How Apple could hack terrorist’s iPhone for FBI (if it wanted to)


[Image: "Open up! The FBI wants in." (alt text: "This tool can unlock any iPhone's PIN.") Photo: Jim Merithew/Cult of Mac]

A federal judge has ordered Apple to comply with the FBI’s demands to unlock the San Bernardino terrorist’s iPhone 5c. Apple CEO Tim Cook has boldly and politely refused. However, his reason has nothing to do with whether Apple has the ability to hack the iPhone.

It simply doesn’t want to.

Apple has spent the past few years making its devices more secure, most visibly with Touch ID and the Secure Enclave that arrived with the iPhone 5s. The iPhone 5c has neither, so the FBI wants to brute-force the phone by guessing the terrorist's passcode. The problem is that iOS can be set to erase the device after ten wrong guesses, and it also imposes escalating delays between attempts. So the FBI drew up a plan for how Apple can help the bureau get around both.

In a court filing posted yesterday, the FBI detailed three things it wants Apple to change on the terrorist’s iPhone 5c:

1 – Bypass or disable the auto-erase function whether or not it has been enabled;
2 – Enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE;
3 – Ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Essentially, the FBI doesn't want to be tapping passcodes into the iPhone 5c's screen for the next 20 years. So the bureau is asking Apple to modify iOS so the FBI can submit an unlimited number of passcodes electronically, as fast as the hardware can check them (roughly one guess every 80 milliseconds, the time the device takes to derive the encryption key from a passcode), with no wipe and no software-imposed delay after wrong guesses.

To remove those restrictions, Apple would have to build a custom version of iOS. Apple has built custom firmware for law enforcement before that got around the lock screen on older devices; since iOS 8, however, user data is encrypted by default under keys derived from the passcode and a key burned into the phone's hardware, so the feds (and Apple itself) can't read it without getting past passcode entry.

The FBI can't write its own iOS build and sideload it through DFU mode, because the phone's boot chain will only run firmware signed with Apple's private signing keys, which the agents don't have. The court order therefore demands that Apple provide the FBI with a signed iPhone Software file that is coded to load only on the terrorist's phone and runs from RAM without modifying the system or user data on flash, and then give the bureau remote access to the device so agents can feed it passcodes.
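The reason the signing key matters is easiest to see in code. The following is an added illustration, not Apple's code or format: Apple's boot chain uses its own image format and signature scheme and ties an image to the phone's ECID at signing time, whereas this toy uses Ed25519 from Go's standard library and a made-up layout of device ID plus payload. It plays out the four cases the article implies: a vendor-signed image personalised for the target boots; the same file on another phone, an image signed by someone without the vendor key, and a genuine image patched after signing are all refused. Device IDs and the payload string are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a toy firmware image: a payload plus the unique ID of the one
// device it may run on. Apple ties real images to a phone's ECID during
// signing; this layout and the use of Ed25519 are assumptions made here
// for illustration, not Apple's format.
type Image struct {
	DeviceID uint64
	Payload  []byte
	Sig      []byte
}

// signedBytes is the exact byte string the signature covers: the device
// ID first, then the payload, so neither can change without breaking it.
func (img *Image) signedBytes() []byte {
	buf := make([]byte, 8, 8+len(img.Payload))
	binary.BigEndian.PutUint64(buf, img.DeviceID)
	return append(buf, img.Payload...)
}

// Sign personalises a payload for one device and signs it. Only the
// holder of the vendor's private key can produce an image that passes
// BootCheck under the matching public key.
func Sign(priv ed25519.PrivateKey, deviceID uint64, payload []byte) *Image {
	img := &Image{DeviceID: deviceID, Payload: payload}
	img.Sig = ed25519.Sign(priv, img.signedBytes())
	return img
}

// BootCheck is what a boot ROM with a pinned vendor key does before it
// will execute an image: verify the signature, then check that the image
// was personalised for this device and not merely copied from another.
func BootCheck(pinned ed25519.PublicKey, thisDevice uint64, img *Image) error {
	if !ed25519.Verify(pinned, img.signedBytes(), img.Sig) {
		return errors.New("rejected: not signed by the vendor key, or modified after signing")
	}
	if img.DeviceID != thisDevice {
		return errors.New("rejected: image is personalised for a different device")
	}
	return nil
}

// Scenario plays out the cases from the article and reports which images
// the boot check would actually run. Keys are generated fresh on each run;
// the device IDs and payload are constructed values.
func Scenario() map[string]bool {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, outsiderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const target, other uint64 = 0x5B1234, 0x9999
	payload := []byte("iOS build with auto-erase and retry delays removed")

	boots := func(dev uint64, img *Image) bool { return BootCheck(vendorPub, dev, img) == nil }
	results := map[string]bool{}

	// 1. Vendor-signed, personalised for the target phone: boots there.
	genuine := Sign(vendorPriv, target, payload)
	results["vendor-signed on target"] = boots(target, genuine)

	// 2. The same file loaded on a different phone: rejected.
	results["vendor-signed on other device"] = boots(other, genuine)

	// 3. Someone without the vendor key signs their own build: rejected.
	forged := Sign(outsiderPriv, target, payload)
	results["outsider-signed on target"] = boots(target, forged)

	// 4. A genuine image with one payload byte patched after signing: rejected.
	patched := &Image{DeviceID: genuine.DeviceID, Sig: genuine.Sig,
		Payload: append([]byte(nil), genuine.Payload...)}
	patched.Payload[0] ^= 0xff
	results["vendor-signed then patched"] = boots(target, patched)

	return results
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-32s boots=%v\n", name, ok)
	}
}
```

Case 2 is why the order asks for a file coded to the one phone: personalisation is part of the signed bytes, so the signature itself is what stops the image from being carried to another device. Case 3 is the FBI's position: without the private key, nothing it signs will pass the pinned-key check, whatever the payload does.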

All of this could happen at an Apple facility, with the feds never handling the firmware themselves, or so the order says. The problem is that it would amount to a master key for every digital safe Apple has built: Apple would be creating a hacking tool for the FBI and anyone else, potentially exposing millions of customers to attack if the firmware or the tooling behind it ever made it outside 1 Infinite Loop.

There may be ways to reach the FBI's goal without a special iOS build. A $300 brute-force box has been shown to recover a four-digit PIN in about 4.5 days, but it relies on a bug in iOS 8.0 and earlier (it cuts power before the failed attempt is recorded) that Apple fixed in iOS 8.1.1, and the phone in question is running iOS 9. Well-known iOS hacker Will Strafach, aka Chronic, also suggested on Twitter that other exploits might get into the iPhone.

“In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession,” Cook warned in his letter.

There's also a very real possibility that Apple could build this tool for the feds and it still wouldn't help with the iPhone 5c in question. If the San Bernardino shooter used a four-digit PIN, the proposed changes would let the FBI try one guess every 80 milliseconds and exhaust all 10,000 combinations in about 13 minutes; a six-digit PIN would take under a day. But if the phone is using an alphanumeric passcode, the keyspace grows so fast that removing the software limits barely matters: at 80 ms a guess, even six characters of mixed-case letters and digits would take well over a century.
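The arithmetic behind the 80 ms figure above and the passcode-length point in this paragraph, as an added cost model that is not part of the article and not Apple's code. It compares the worst-case search time for several passcode policies at the hardware floor alone (what the FBI is asking for) against stock iOS. The escalating delay schedule and the treatment of every failure past the ninth as a one-hour lock-out are assumptions for this model, based on Apple's published description of iOS at the time; the policies in main are constructed examples.

```go
package main

import (
	"fmt"
	"math"
)

// PerGuessSeconds is the hardware floor the FBI's filing works from:
// deriving the encryption key from a passcode guess takes about 80 ms on
// the device, and no firmware change can make that faster.
const PerGuessSeconds = 0.080

// Keyspace is the number of candidate passcodes for a policy: length
// symbols drawn from an alphabet of charset symbols (10 for digits,
// 62 for mixed-case letters and digits).
func Keyspace(length, charset int) float64 {
	return math.Pow(float64(charset), float64(length))
}

// HardwareOnlySeconds is the worst-case time to exhaust a keyspace once
// the three requested changes are in place: no wipe, guesses submitted
// electronically, and no software delay, so each try costs only the floor.
func HardwareOnlySeconds(keyspace float64) float64 {
	return keyspace * PerGuessSeconds
}

// throttleSeconds is the extra delay stock iOS imposes after the n-th
// consecutive failure. The schedule is an assumption for this model,
// based on Apple's published description of the era: 1 min after the 5th
// failure, 5 min after the 6th, 15 min after the 7th and 8th, 1 h after
// the 9th, and treated here as 1 h for every failure after that.
func throttleSeconds(failure int) float64 {
	switch {
	case failure < 5:
		return 0
	case failure == 5:
		return 60
	case failure == 6:
		return 5 * 60
	case failure <= 8:
		return 15 * 60
	default:
		return 3600
	}
}

// ThrottledSeconds is the worst-case time against stock iOS. The second
// result is false when the attack cannot be carried out at all: with the
// erase option on, the 10th wrong guess destroys the key, so a keyspace
// larger than 10 cannot be searched.
func ThrottledSeconds(keyspace float64, eraseEnabled bool) (float64, bool) {
	if eraseEnabled && keyspace > 10 {
		return 0, false
	}
	total := HardwareOnlySeconds(keyspace)
	failures := keyspace - 1 // worst case: every guess but the last is wrong
	for f := 1; f <= 9 && float64(f) <= failures; f++ {
		total += throttleSeconds(f)
	}
	if failures > 9 {
		total += (failures - 9) * throttleSeconds(10)
	}
	return total, true
}

// Human renders seconds at a scale a reader can compare.
func Human(seconds float64) string {
	switch {
	case seconds < 3600:
		return fmt.Sprintf("%.0f minutes", seconds/60)
	case seconds < 86400:
		return fmt.Sprintf("%.1f hours", seconds/3600)
	case seconds < 365.25*86400:
		return fmt.Sprintf("%.0f days", seconds/86400)
	default:
		return fmt.Sprintf("%.0f years", seconds/(365.25*86400))
	}
}

func main() {
	policies := []struct {
		name            string
		length, charset int
	}{
		{"4-digit PIN", 4, 10},
		{"6-digit PIN", 6, 10},
		{"6-char alphanumeric", 6, 62},
		{"8-char alphanumeric", 8, 62},
	}
	for _, p := range policies {
		ks := Keyspace(p.length, p.charset)
		fmt.Printf("%-20s hardware floor only: %s", p.name, Human(HardwareOnlySeconds(ks)))
		if t, ok := ThrottledSeconds(ks, false); ok {
			fmt.Printf("; stock iOS, erase off: %s", Human(t))
		}
		if _, ok := ThrottledSeconds(ks, true); !ok {
			fmt.Print("; erase on: wiped after 10 guesses")
		}
		fmt.Println()
	}
}
```

Two things fall out of the model. With the erase option on, no keyspace beyond ten guesses can be searched at all, which is why item 1 of the order comes first. And the 80 ms floor is what makes passcode length decisive once the software limits are gone: four digits is minutes, six digits is hours, and six mixed-case alphanumeric characters is already more than a century.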

“While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products,” warned Cook. “And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”

  • It’s not that they don’t want to hack the phone for the authorities. It’s that they don’t want to create the tool for the FBI to hack the phone. The court order says ‘make custom firmware and give it to the FBI’ and that’s not something Apple is going to do.

    • BusterH

      so what you’re saying is they don’t want to?

      • James Foreman

        They don’t want to permit unfettered access, yes. I doubt they’d say no to a request for the iPhone to be remotely unlocked, and then the contents of the phone transferred to the FBI with no access to the ‘tools’ used for the hacking.

      • I was really just trying to clarify the ask. Some people online were talking like Apple won’t help law enforcement, but that’s not true. They will assist with a court order for a reasonable request. This case is about an unreasonable request.

  • bswigart

    Don’t do it, creates a precedent for all future cases by all sorts of agencies and hackers and even terrorists (domestic or otherwise).

    • minime13

      The precedent was created the first time Apple created custom firmware to help.

      They could easily make this new custom firmware obsolete in their next update.

      This is Apple getting some free publicity when they need it, because their stock and sales have been tanking in the past few months.

  • Juniper

    Isn’t some of the data from texts and phone calls stored in the cloud where it could be accessed by the FBI?

    • RL

      No. Apple has said it does not store iMessage data and is not provided with the encryption keys to decrypt messages on the fly as the messages pass through their servers.

      Now if you’re using SMS and not Apple’s messaging protocol (such as messaging with a non-iOS phone where the text is green and not blue), that’s a different matter. AT&T, Sprint, Verizon, etc. might be holding onto those.

  • RL

    The FBI isn’t being terribly clever about this. Why ask Apple to jump through hoops to allow the FBI to brute force the phone’s password protection? If you extend things far enough, all Apple has to do is to create an iOS patch that completely removes the need for a password entirely. Or change the password validation code to accept anything as a valid password. Why spend all that time creating software that only goes halfway?

  • I don’t get it, in order to install this custom firmware, they’d have to install it over the existing one, thus deleting any data in the process, is that right?

    • Ben Durham

      I don’t think so. If I’m right, firmware updates usually don’t involve the part of memory where the user’s files are stored. Either that or the files get moved out of the way, then replaced.

      • Correct. That’s what happens when you jailbreak. Hell, maybe the FBI should just jailbreak the damn thing now that that’s legal.

  • lam

    I'm Chinese, in China, and have never been to the U.S. I can't understand why Americans think people's privacy is more important than people's lives. In China, everyone believes that staying alive is the no. 1 factor: "when people die, everything is gone." Do these people who insist on mobile phone privacy have the courage to face the victims' family members? So selfish and shameless —— sacrificing others' lives to protect your own privacy in exchange.

    • tralalalalalala51

      In China, your lack of privacy does get people arrested and killed. Especially human rights activists.

      In the fight against tyranny you always have to defend the most despicable humans first.

  • ZRB

    How do you install an updated iOS on a locked device? You can't do it from the phone because it's locked, and if you connect it to a computer it will tell you to unlock it before it can install it. The only way I can think of to do it would be to put the phone in DFU mode and install from the computer, but that would erase the device.

    • Anton Atanasov

      Not the case with the iPhone 5C in question and the iOS version it’s running.

      • ZRB

        Explain how. It's been since long before the 5C that you haven't been able to install an iOS update onto a locked phone.

  • applechic515

    I just find it so hard to believe that the FBI can’t do this without Apple being involved. Am I alone here? They are the FBI, aren’t they? And is this the first terrorist ever to use an iPhone?

  • arnbar

    I still don't get it. If a totally trustworthy, unimpeachable Apple engineer creates the hacking tool or whatever is needed to access the data (maybe with Tim Cook sitting there watching the process) and the data is privately extracted and only the data delivered to the FBI and then this workaround software is either destroyed or secretly secured, what is the danger to the rest of us? Supposing this was a case where 100 or 1,000 people were killed and it was likely that many more accomplices were involved (not to diminish the crime that was committed), shouldn't legally authorized investigators be able to access the contact list of a perpetrator? Couldn't you have this software as an Apple proprietary "secret weapon" of sorts for only this kind of situation? The whole thing about the NSA is that they circumvent the legal system. If a judge sees due cause for police to enter a house and issues a warrant, it is specific and accepted by society. It seems to me that Apple must not trust its own personnel to keep the substitute OS or whatever it is secure.

    I would also add that the agreement should state that this system be implemented only in extraordinary cases of terrorism or national security, not everyday criminality.

    Explain this to me like I’m 5 years old.

  • chevyclutchfoot

    It seems to me that the FBI doesn't really need custom firmware created – they could do that themselves, but they can't get the firmware to run unless it's properly signed. So what they need is the private encryption key that Apple uses to sign its firmware. Presumably that's some kind of hash that's hashed from the same key and probably a checksum for all firmware ever put out — or whichever will be put out — on iOS 8 devices. Once the private key that goes with the checksum is released, really anyone could write firmware that would allow the device to be brute forced.
    Why doesn't the FBI just ask for the private key and write the firmware itself? I want to float a conspiracy theory here: I think the government already has that private key to make a signature, either by social engineering or by quantum analysis. I think it doesn't want to admit it has the key because that would expose that either it had a mole inside Apple or it had a quantum computer capable of hashing out a 2048-bit key. Or both. It also doesn't want it known that the key is in the wild – or would be in the wild – if Apple simply handed it over to them. That's why they are insisting on Apple writing the brute-force-friendly firmware and signing it themselves.
    Any takers on this one?