character
alphanumeric(upper/lower/numbers) password, I would think they would start to
encounter flash reliability issues re-writing this "Effaceable Storage" long
before the password could be broken.

This would also slow down their attack considerably.

I disagree that the claim is fraudulent.

~~~
tyre
I believe the passcode is only 4 numbers, not alphanumeric.

~~~
athenot
The passcode can be alphanumeric. It's user-configurable.

[http://www.engadget.com/2014/03/05/how-to-set-up-a-complex-passcode-on-your-ios-device/](http://www.engadget.com/2014/03/05/how-to-set-up-a-complex-passcode-on-your-ios-device/)

~~~
sathackr
thank you. I just assumed it was configurable, like Android, but, with the
downvotes, I thought I was wrong.

Of course it would take much less time for a 4-digit numeric code -- but AFAIK
at this point the length of the password is unknown, so, the ACLU claiming
fraud based on the assumption of the length of the password is not correct.

Lets see how many more DVs I can get.

~~~
URSpider94
When you tap the home button on an iPhone, it shows you empty circles
indicating how many characters are in the passcode. It also varies the entry
keypad depending upon whether it's alphanumeric or numeric.

In other words, if you are holding the phone in your hand, you can figure out
how many digits the passcode is, and whether it's alphanumeric or just
numeric, without entering a single character.

------
timr
_" The FBI can simply remove this chip from the circuit board (“desolder” it),
connect it to a device capable of reading and writing NAND flash, and copy all
of its data. It can then replace the chip, and start testing passcodes. If it
turns out that the auto-erase feature is on, and the Effaceable Storage gets
erased, they can remove the chip, copy the original information back in, and
replace it. If they plan to do this many times, they can attach a “test
socket” to the circuit board that makes it easy and fast to do this kind of
chip swapping."_

Right. They _could_ do this, and risk destroying the device, or they could ask
Apple to do the easy, reliable thing, and just install a build on this phone
that allows brute-force attacks.

Given that Apple has a long history of complying with these kinds of requests
for valid search warrants, and that this situation is about as clear as it
gets when it comes to justifiable uses of government investigatory powers,
it's obvious why they're taking the latter approach, and not the former.

There's a legitimate privacy debate in this case, but this isn't it.

Edit: I'm just stating facts here, folks. Downvoting me won't change those
facts, or make the government change its tactic.
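The procedure quoted above, together with the two questions raised earlier in the thread (whether the escalating delay still bites once the NAND can be restored, and how practical "restore every 10 tries" is), as an added example that is not part of the ACLU article, of Apple's software, or of any post here: a small Python model of snapshot/restore brute forcing. Every number in it is an assumption chosen for illustration: that the wrong-guess counter and the effaceable-storage key sit in the NAND image (so restoring the image resets both), an approximate iOS 9 lockout schedule, 80 ms of on-device key derivation per guess, and 300 s per chip pull/reflash/reseat through a test socket. Change the constants to match whatever the real hardware costs.

```python
"""Added example for this thread, not code from the article, Apple or any
forensic tool: a model of 'image the NAND, brute force, restore on wipe'.
Assumptions (all adjustable): the wrong-guess counter and the effaceable
key are in the NAND image; lockouts approximate iOS 9 (none for the first
4 wrong guesses, then 1, 5, 15, 15, 60 minutes, 60 minutes thereafter when
auto-erase is off); auto-erase destroys the key on the 10th wrong guess."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

DELAY_BEFORE_NEXT_GUESS = {5: 60.0, 6: 300.0, 7: 900.0, 8: 900.0, 9: 3600.0}
WIPE_AFTER = 10          # wrong guesses before auto-erase fires (assumed)
ATTEMPT_SECONDS = 0.08   # assumed on-device key derivation per guess
SWAP_SECONDS = 300.0     # assumed cost of one NAND restore via a test socket


def delay_after(n_wrong: int) -> float:
    """Lockout the device imposes before the next guess, given n_wrong failures."""
    return DELAY_BEFORE_NEXT_GUESS.get(n_wrong, 3600.0 if n_wrong >= 10 else 0.0)


@dataclass
class NandImage:
    """The part of the flash contents this attack cares about."""
    wrong_guesses: int = 0
    effaceable_key: Optional[bytes] = b"stand-in for the wrapped class keys"

    def copy(self) -> "NandImage":
        return NandImage(self.wrong_guesses, self.effaceable_key)


class DeviceWiped(Exception):
    """A guess was attempted on a copy whose key has already been erased."""


class Device:
    def __init__(self, passcode: str, nand: NandImage, auto_erase: bool = True):
        self._passcode = passcode   # the oracle's secret; the attacker never reads it
        self.nand = nand
        self.auto_erase = auto_erase

    def try_passcode(self, guess: str) -> tuple[bool, float]:
        """Return (unlocked, seconds spent); updates the counter stored in NAND."""
        if self.nand.effaceable_key is None:
            raise DeviceWiped
        spent = delay_after(self.nand.wrong_guesses) + ATTEMPT_SECONDS
        if guess == self._passcode:
            self.nand.wrong_guesses = 0
            return True, spent
        self.nand.wrong_guesses += 1
        if self.auto_erase and self.nand.wrong_guesses >= WIPE_AFTER:
            self.nand.effaceable_key = None      # data on this copy is now gone
        return False, spent


@dataclass
class Result:
    found: Optional[str]
    wall_seconds: float   # elapsed on the copy that found it (or the slowest copy)
    restores: int         # chip swaps performed on that copy
    guesses: int          # guesses made on that copy


def numeric_passcodes(length: int) -> Iterator[str]:
    for i in range(10 ** length):
        yield f"{i:0{length}d}"


def attack(passcode: str, candidates: Iterable[str],
           restore_every: Optional[int] = None, workers: int = 1) -> Result:
    """restore_every: restore the snapshot after this many guesses on a copy
    (None = only after the device wipes). workers: identical copies attacked
    in parallel on separate boards, each taking every `workers`-th candidate."""
    cands = list(candidates)
    snapshot = NandImage()            # read off the chip before the first guess
    slowest = 0.0
    for w in range(workers):
        dev = Device(passcode, snapshot.copy())
        elapsed, restores, guesses, since_restore = 0.0, 0, 0, 0
        for guess in cands[w::workers]:
            if restore_every is not None and since_restore >= restore_every:
                dev.nand, since_restore = snapshot.copy(), 0   # reset counter and lockout
                elapsed, restores = elapsed + SWAP_SECONDS, restores + 1
            try:
                ok, dt = dev.try_passcode(guess)
            except DeviceWiped:
                dev.nand, since_restore = snapshot.copy(), 0   # put the key back
                elapsed, restores = elapsed + SWAP_SECONDS, restores + 1
                ok, dt = dev.try_passcode(guess)
            elapsed, guesses, since_restore = elapsed + dt, guesses + 1, since_restore + 1
            if ok:
                return Result(guess, elapsed, restores, guesses)
        slowest = max(slowest, elapsed)
    return Result(None, slowest, 0, len(cands))


if __name__ == "__main__":
    for kw in ({}, {"restore_every": 5}, {"restore_every": 5, "workers": 10}):
        r = attack("9999", numeric_passcodes(4), **kw)
        print(kw, f"{r.wall_seconds / 86400:.1f} days, {r.restores} restores")
```

With these made-up costs the point of the model is where the restore is scheduled, not whether it is possible: restoring only after the wipe pays the full lockout ladder on every copy and takes about 70 days worst case for a 4-digit code on one board, while restoring every 5 guesses, before the first lockout, takes about 7 days on one board and under a day on ten, because a restored image carries a zero counter and therefore no pending delay. A 6-digit code multiplies every figure by 100, and a 4-character alphanumeric one by about 1,500.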

~~~
facetube
When has Apple complied with a warrant that sought to compel a digital
signature?

~~~
timr
They're not being asked to provide "a digital signature". They're being asked
to enable a brute-force attack on a single phone. Here's the full text of the
request:

[http://www.ndaa.org/pdf/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf](http://www.ndaa.org/pdf/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf)

Order #2 is the relevant order. But to answer your question, they've complied
with similar warrants on at least 70 cases in the past:

[http://www.npr.org/2016/02/22/467602161/the-seeds-of-apples-standoff-with-doj-may-have-been-sown-in-brooklyn](http://www.npr.org/2016/02/22/467602161/the-seeds-of-apples-standoff-with-doj-may-have-been-sown-in-brooklyn)

The only difference in this case is whether or not the FBI can compel Apple to
make and install a custom build of iOS to crack the phone.

~~~
mikeash
"Make and install a custom build" means compelling a digital signature, since
the custom OS build must be signed before the device will accept it.

~~~
timr
That's a distinction without a difference. Presumably Apple has done signed
custom installs on the ~70 other iPhones they've brute-forced under warrant,
because signed firmware has existed on iOS since (IIRC) the iPhone 3G.

In any case, the legal question has nothing to do with encryption. It's an
incidental detail.

~~~
mikeash
Those 70 other cases didn't involve installing a custom OS. They were running
older OSes that did not do as good a job protecting the user's data, and thus
could be attacked without any changes to the OS. The whole reason this thing
has blown up now is because Apple finally improved their security to the point
where the old attacks no longer work.

~~~
timr
You are wrong. Apple cracked the other phones by installing software that
brute-forced the password. They didn't have someone sit there and punch in
10,000 codes like a monkey.

Moreover, Apple won't comply with valid warrants for phones running iOS7, so
it doesn't really have anything to do with the security of the OS. This
started only because a federal judge made an issue of the legal justification
for the first time ever:

[http://arstechnica.com/tech-policy/2015/10/feds-since-apple-can-unlock-iphone-5s-running-ios-7-it-should/](http://arstechnica.com/tech-policy/2015/10/feds-since-apple-can-unlock-iphone-5s-running-ios-7-it-should/)

~~~
facetube
Again, do you have any evidence whatsoever for your claim that a piece of
brute-forcing software written by Apple already exists?

~~~
timr
How about the fact that these tools have existed in the public domain for
every version prior to iOS8, plus the fact that Apple could do this _in Apple
stores_ for customers, plus basic common sense?

[http://www.ibtimes.co.uk/translock-utility-ios-can-brute-force-passcode-jailbroken-iphone-1493296](http://www.ibtimes.co.uk/translock-utility-ios-can-brute-force-passcode-jailbroken-iphone-1493296)

But OK, if you insist...here's "evidence" straight from the EFF:

 _" For older phones with no encryption, Apple already had a software version
to bypass the unlock screen (used, for example, in Apple stores to unlock
phones when customers had forgotten their passcode)."_

[https://www.eff.org/deeplinks/2016/02/technical-perspective-apple-iphone-case](https://www.eff.org/deeplinks/2016/02/technical-perspective-apple-iphone-case)

And before you go there: whether or not you call this "brute forcing" is,
again, a distinction without a difference. The FBI wants access to a single,
password-protected phone, under warrant, and Apple has historically
_maintained custom software_ that helped them comply with these exact
requests. Nobody knowledgeable about this case _cares_ that the software has to
iterate through 10,000 numbers, or uses some other method to gain entry. They
just want the outcome.

~~~
facetube
Your first link requires an already-compromised boot path; it cannot be used
on the San Bernardino phone. Your second link describes software that only
works on unencrypted devices, which likely means it needs to be able to grab
the password hash directly (which it's free to then brute-force off-device,
avoiding the max-attempts erasure).

Whether Apple has previously signed a piece of PIN unlock software or not
completely misses the point: they decided to do that. They were not compelled.
They expressed trust in the software because they trusted it. Not because they
were forced to. Compelled speech is constitutionally prohibited.

Maybe give CVE-2014-4451 a try?

