
Apple Publicly Rejects Backdoored iPhone OS


A locked iPhone 5c has become the central focus in a mass shooting case which has ramifications for all iOS customers and devices. Apple has so far refused to provide a backdoored version of iOS to allow its contents to be read, and has instead published a public complaint about the US Government's overreach in this case. The EFF has since written in support of Apple's stance and plans to file an amicus brief.

In December 2015, two shooters caused one of the deadliest mass shootings in America, with 14 people dead and 21 people injured, in an attack on social services workers. Both suspects were shot and killed after the attack. An iPhone 5c with a passcode lock was recovered from the scene, and a judge has ordered Apple to help the FBI decrypt its contents in order to provide more information about who else might be connected to the incident.

The iPhone 5c is a cheaper version of Apple's smartphone, without the TouchID fingerprint sensor. Newer iPhones (and other devices) that have a TouchID sensor have an embedded security processor called the secure enclave, which is used to store private information such as the decryption keys necessary to mount the file system. Older iPhones running iOS 8 still have an encrypted file system, but the key is stored in a special location in flash memory that is not normally accessible to users.

In this case, the FBI is concerned that the device may have the 'wipe contents after 10 attempts' setting enabled, an iOS 8 option which wipes the decryption key if more than ten incorrect passcodes are attempted. Once the decryption key is removed, the contents of the file system become unreadable. In addition, the time between successive incorrect passcode attempts increases exponentially, so that brute force takes an increasing amount of time even if the automatic wipe isn't enabled.
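To make the two protections described above concrete, here is a small model of a passcode lockout policy. It is an added illustration and not Apple's code: the delay schedule is an assumption (the article only says that delays grow and that the key is wiped after ten failures), the PBKDF2 passcode check stands in for whatever iOS actually does, and `exhaustive_search_cost` simply sums the delays the policy would impose, which is the number a defender looks at when deciding whether such a policy is worth enabling.

```python
"""Model of an escalating-delay passcode lockout with wipe-after-N failures.

Added illustration, not Apple's code. The delay schedule below is assumed; the
article only says delays grow and that the key is wiped after ten failures.
"""
import hashlib
import hmac
import os

WIPE_AFTER = 10

# Assumed escalating schedule: seconds of delay imposed before attempt number n
# (counted from 1). Attempts 1-4 are free; later ones wait progressively longer.
DELAY_BEFORE_ATTEMPT = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600, 10: 3600}


def delay_before(attempt_number: int) -> int:
    """Seconds the device waits before accepting attempt `attempt_number`."""
    if attempt_number <= 4:
        return 0
    return DELAY_BEFORE_ATTEMPT.get(attempt_number, 3600)


class PasscodeGuard:
    """Toy keystore: the file-system key is released only on a correct passcode
    and discarded for good after WIPE_AFTER consecutive failures (if wipe is on)."""

    def __init__(self, passcode: str, wipe_enabled: bool = True):
        self._salt = os.urandom(16)
        self._digest = self._derive(passcode)
        self._fs_key = os.urandom(32)      # stands in for the key kept in flash
        self.wipe_enabled = wipe_enabled
        self.failures = 0                  # consecutive wrong guesses
        self.wait_seconds = 0              # simulated time spent in delays

    def _derive(self, passcode: str) -> bytes:
        # Slow hash so a single guess is itself expensive (assumed, not iOS's scheme).
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 50_000)

    @property
    def wiped(self) -> bool:
        return self._fs_key is None

    def try_unlock(self, guess: str):
        """Return the file-system key on success, None otherwise (always None once wiped)."""
        if self.wiped:
            return None
        # The delay is charged before the guess is even evaluated.
        self.wait_seconds += delay_before(self.failures + 1)
        if hmac.compare_digest(self._derive(guess), self._digest):
            self.failures = 0
            return self._fs_key
        self.failures += 1
        if self.wipe_enabled and self.failures >= WIPE_AFTER:
            self._fs_key = None            # key destroyed: contents unrecoverable
        return None


def exhaustive_search_cost(space_size: int, wipe_enabled: bool) -> dict:
    """Worst-case cost of trying every passcode against this policy.

    Returns how many attempts the device will actually accept and the total
    delay (seconds) those attempts accumulate. With wipe on, the device stops
    listening after WIPE_AFTER guesses; with wipe off, the delays alone bound
    how fast the whole space can be searched.
    """
    attempts = min(space_size, WIPE_AFTER) if wipe_enabled else space_size
    total_delay = sum(delay_before(n) for n in range(1, attempts + 1))
    return {"attempts_accepted": attempts, "delay_seconds": total_delay}


if __name__ == "__main__":
    guard = PasscodeGuard("1234")
    for wrong in ("0000", "0001", "0002"):
        guard.try_unlock(wrong)
    print("unlocked:", guard.try_unlock("1234") is not None)
    print("4-digit space, wipe on: ", exhaustive_search_cost(10_000, True))
    print("4-digit space, wipe off:", exhaustive_search_cost(10_000, False))
```

Under the assumed schedule a four-digit space with wipe enabled yields only ten accepted attempts, and with wipe disabled the cumulative delay alone runs to roughly 416 days, which is the "increasing amount of time" the article refers to. The order quoted below asks for exactly these two controls, plus the hardware-only delay, to be removed.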

As ArsTechnica reports, a judge has ordered Apple to assist in the decryption of the device by providing a special version of the iOS software which can be run, effectively bypassing the lock on the iPhone and thus accessing the data:

Apple's reasonable technical assistance shall accomplish the following three important functions:

  1. It will bypass or disable the auto-erase function whether or not it has been enabled;
  2. It will enable the FBI to submit passcodes to the subject device for testing electronically via the physical device port, bluetooth, wi-fi or other available protocols;
  3. It will ensure that when the FBI submits passcodes to the subject device, software running on the device will not purposefully introduce any delay between passcode attempts beyond which is incurred by Apple hardware.

Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the subject device. The SIF will load and run from RAM and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that it would only load and execute on the subject device. This SIF will be loaded via the Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI.

However, providing this may not be technically possible. As Robert Graham notes on Erratasec, DFU update mode requires entry of the very passcode that the operating system is asking for to unlock the iPhone. Without it, it may not be possible to upload a new image, specifically crafted or otherwise, without erasing the contents and laying down a fresh image.

The order doesn't ask Apple to reveal the passcode; merely to make it breakable within a reasonable amount of time by electronic means (instead of having to pay someone to sit typing 0000, 0001, 0002 ...). However, providing a version of the operating system that boots without a passcode undermines the security of the device. This in turn would provide a means for the backdoor to become widely available, defeating the security of iOS devices without TouchID and the secure enclave.

Recent stories about iPhones bricking themselves with an Error 53 message have occurred when the TouchID sensor is replaced, since a replaced sensor is a potential security leak. A class action lawsuit has now been filed against this behaviour, which some are calling anti-competitive but which Apple has deemed a security feature. The timing of this may be coincidental, but should a future version of the iOS software allow the private key to leak, the same situation may occur if a way is found to break into the enclave by bypassing the TouchID sensor connections.

However, Apple is not taking this court order, which rests on the All Writs Act of 1789, a law over 200 years old, lightly. It says that weakening the protection of one device will weaken the protection of all, allowing the FBI to use the image wherever and however they see fit to access any data on any iPhone. (Even if the specific software image had an embedded serial number check, it may be possible to work around that by technical means in the future.) In a rare public letter, Tim Cook has posted a message to all customers, saying that this unprecedented step oversteps the Government's authority:

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand. 

This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.

...

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

...

Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.

...

The implications of the government’s demands are chilling. If the government can use the All Writs Act to make it easier to unlock your iPhone, it would have the power to reach into anyone’s device to capture their data. The government could extend this breach of privacy and demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.

Opposing this order is not something we take lightly. We feel we must speak up in the face of what we see as an overreach by the U.S. government.

...

The full version of Apple's Customer Letter is made available here as a PDF.

Given that the two suspects in the case were shot dead on the day of the attack, one might argue that accessing the contents of the phone is moot. However, the specific case – whether the FBI or the Government can demand a backdoor – is far more chilling. Like a virus, once it has been created it will be possible for anyone to use, for good or for evil. Which side succeeds remains to be seen.
