How Apple could hack terrorist’s iPhone for FBI (if it wanted to)

Open up! The FBI wants in.
Photo: Jim Merithew/Cult of Mac

A federal judge has ordered Apple to comply with the FBI’s demands to unlock the San Bernardino terrorist’s iPhone 5c. Apple CEO Tim Cook has boldly and politely refused. However, his reason has nothing to do with whether Apple has the ability to hack the iPhone.

It simply doesn’t want to.

Apple has spent the past few years making its devices more secure by adding Touch ID and a secure element. The iPhone 5c doesn’t have Touch ID, though, so the FBI wants to brute-force unlock it by guessing the terrorist’s PIN. The problem is, iOS will automatically wipe the device after too many unsuccessful attempts — and iOS also delays how often you can guess a passcode. So the FBI created a plan for how Apple can help the bureau get around it.

In a court filing posted yesterday, the FBI detailed three things it wants Apple to change on the terrorist’s iPhone 5c:

1 – Bypass or disable the auto-erase function whether or not it has been enabled;
2 – Enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT DEVICE;
3 – Ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.

Essentially, the FBI doesn’t want to physically enter passcodes on the iPhone 5c’s screen for the next 20 years. So the bureau is asking Apple to hack iOS to let the FBI submit an unlimited number of PINs electronically as fast as the hardware can handle it (one passcode every 80ms) without any delays for wrong guesses.

In order for Apple to remove those restrictions, it would have to create a custom version of iOS. Apple has created custom firmware for law enforcement before that bypasses the lock screen; however, ever since iOS 8 encrypted data by default with a PIN and hardware key, the feds can’t access any data without breaking through the PIN entry.

The FBI can’t create its own iOS firmware and sideload it through DFU mode on the iPhone because the agents do not have access to the keys Apple uses to sign the firmware. The federal court order demands that Apple provide the FBI with a signed iPhone Software file that can only run on the RAM of the terrorist’s iPhone, and then give the bureau remote access to the device.

All of this could be done on Apple’s campus, without the feds getting their hands in on the action, or so they claim. The problem is that it would essentially create a master key to every digital safe Apple’s built. Apple would be creating a hacking tool for the FBI and others, potentially exposing millions of customers to attack if the firmware makes it outside 1 Infinite Loop.

There could be alternative methods of accomplishing the FBI’s goal without creating a special iOS firmware. This brute force hacking machine only costs $300 and can unlock any iPhone PIN in 4.5 days (as long as it’s running iOS 8 or lower). Infamous iOS hacker Will Strafach, aka Chronic, also suggested on Twitter that it could be possible to get into the iPhone using other exploits.

“In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession,” Cook warned in his letter.

There’s also a very real possibility that Apple could create this hacking tool for the feds and it won’t even help them with the iPhone 5c in question. If the San Bernardino shooter used a four-digit PIN for his passcode, the proposed hack would allow the FBI to guess one PIN every 80 milliseconds and break into the device within 30 minutes. But if the recovered iPhone is using an alphanumeric password, the changes are unlikely to provide a big enough boost to speed up the guesswork.
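To put numbers on that last point, here is an added estimate (not part of the article, and not Apple’s or the FBI’s code) of how long an unrestricted search takes at the 80 ms per attempt the filing quotes, for several passcode classes, and how little a guesser can do while auto-erase stays on. The erase threshold of 10 attempts used in the demo run is a constructed assumption for illustration, not a figure from the article.

```python
from dataclasses import dataclass

# Hardware-bound attempt rate quoted in the article: one passcode every 80 ms.
GUESS_SECONDS = 0.080


@dataclass(frozen=True)
class Passcode:
    """A passcode class described by its alphabet size and length."""
    name: str
    alphabet_size: int
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length


def worst_case_seconds(pc: Passcode, guess_seconds: float = GUESS_SECONDS) -> float:
    """Time to exhaust the whole space once the delay and auto-erase are removed."""
    return pc.keyspace * guess_seconds


def expected_seconds(pc: Passcode, guess_seconds: float = GUESS_SECONDS) -> float:
    """Mean time to hit a uniformly chosen passcode: half the space on average."""
    return worst_case_seconds(pc, guess_seconds) / 2


def success_probability_before_wipe(pc: Passcode, erase_after: int) -> float:
    """With auto-erase intact only `erase_after` guesses are ever possible."""
    return min(erase_after, pc.keyspace) / pc.keyspace


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


POLICIES = [
    Passcode("4-digit PIN", 10, 4),
    Passcode("6-digit PIN", 10, 6),
    Passcode("6-char lowercase+digits", 36, 6),
    Passcode("8-char mixed-case+digits", 62, 8),
]

if __name__ == "__main__":
    for pc in POLICIES:  # erase threshold of 10 below is an assumed value, not from the article
        print(f"{pc.name:26s} keyspace={pc.keyspace:>16,d} worst={humanize(worst_case_seconds(pc)):>13s} "
              f"mean={humanize(expected_seconds(pc)):>13s} "
              f"P(hit before wipe)={success_probability_before_wipe(pc, 10):.1e}")
```

A four-digit PIN falls in about 13 minutes worst case at that rate, comfortably inside the article’s 30-minute figure, while a six-character alphanumeric passcode already pushes the same search past five years.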

“While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products,” warned Cook. “And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”