Apple's fight with the FBI could trigger a password arms race

A U.S. magistrate's order requiring Apple to assist the FBI in unlocking a dead mass shooter's iPhone could lead device makers to require stronger passwords in future.

Apple’s dispute with the FBI over providing access to a mass shooter's smartphone could lead device makers to require stronger passwords in future.

Much of the debate around the issue has suggested that the FBI is asking Apple to break its encryption in order to gain access to the contents of a smartphone used by one of the perpetrators of the December shootings in San Bernardino.

But the case is as much about passwords as it is about encryption. The FBI wants Apple to override a mechanism on the iPhone that could erase the data on the device after 10 failed password attempts. Using a computer program, investigators can try out thousands of passwords until they hit on the one that works, in what’s known as a brute force attack.

If Apple is forced to comply, the agency would be able to crack a four-digit PIN in a matter of minutes, said Robert Graham, owner of security research firm Errata Security.

Regardless of how strong the underlying encryption is, the security protections are only as strong as the password. It’s a clever move by the FBI, which would gain access to the phone without tackling the much more challenging task of breaking the encryption.

It’s also a situation Apple might have avoided, by requiring stronger passwords sooner. But users still have the option to use a four-digit passcode that contains only numbers.

A six-digit PIN implemented in iOS 9 could take the FBI about 22 hours to crack, Graham wrote in a blog post. But if phone makers required users to create stronger passwords of six letters, or a combination of numbers and letters, they could take more than 300 years to crack.

Apple is fighting the request because, like many other tech firms, it doesn’t want to be in the business of deciding whether to hand its users’ data over to law enforcement. If smartphone makers require users to implement stronger passwords in future, they will make the FBI’s current strategy much harder.

The FBI's request for Apple to help break the password protection on the iPhone 5C in question is "relatively straightforward," said Amit Sethi, senior principal consultant for Cigital, a security-as-a-service vendor.

The 5C doesn't come with Apple's Secure Enclave chip-based encryption included with newer models, making it easier to defeat the password security, Sethi said by email.

"In this case, Apple can probably create a modified version of iOS that will only run on that particular device that will allow law enforcement to brute force the PIN/password used to protect the device," he said. "Even if that version of iOS gets in the wrong hands, it should not be usable on any other devices."

Without Secure Enclave, Apple could implement the password workaround through a "single firmware update," added Dan Guido, co-founder of the Trail of Bits security blog.

"In plain English, the FBI wants Apple to create a special version of iOS that only works on the one iPhone they have recovered," wrote Guido, a veteran security consultant. "The FBI will send Apple the recovered iPhone so that this customized version of iOS never physically leaves the Apple campus."

Magistrate Judge Sheri Pym originally gave Apple five days from Tuesday to respond to her order, but that deadline may be extended until next Friday. The U.S. Department of Justice weighed in on the case on Friday, filing a brief in support of the FBI's request.

This fight between Apple and the FBI is shaping up to be a major test case in a year-and-a-half-old argument over whether law enforcement agencies can require device and OS makers to help them defeat encryption and other security measures. Some legal experts predict the case could go all the way to the U.S. Supreme Court.

The judge's ruling, if it stands, opens the door to law enforcement agencies inside and outside the U.S. demanding technology companies help them break security measures in a wide range of scenarios, some unrelated to major police investigations.

The problem with the ruling is "the precedent that this sets," said Cigital's Sethi. "Will the U.S. government require Apple to build a backdoor into all Apple devices that takes away this protection and makes all users' devices less secure?"

The contents of the iPhone used by Syed Rizwan Farook, who killed 14 people in a mass shooting in San Bernardino, California, on Dec. 2, are key to an ongoing terrorism investigation, U.S. Attorney Eileen Decker of the Central District of California said this week.


Grant Gross

IDG News Service