Resetting terrorist’s Apple ID password wasn’t a screwup, says FBI

No, the FBI says, changing the password on the San Bernardino terrorist’s iCloud account was not a screwup.

Prior to Saturday night, when the FBI released a “we did it on purpose” statement, some media outlets were reporting that county workers had gone ahead and changed the password on their own.

They did not, the FBI said. Rather, it was done by the county and the FBI working in conjunction.

The reason why this is all so important is that by resetting the password, the investigators got access to Syed Rizwan Farook’s backups, but only as recently as 19 October: weeks before he and his wife, Tashfeen Malik, allegedly carried out a mass shooting that killed 14 people and seriously injured 22 at the Inland Regional Center in San Bernardino, California.

In doing so, the bureau rendered it impossible to access later backups that could have contained information posted closer to the date of the attack.

The pair died in a shootout with law enforcement.

The Justice Department and Apple are in agreement over at least one thing: resetting the iCloud password means that getting a more recent backup – one that followed the 2 December incident – is out of the question.

Senior Apple execs said on Friday that were it not for the password change, the company may have been able to get at more recent backups of the information the government was after.

As Buzzfeed News reports, Apple execs told reporters that the company had proposed four different ways to recover the information the government wants, all without building a backdoor into its iOS encryption.

One method would have involved connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup that might have delivered information stored on the device between 19 October and the date of the mass shooting.

The execs said that Apple had sent trusted engineers to try it.

But the engineers found that the Apple ID password associated with Farook’s iPhone had been changed sometime after his death: within 24 hours of the government having gotten their hands on it, in fact.

Changing the password obviated the chance to get at a fresh copy of the device data via the known-Wi-Fi-network method Apple had planned.

On Friday, the FBI blamed the resetting on the phone’s owner – Farook’s employer, the San Bernardino Health Department.

The FBI wrote in a court filing that somebody at the department had reset the password remotely:

The owner, in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely.

Not so, the San Bernardino County’s official Twitter account promptly stated.

Rather, “The County was working cooperatively with the FBI when it reset the iCloud password at the FBI’s request.”

In the statement put out late Saturday night, the FBI said that Farook’s iPhone was already locked when it was seized during a search on 3 December, making it “a logical next step” to get at iCloud backups and whatever evidence they may have held.

The FBI now says that it worked with San Bernardino County to reset the password on 6 December so as to get immediate access to the backup data.

Could investigators have gotten more evidence from fresher backups than 19 October?

As of Saturday, the FBI was shrugging at the idea:

It is unknown whether an additional iCloud backup of the phone after that date – if one had been technically possible – would have yielded any data.

As Naked Security’s Paul Ducklin remarked, forensic analysis of computer devices is hard enough if you have controlled offline access to a copy that can be replaced at will.

It’s way harder when you have the cloud in the loop, as well.

In such a situation, investigators are over a barrel: do they cut the phone off and shut it down in the hope of preserving where things were, in case the crooks try to wipe it?

(Of course, the phone user in this case was already dead, taking the chance of wiping his phone with him. But what if an accomplice had wiped it?)

Or do they leave it turned on and connected, in case they can’t ever get into it again?

Or then again, do they wait for a hardware engineer from the company in question to show up and try a method that might well have worked to get them the information they were after?

At any rate, the FBI still wants to unlock that iPhone, regardless of iCloud backups, it said, given that the phone itself will likely offer more data than a backup could:

Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains.

Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone.

As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.

As far as Apple is concerned, the government is seeking an “unprecedented use” of the All Writs Act, a 1789 law that authorizes US federal courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

Gizmodo’s Kate Knibbs notes that the government has leaned several times on the act to compel Apple and other communications companies to help them with investigations.

Not all judges are sympathetic to uses of the writ, which, Knibbs notes, can be like handing judges a blank check if interpreted broadly.

But it has been used against communications companies in the past.

In 1977, the Supreme Court set a precedent for allowing its use to compel a telecom’s cooperation with the government as it conducted surveillance to set up a racketeering sting.

In a separate statement published on Lawfare, FBI director James Comey told people to stop freaking out about what he called the government’s pleadings, which constitute an order that Apple unlock Farook’s encrypted iPhone.

This isn’t about breaking encryption or setting loose some master key, Comey said.

Rather, it’s about developing software to enable brute-force password attacks.

Specifically, a US judge last Tuesday – 16 February – ordered Apple to develop a way to skirt an iPhone auto-erase security feature that kicks in after 10 failed password attempts.

The government simply wants that security feature disabled, Comey said:

We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it. We don’t want to break anyone’s encryption or set a master key loose on the land.
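As an added illustration, and not code from the article, the FBI or Apple, here is a small Python model of the lockout policy Comey is describing: a counter of consecutive failed passcode attempts, an escalating wait between attempts, and an erase once the tenth failure is recorded. Only the 10-attempt threshold comes from the page; the delay schedule, the per-attempt cost, and the PasscodeGuard and exhaustive_search names are constructed assumptions. The point it shows is why the policy matters for a defender: with both controls on, a sequential guess of a 4-digit code is stopped after 10 tries, and with only the erase removed the delays still stretch the worst case to over a year, whereas with both removed the same search takes minutes.

```python
from dataclasses import dataclass

# From the article: the device erases itself after 10 failed passcode attempts.
WIPE_THRESHOLD = 10

# Constructed assumptions for illustration (not Apple's real values):
# seconds the device makes you wait before an attempt, indexed by the number
# of consecutive failures already recorded; beyond the table, wait MAX_DELAY.
DELAY_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
MAX_DELAY = 3600
# Assumed fixed cost of a single passcode check, in seconds.
ATTEMPT_COST = 0.08


@dataclass
class PasscodeGuard:
    """Models the attempt counter, the escalating delay and the auto-erase."""
    secret: str
    wipe_enabled: bool = True    # the auto-erase feature the order asks to skirt
    delays_enabled: bool = True  # the "decade to guess" part of the same policy
    failures: int = 0            # consecutive wrong guesses
    attempts: int = 0            # total guesses made
    delay_seconds: int = 0       # simulated time spent locked out
    wiped: bool = False

    def _lockout_delay(self) -> int:
        """Seconds the device would make the caller wait before this attempt."""
        if not self.delays_enabled or self.failures < 5:
            return 0
        return DELAY_SCHEDULE.get(self.failures, MAX_DELAY)

    def try_passcode(self, guess: str) -> bool:
        """Check one guess, applying the delay, the counter and the wipe rule."""
        if self.wiped:
            raise RuntimeError("device has been erased; no further attempts")
        self.delay_seconds += self._lockout_delay()
        self.attempts += 1
        if guess == self.secret:
            self.failures = 0          # a correct entry clears the counter
            return True
        self.failures += 1
        if self.wipe_enabled and self.failures >= WIPE_THRESHOLD:
            self.wiped = True
        return False

    def elapsed_seconds(self) -> float:
        return self.attempts * ATTEMPT_COST + self.delay_seconds


def exhaustive_search(secret: str, digits: int,
                      wipe_enabled: bool, delays_enabled: bool) -> dict:
    """Try every numeric code in order and report what the policy does.

    Returns the outcome ("found", "wiped" or "exhausted"), the number of
    attempts made and the simulated seconds elapsed.
    """
    guard = PasscodeGuard(secret, wipe_enabled, delays_enabled)
    for n in range(10 ** digits):
        if guard.wiped:
            break
        if guard.try_passcode(f"{n:0{digits}d}"):
            return {"outcome": "found", "attempts": guard.attempts,
                    "seconds": guard.elapsed_seconds()}
    outcome = "wiped" if guard.wiped else "exhausted"
    return {"outcome": outcome, "attempts": guard.attempts,
            "seconds": guard.elapsed_seconds()}


if __name__ == "__main__":
    # Worst case for a 4-digit code: the secret is the last code tried.
    for wipe, delays in [(True, True), (False, True), (False, False)]:
        r = exhaustive_search("9999", 4, wipe, delays)
        print(f"wipe={wipe!s:5} delays={delays!s:5} -> {r['outcome']:9} "
              f"after {r['attempts']:5} attempts, {r['seconds'] / 86400:.1f} days")
```

The model separates the two controls deliberately: the erase is what bounds the number of guesses, and the escalating delay is what bounds the rate, so removing either one on its own changes the cost of a search by orders of magnitude. Any service that accepts a short secret (PINs, OTP codes, recovery codes) needs the same pair of limits, whichever form they take.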

Apple CEO Tim Cook has said that there’s nothing simple about it.

The government is after an encryption backdoor, Cook says: a deliberately programmed weakness that enables computer security to be sidestepped whenever it suits you.

“You” being the government, or maybe a rogue employee, or crooks. Where there’s a backdoor, there are inevitably people who know about it.

Tech companies have lined up to back Apple’s refusal to break its encryption.

Sophos is one of those companies, and it’s put out a #nobackdoors pledge that explains why.

Sophos gave the pledge its own page.

Comey writes that he hopes people will “take a deep breath and stop saying the world is ending, but instead use that breath to talk to each other.”

I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.

That’s a heart-rending argument.

But as we wrote when Sophos made its #nobackdoors pledge, this case goes far beyond the phone of one terrorist, and that’s Apple’s point:

Apple is determined to stand its ground, arguing that to create a programmatic backdoor, even in a dramatic case like this, would open a password-cracking Pandora’s Box.

To backdoor one iPhone would effectively betray all of Apple’s many millions of law-abiding customers, and pave the way for similar writs against other American companies and their customers.
