A Federal Judge has ordered Apple to create a security weakness in iOS so FBI agents can launch a brute-force attack on the passcode of an iPhone used by one of last year's San Bernardino shooters. The FBI says their scheme would be a one-off thing, but Apple says it'll open a hole that greatly reduces the security and privacy protections built into our iOS devices, and the company is right.
A Federal court says Apple has to make a hackable version of iOS for the FBI
Syed Rizwan Farook and Tashfeen Malik opened fire during a San Bernardino County Department of Public Health party on December 2, 2015, killing 14 people and injuring 22 more. They were tracked down later that day by FBI agents, who recovered their iPhones after the pair were killed in a shootout.
The FBI asked Apple to give them access to the encrypted data on one of the iPhones, which isn't possible because the security system built into the device was designed so Apple can't do exactly what the FBI was asking. The FBI characterized Apple's response as declining to voluntarily provide access to the device and took their fight to Federal Court in a move to force the company to do the impossible.
What the FBI has now asked for, and the court has agreed to, is for Apple to put together a special version of iOS that bypasses the built-in data wipe feature users can enable (which the domestic terrorists in this case presumably did) and turns off the delay imposed after failed login attempts. That gives the FBI the ability to use a brute-force attack to find the iPhone's passcode without risk of losing the data it contains.
The way the FBI plans to accomplish this was detailed in the court order:
Apple's reasonable technical assistance may include, but is not limited to: providing the FBI with a signed iPhone Software file, recovery bundle, or other Software Image File ("SIF") that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory. The SIF will be coded by Apple with a unique identifier of the phone so that the SIF would only load and execute on the SUBJECT DEVICE. The SIF will be loaded via Device Firmware Upgrade ("DFU") mode, recovery mode, or other applicable mode available to the FBI.
The FBI's assertion that they want Apple to introduce a security hole in just one iPhone sounds nice, but the reality is that once the security-weakened version of iOS is created, the door is open for serious abuse. It also opens a door for other governments to demand that Apple unlock iPhones for them, or hand over the FBI-mandated iOS for their own use.