Apple Executives Detail Scope Of FBI Request And Company’s Motivations For Not Complying

In a call with reporters today, Apple executives spoke in response to a motion the Justice Department filed today to force Apple to comply with a request from the FBI to provide access to the iPhone of Syed Farook taken as evidence in the case of the San Bernardino terrorist killings. Updates below.

The executives — speaking on background — also explicitly stated that what the FBI is asking for — for it to create a piece of software that allows a brute force password crack to be performed — would also work on newer iPhones with its Secure Enclave chip. Our previous reporting had included statements to this regard, but it’s worth reiterating. This is a battle Apple is fighting for all iPhones, not just older models.

Apple’s executives said that the methods the FBI are ordering it to use in bypassing the iPhone’s security could be used as a template or master key that could unlock more devices in the future. The FBI’s original order and the subsequent government filings have consistently stated that the kinds of access it is looking for would be limited to this single device.

The executives said that they were speaking about these details openly now because the filing from earlier today included numerous additional pieces of information, and characterized Apple’s refusal to comply with the order as a “marketing strategy”. A previous confidentiality agreement that Apple had been under prevented them from speaking of these details, but the public brief that the DOJ filed today openly talked about these items.

The executives also reiterated that they abhor terrorism, but that have opposed the order because they care deeply about protecting the safety of the majority of people who are not terrorists.

On the call today, a senior Apple executive said that they had been communicating with the government since January and had posed several different ways to get the information that the FBI says it needs. Those methods were rendered moot, said the executive, when the Apple ID password to the attacker’s account was changed less than 24 hours after the government took possession of the phone.

One such method involved utilizing a feature of iOS that connects to known WiFi networks to access the data on the device. During the attempts to leverage this method, the discovery was made that the Apple ID password had been changed while in government custody. The reset may have been performed by Farook’s employer, the San Bernardino County public health department, according to the DOJ filing.

Screen Shot 2016-02-19 at 5.15.56 PM

Update: Now, as noted by the San Bernardino Sun, the San Bernardino County twitter account has piped up, placing the blame on the FBI, who it says it was working with when it reset the password. “The County was working cooperatively with the FBI when it reset the iCloud password at the FBI’s request,” reads the tweet. This counters the early implied FBI narrative that a county employee reset the password without their influence, as seen in the filing above.

Update 2: In a statement on Saturday, the FBI confirmed that it worked with San Bernardino County officials to change the Apple ID password, preventing efforts to perform any further auto-backups of the device.

“The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data.  The reset of the iCloud account password does not impact Apple’s ability to assist with the the court order under the All Writs Act,” said FBI spokesperson Laura Eimiller in a statement which was sent from her iPhone. You can read the full statement here.

A senior Apple engineer responded to the FBI statement on Saturday evening, noting that the statement admits that the FBI admitted to changing the password, that this prevented access to the backups and that the backups did have forensic value.

This removal of a pathway to the iCloud backup on the part of the FBI, whether it was borne of impatience or some other motivation, could be characterized as willfully negligent forensic procedure. If, as the FBI statement indicates, they reset the iCloud password because they were impatient, then it did, as Apple characterizes it, cut off an avenue of investigation. This admission could come back to haunt the FBI in court, and forensics experts we’ve spoken to are shocked that this would have been allowed, much less encouraged.

The FBI also states that iCloud backups are not enough, that it needs to extract data from the device:

“Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains.  Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone.  As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.”

An apple engineer countered the narrative, characterizing iCloud backups as comprehensive.

This last chunk of the statement is odd for a couple of reasons. First, if the FBI is able to crack the passcode with Apple’s help, the only way it’s going to get data off of it is with an extraction tool that basically dumps a backup of the device using the iTunes backup method. That means they will get no more data than they will from an iCloud backup. There’s even an argument that they could get more data from an iCloud backup because of incremental backups. Second, if the FBI wants to truly extract more data from the device than a backup would give them, then it would need a second, more powerful decryption tool from Apple — and if it needs that tool, why didn’t it request it directly from Apple in the first order? Very strange.

Either the FBI needs more than it is saying, or it is wrong to say that the iCloud backups are not adequate.

Because the Apple ID password of Farook’s iPhone has been changed, the iPhone can not auto backup to iCloud, providing a new backup that Apple could access to extract the information that the FBI was after.

Apple has already complied with requests for access to iCloud backups of the device, which can be accessed even though the iPhone itself is locked and encrypted with a passcode. The last backup was performed on October 19th, 2015, several weeks before the attack was carried out. It is important to note, however, that since the Apple ID password had been changed, there is no way to tell whether Farook manually disabled the iCloud backups or not. The backups were apparently sporadic, which Apple believes left the door open for the possibility that they were not explicitly disabled.

The government’s request hinges on the information between the October 19th date and the date of the incident. In other words, if Apple could have triggered an iCloud backup, then it would have included the information that the FBI was after.

These methods, said executives, would have made it possible to deliver the information that was requested without Apple having to modify a special version of its iPhone software to create a “back door” into the device’s contents, bypassing the passcode. Once the password was changed, those methods became impossible.

Apple has a long history of providing data extraction services to government agencies, but these methods do not rely on it breaking passcodes, and only apply to iPhones running iOS 7 or previous. Since iOS 8 was released, the vast majority of information on any given iPhone is encrypted using the passcode, and unable to be accessed via extraction. This is the case with Farook’s iPhone 5c.

Apple did mention that the county agency Farook worked for installed some kind of management software on the phone, but specifics were not given. We are reaching out to the government to get characterization on what kind of device management software was installed on the iPhone and why it was not possible to use that software — common in enterprise environments like the agency that Farook worked in — to reset the password.

The executives characterized the government’s efforts as anything but being about a single device, pointing to the fact that Manhattan District Attorney Cyrus Vance has stated that he has 175 iPhones that he would like to unlock. “This has become, ladies and gentlemen, the wild west of technology,” Vance said at a conference, as reported by ABC. “Apple and Google are the sheriffs and there are no rules.”

The Apple executive also noted that no other government in the world — including China — has ever asked it to perform the kind of iPhone cracking that the FBI is asking it to do. But, if it were to comply, those requests would surely not be far behind.

The executive also indicated that it was fair to anticipate that Apple would continue to harden iPhone security to protect users against this kind of cracking, whether by Apple or otherwise.

Article updated to note Federal officials acknowledge the password reset.