San Bernardino County Calls the FBI Liars Over Terrorist's iCloud Account [Updated]

Late last night a Twitter account associated with San Bernardino County said that it worked under the direction of the FBI to reset Syed Farook’s iCloud password. Why does that matter? Because it would make the FBI liars. [Update, February 21st, 12:19pm: The FBI has now released a statement which we’ve published in full at the end of this post.]

As you probably know by now, the FBI has demanded that Apple break into the San Bernardino terrorist’s iPhone. Apple has refused, insisting that doing so would set a terrible precedent. But both the FBI and Apple are currently waging a fierce PR battle over one of the possible ways that information from the phone could’ve been retrieved in the early stages of the investigation: Hacking Farook’s iCloud password and causing his phone to push information to the cloud remotely.

In a filing yesterday the FBI claimed that the owner of the phone, San Bernardino County, had been the one who bungled the auto-backup of the phone to iCloud. San Bernardino County was Farook’s employer because he worked for the local Department of Health. The County technically owned the phone (emphasis mine):

[...] to attempt an auto-backup of the SUBJECT DEVICE with the related iCloud account (which would not work in this case because neither the owner nor the government knew the password to the iCloud account, and the owner, in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup) [...]


But San Bernardino County’s Twitter account (which remains unverified but appears authentic) now claims that it was working under the FBI’s orders. Specifically the tweet said, “The County was working cooperatively with the FBI when it reset the iCloud password at the FBI’s request.”

This statement contradicts both the FBI’s insinuations that San Bernardino County acted alone and the claims made by an anonymous source from the federal government contacted by ABC News. That source said that an IT employee working for San Bernardino County was not instructed by the FBI to attempt a password reset for Syed Farook’s iCloud:

The auto reset was executed by a county information technology employee, according to a federal official. Federal investigators only found out about the reset after it had occurred and that the county employee acted on his own, not on the orders of federal authorities, the source said.


Gizmodo was on a call with Apple executives late last night under strange conditions that there would be no direct quotes and no names. They used the word “government” when referring to who bungled the opportunity to force the back-up to iCloud. At the time, it seemed Apple was referring to the FBI without saying so directly. But Farook’s employer was the San Bernardino Department of Health, which is also a government agency.

This is all independent of the question over whether Apple should be compelled to unlock the terrorist’s 5c phone directly by hacking the passcode. Some have floated the idea that the phone should have been unlocked using the deceased terrorist’s fingerprint, but that wouldn’t have worked for a number of reasons—most importantly, the fact that the iPhone 5c doesn’t have a fingerprint scanner.


We’ve reached out to San Bernardino County for comment and will update this post when we hear back.

Update, February 21st, 12:19pm: The FBI released a statement to Ars Technica. Basically the FBI is now claiming two things: 1) Yes, the FBI ordered the reset of the password, and 2) The reset of the iCloud password is irrelevant to the court order that Apple should now unlock the terrorist’s iPhone by building a tool to crack the passcode on the device.


They insist that even if they hadn’t bungled the password reset, there’s still information that a forced iCloud backup wouldn’t have been able to retrieve on the phone. Thus, they think it’s irrelevant how or why the iCloud backup failed.

The full statement:


Recent media reports have suggested that technicians in the county of San Bernardino independently conducted analysis and took steps to reset the iCloud account password associated with the iPhone 5C that was recovered during a federal search following the attack in San Bernardino that killed 14 people and wounded 22 others on December 2, 2015. This is not true. FBI investigators worked cooperatively with the county of San Bernardino in order to exploit crucial data contained in the iCloud account associated with a county-issued iPhone that was assigned to the suspected terror suspect, Syed Rizwan Farook.

Since the iPhone 5C was locked when investigators seized it during the lawful search on December 3rd, a logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack. The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data. The reset of the iCloud account password does not impact Apple’s ability to assist with the court order under the All Writs Act.

The last iCloud data backup of the iPhone 5C was 10/19 and based on other evidence, investigators know that Syed Rizwan Farook had been using the phone after 10/19. It is unknown whether an additional iCloud backup of the phone after that date — if one had been technically possible — would have yielded any data.

Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required the All Writs Act order, since the iCloud backup does not contain everything on an iPhone. As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.


Photo: Tashfeen Malik and Syed Farook, as they passed through O’Hare International Airport in Chicago on July 27, 2014



I’m missing something. If the terrorist was using iCloud, and Apple knows his username, and all they’re after is his typical iCloud stuff (contacts, notes, emails maybe) then even if they tried to change his password for iCloud, wouldn’t Apple still be able to get on their own servers and find out his info and its cached old versions?