The problem of law enforcement and encryption is mostly talked about in vague terms of “backdoors” and “a new Manhattan Project”, but here’s something concrete: a District Court Judge just ordered Apple to help the FBI access files on one of the iPhones of the San Bernardino shooters.
The ruling was handed down by Sheri Pym on Tuesday afternoon in a California district court. It doesn’t force Apple to bypass the device’s encryption, but rather to help the FBI brute-force the passcode:
Apple’s reasonable technical assistance shall accomplish the following three important functions: (1) it will bypass or disable the auto-erase function whether or not it has been enabled; (2) it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available on the SUBJECT and (3) it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware.
Apple has long maintained that following iOS 8, it can’t access information on a passcode-protected device. This ruling is kind of a way around that: it’s not mandating Apple to break the encryption per se, just help the FBI with what I assume is a very boring brute-force attack.
Apple has five business days to respond to the request, and it’s unlikely that the company is going to roll over, given its response to unlocking requests in the past. The Electronic Frontier Foundation also appears to be assisting in the fight.
Over the next few hours and days, critics are going to argue vehemently that Apple has a responsibility to assist law enforcement with unlocking devices, and in this particular case, it’s going to be difficult for the company to take the moral high ground.
But it’s worth remembering what’s at stake here: once law enforcement (and, inevitably, everyone who wants one) has a copy of Apple’s software (if it’s even possible to make!), any encryption unlocked by a four-digit PIN will be nullified. It doesn’t take that long to brute-force 10,000 permutations, especially if they don’t have to be manually entered. There’s also the legal precedent—compelling device manufacturers to write custom software to facilitate investigations is a slippery slope towards encryption backdoors.
For anyone saying that this is a capability the FBI needs going forward, it’s worth noting that this will be, at best, a one-trick pony. You can also secure your iPhone with a 20-character alphanumeric passcode, which is a hell of a lot harder to brute-force.