FBI's Own Actions Likely Made Farook's iPhone Data Inaccessible

from the oops dept

On Friday, we noted that one of the reasons the FBI was unable to get access to the data on the remaining iPhone from Syed Farook was that, after the shooting and after the phone was in the hands of the government, Farook's employer, the San Bernardino Health Department, initiated a password change on his iCloud account. That apparently messed stuff up, because without that, it would have been possible to force the phone to back up data to the associated iCloud account, where it would have been available to the FBI. But, after we published that article, a rather salient point came out: the Health Department only did this because the FBI asked it to do so.

From a San Bernardino County Twitter account:
If you can't read that, it says: "The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request."

In short: a big reason why the FBI can't get the info it wants is because of an action taken... by the FBI.

Apple has also provided further information on this, showing how it was perfectly willing to cooperate in reasonable ways with the FBI -- but that it was the FBI that messed things up:
The Apple executive told reporters that the company’s engineers had first suggested to the government that it take the phone to the suspect’s apartment to connect it to the Wi-Fi there. But since reporters and members of the public had swarmed that crime scene shortly after the shootings occurred, it was likely that any Wi-Fi there had been disconnected. So Apple suggested the government take the phone to Farook’s former workplace and connect the phone to a Wi-Fi network there.

The executive said that Apple walked the government through the entire process to accomplish this, but the government came back about two weeks later and told Apple that it hadn’t worked.

Apple didn’t understand why it had not worked—until the company learned that sometime after the phone had been taken into the custody of law enforcement, someone had gone online and changed the Apple ID that the phone uses to conduct backups.
Two interesting points in there: first, do you remember how there was all this discussion about the insane media scrum that ransacked Farook's house? And lots of people pointed out that useful evidence may have been harmed by it. At the time, the FBI insisted they were all done with the house, but it appears that may have been part of the reason why they couldn't get the backup.

The second is that Apple had not revealed this tidbit earlier. The company explained that it had felt that its conversations with the government had been confidential until the FBI revealed this detail in the totally unexpected Motion to Compel it filed Friday. It appeared that the FBI was so eager to push its PR stunt that it filed the document (which it had no reason to file), and then revealed even more of its own bungling in this particular case.

Whether intentional or not, this is only going to add support to people who say that the FBI doesn't actually care what's on the phone, but wanted to be able to go after the data in this case because they knew they could set a precedent in a case where their argument will generate the most sympathy. Remember, back in September, after the Intelligence Community lost the fight to get a law banning strong encryption, intelligence officials said out loud that they'd just wait until the next terrorist attack:
Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

There is value, he said, in “keeping our options open for such a situation.”
Two months later, you get a "terrorist attack" (or a workplace dispute that can be painted as a terrorist attack) and a sorta, kinda encrypted phone, and voila. Just what the intel community asked for. It would be crazy to suggest that any of this was done on purpose -- it's almost certainly a bit of convenience for the intel and law enforcement communities. But the fact that the FBI directed the Health Department to change the password, and that's part of the reason they're now locked out, really raises some questions about what the FBI's priorities were here. It also raises a separate question of whether or not companies should be forced to hack their own system in cases where the FBI's own bungling was responsible for the loss of information. But, really, that's a minor point, given that the DOJ wants that power even in cases where the FBI didn't mess things up itself.

Filed Under: encryption, fbi, icloud, password reset, san bernardino county, syed farook


Reader Comments



  1. Anonymous, 27 Feb 2016 @ 11:51am

    Yes, Apple should be able to revert the FBI's resetting of the Password!

    "I feel like I'm missing something"...me too, the solution SEEMS SO SIMPLE.

    "can't Apple just change it back to the way it was before?"...yes, Yes, YES! Finally someone online thought of my idea! I had thought of this too, even before reading your comment. I was actually trying to Google to see if anyone else had mentioned this & you had! (so it's your idea too)

    Problem: The FBI reset the iCloud password...so, now the device won't be able to trigger an automatic backup.

    Solution: Restore that account's password from backup, to BEFORE the FBI reset it!...via direct Database manipulation -- SQL commands on the server.

    I'm sure Apple has multiple backups of the iCloud user database, maybe even hourly, they could dig thru those backups (a simple grep, not hard) to find every time (or the most recent time) that that account's password was changed & simply restore the old password & then hope the device will auto-backup.

    As some of you may not know, Apple doesn't need to know the old iCloud password to restore it: I assume (& hope) Apple is using the industry best-practice of using bcrypt (in PHP terms, the "password_hash()" function) to store the password hash instead of the password (but actually how they store it doesn't matter for this procedure)...so you simply restore the previous password hash into the live iCloud Database (Apple would have direct Database access on the iCloud server, of course). No one knows the old password, but the device does & could then, theoretically, perform an auto-backup.

    "Can't Apple just configure their iCloud servers to accept whatever password the phone throws at it as being the correct pw"...actually, yes, they probably can. My solution (even before reading your comment) was to restore the old password from backup, but with custom code in the login function, they could configure "that account" to accept any password...they'd wanna lock it down tho, otherwise anyone who tries that account would get in, with any password, while the phone was doing the backup.

    What they could do instead tho (besides just restoring the password hash from backup, as above) is, assuming the phone tries to login by sending the literal password, in plain text (over a secure connection), just start logging any passwords tried on that account, then they would know the plain text password the phone is trying to use, then they could change the password hash to match that plain text password. On the other hand, if the phone is trying to connect using some other "login token", instead of the "password" in plain text...they could just configure that "token" to be "correct".

    However, if the device's auto-backup was turned off, none of this will help (unless they can turn auto-backup on remotely). Before doing anything more complicated, Apple could look into their logs to see if that phone has even been TRYING to connect to them at all. We know it hasn't done a backup in months, but has it even talked to Apple's Servers at all? -- for example: iOS Update check? App update check? Check for new msgs? They should be able to see any attempts the phone made to connect to their Servers...which includes failed login attempts. If there are any, then they would know the phone is trying & failing to connect (due to the password being changed) or they would find out it's not even trying to connect...making the fact that the FBI changed the password, not matter at all.
