The FBI Claims Failure To Guess Password Will Make Data 'Permanently Inaccessible,' Which Isn't True
from the all-in-service-of-future-writs-and-exploitations dept
The FBI’s attempt to force Apple to help it break into an iPhone hasn’t been going well. A lot of that has to do with the FBI itself, which hasn’t exactly been honest in its portrayal of the case. It tried to fight off claims that it was trying to set precedent by claiming it was just about this one phone… which worked right up until it dropped details about twelve other phones it couldn’t break into.
Comey’s protestations of “no precedent” were further undermined by law enforcement groups filing briefs in support of the FBI that basically stated they, too, would like Apple to be forced to comply with orders like these. And then there was the whole thing about some “dormant cyber pathogen” that was basically laughed off the internet within hours of its appearance.
There were also claims that Apple has done this sort of thing 70 times in the past but was just being inexplicably obstinate this time for reasons the FBI could not comprehend. But that wasn’t true either. Apple does provide law enforcement with access to data it can retrieve from its end — which is nothing like writing software that would allow the FBI (and anyone else who gets their hands on it — or who makes similar demands following an FBI win) to bypass the security features of its phones.
Dan Gillmor of the ACLU has taken another look at the FBI’s motion to compel and found it has misrepresented how Apple’s “auto-erase” (which occurs after a certain number of failed login attempts) actually works.
The FBI has been unable to make attempts to determine the passcode to access the SUBJECT DEVICE because Apple has written, or “coded,” its operating systems with a user-enabled “auto-erase function” that would, if enabled, result in the permanent destruction of the required encryption key material after 10 failed attempts at the [sic] entering the correct passcode (meaning that, after 10 failed attempts, the information on the device becomes permanently inaccessible)…
That’s not what actually happens, Gillmor points out. All data is not erased once 10 failed attempts are recorded. An agency with as many technically astute employees — as well as access to a variety of data recovery and software forensic tools — should know, or likely does know, that it doesn’t work this way. The phone doesn’t erase all of the data, nor does it make it “permanently inaccessible.” Instead, it just destroys one of the keys to the data.
The key that is erased in this case is called the “file system key”—and (unlike the hardwired “UID” key that we discussed in our previous blog post) it is not burned into the phone’s processor, but instead merely stored in what Apple calls “Effaceable Storage,” which is just a term for part of the flash memory of the phone designed to be easily erasable.
The data is still intact. The front door isn’t. But the FBI can work around this by preventing the key from being destroyed in the first place — without Apple’s help.
So the file system key (which the FBI claims it is scared will be destroyed by the phone’s auto-erase security protection) is stored in the Effaceable Storage on the iPhone in the “NAND” flash memory. All the FBI needs to do to avoid any irreversible auto-erase is simply to copy that flash memory (which includes the Effaceable Storage) before it tries 10 passcode attempts. It can then re-try indefinitely, because it can restore the NAND flash memory from its backup copy.
Even if the FBI fails in its attempts to brute force the code, the data on the phone remains intact. By working with a copy of the flash memory, the FBI can restore the phone to its “10 guesses” state repeatedly until it finally guesses the code.
The FBI can simply remove this chip from the circuit board (“desolder” it), connect it to a device capable of reading and writing NAND flash, and copy all of its data. It can then replace the chip, and start testing passcodes. If it turns out that the auto-erase feature is on, and the Effaceable Storage gets erased, they can remove the chip, copy the original information back in, and replace it. If they plan to do this many times, they can attach a “test socket” to the circuit board that makes it easy and fast to do this kind of chip swapping.
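To make the distinction concrete, here is a small model of the key arrangement the ACLU post describes. It is an added illustration, not code from the ACLU post, this article, or Apple: a UID that lives only inside the processor, a file-system key held in an erasable region of the NAND image, user data stored in NAND as ciphertext under that key, and a failed-attempt counter kept in NAND as well (an assumption, matching the post's point that restoring the flash image puts the phone back in its “10 guesses” state). The cipher is a toy SHA-256 keystream standing in for the real AES engine. Running it shows that the tenth wrong guess destroys only the key, that the ciphertext is untouched, and that putting the saved NAND image back makes the data readable again. The security lesson for a defender is the converse: “permanently inaccessible” only holds when the key material and the attempt counter live somewhere that cannot be copied and restored.

```python
import hashlib
import hmac
import secrets
from typing import Optional

MAX_ATTEMPTS = 10  # the auto-erase threshold quoted in the FBI motion


def _toy_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream in counter mode) standing in for the
    AES engine; encryption and decryption are the same XOR operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


class ToyPhone:
    """Models the two key locations the post contrasts: a UID fused into the
    processor (never readable, never erased) and a file-system key living in
    Effaceable Storage, a region of the NAND flash. User data in NAND is
    ciphertext under the file-system key. The failed-attempt counter is kept in
    NAND as well (assumed here; it is what lets a restored image reset the count)."""

    def __init__(self, passcode: str, user_data: bytes):
        self._uid = secrets.token_bytes(32)                 # stays inside the SoC
        fs_key = secrets.token_bytes(32)
        self.nand = {
            "effaceable": fs_key,                           # file-system key
            "data": _toy_stream(fs_key, user_data),         # encrypted user data
            "failed_attempts": 0,
        }
        # Passcode verifier tangled with the UID, so it is only checkable on this SoC.
        self._verifier = self._tangle(passcode)

    def _tangle(self, passcode: str) -> bytes:
        return hmac.new(self._uid, passcode.encode(), hashlib.sha256).digest()

    def unlock(self, passcode: str) -> Optional[bytes]:
        """Return decrypted user data on success, None on failure. After
        MAX_ATTEMPTS failures the auto-erase wipes Effaceable Storage only."""
        if self.nand["effaceable"] is None:
            return None                                     # key already gone
        if hmac.compare_digest(self._tangle(passcode), self._verifier):
            self.nand["failed_attempts"] = 0
            return _toy_stream(self.nand["effaceable"], self.nand["data"])
        self.nand["failed_attempts"] += 1
        if self.nand["failed_attempts"] >= MAX_ATTEMPTS:
            self.nand["effaceable"] = None                  # auto-erase: key, not data
        return None

    def key_erased(self) -> bool:
        return self.nand["effaceable"] is None

    def dump_nand(self) -> dict:
        """Copy of the whole NAND image, i.e. what a chip-off read would capture."""
        return dict(self.nand)

    def restore_nand(self, image: dict) -> None:
        """Write a saved NAND image back, key and attempt counter included."""
        self.nand = dict(image)


def demo() -> dict:
    """Walk through the post's scenario and report what survives each step."""
    phone = ToyPhone("2580", b"notes, photos, messages")    # constructed sample data
    before_erase = phone.dump_nand()
    for _ in range(MAX_ATTEMPTS):
        phone.unlock("0000")                                # ten wrong guesses
    result = {
        "ciphertext_intact": phone.nand["data"] == before_erase["data"],
        "key_erased_after_10": phone.key_erased(),
        "unlock_after_erase": phone.unlock("2580"),         # correct code, no key
    }
    phone.restore_nand(before_erase)                        # put the image back
    result["unlock_after_restore"] = phone.unlock("2580")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `demo()` result reads: the ciphertext is unchanged, the key is gone, the correct passcode no longer opens anything, and after `restore_nand()` the same passcode returns the plaintext. Everything that made the erase “permanent” in the FBI's description sat in the copyable NAND image, which is exactly Gillmor's objection.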
It’s literally unbelievable that the FBI doesn’t have access to the tools to perform this or the expertise to get it done. Which leads Gillmor back to the inescapable conclusion: this isn’t about one iPhone or even twelve of them. This is about convincing a judge to read the All Writs Act the way the FBI would like it to be read — a reading that would not only push the envelope for what it can demand from unrelated parties in the future, but that would also give it software to modify and exploit.
If it gets to that point, device users are going to have to start eyeing software/firmware updates very suspiciously.
The FBI wants to weaken the ecosystem we all depend on for maintenance of our all-too-vulnerable devices. If they win, future software updates will present users with a troubling dilemma. When we’re asked to install a software update, we won’t know whether it was compelled by a government agency (foreign or domestic), or whether it truly represents the best engineering our chosen platform has to offer.
This is the end game for the FBI, even though it doesn’t appear to realize the gravity of the situation. To it, Apple is the obstacle standing between it and the wealth of information it imagines might possibly be on that phone. Even if Apple is forced into compliance and the phone contains nothing of use, it will still have its precedent and its hacking tool, and we’ll be headed towards a world where patch notes contain warrant canaries.