A Take on Apple Vs FBI by EfficiencyNext’s President

Posted by on Feb 25, 2016 in From the Cloud, From the Mind, Uncategorized | Comments Off on A Take on Apple Vs FBI by EfficiencyNext’s President

Note: The opinion in this blog post is that of Paul Katz, President of EfficiencyNext LLC. There has and continues to be a vigorous debate among EfficiencyNext staff, with many going #teamfbi and others #teamapple.

The current Apple Vs FBI issue with regard to accessing a terrorist’s iPhone 5c has been a subject of active debate within technology and non-technology circles. The position held by many in technology is that Apple is correct in this specific matter. I, however, feel the FBI should prevail in this one specific case.

Detangling Things

There has been much talk about back doors and weakening encryption with regard to the court order for Apple to unlock the iPhone 5c used by Syed Farook, one of two the shooters in San Bernardino terror attack . The iPhone in question is owned by the San Bernardino County Department of Public Health, which has given complete consent for the FBI to access the phone.

The court order is not aimed at weakening the iPhone’s encryption. Instead, the court order requires Apple to build a custom operating system that can be installed on the specific iPhone involved, which will:

  1. Nullify the auto-wipe feature
  2. Remove delays between PIN code attempts
  3. Allow for PIN attempts to be conducted at a rate of 80 milliseconds per attempt

Apple, through signed encryption security, is the only party that can load a custom operating system on an iPhone, by their own design. This is why the FBI, through the court system, has compelled Apple to build the custom OS, and brute force determine the PIN to unlock the phone. The request is made under the authority of the All Writs Act to help service a valid search warrant.

Hence, this particular case is not about encryption, but rather having Apple create a technique they can run themselves (and only them) which bypasses login security mechanisms.

Why I Believe the FBI is Right

Apple’s Government Information Requests policy currently states “For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”.

Apple failed to consider the possibility that the All Writs Act might be employed to compel them to unlock phones via their authentication mechanisms. In my opinion, (I’m not a lawyer BTW), the All Writs Act applies. Apple seems sufficiently related to to this matter, and building a custom modified OS for a company of their size and financial ability doesn’t seem an undue burden.

Under the current Law, I don’t see Apple having much of a case. And concern for precedents must cut both ways. If Apple, one of America’s most powerful corporations, is able to refuse to help service a court approved warrant, how many other companies can follow suit?


The Advice Apple Should And Can Give

Each iPhone has the ability to accept passwords and phrases far more complex than a four or six character numeric code; the option is there, just buried a little.

A six digit numeric pin has one million possible combinations (000,000 through 999,999). Brute force at about 12 attempts a second would take just under 24 hours. This is what the FBI is banking on.

That said, A six character password (alphanumeric + special characters) has over 281 trillion possible combinations (281,474,976,710,656) by my count. Presuming the password isn’t readily guessable, we are looking at 6,515,624,460 hours of bulk attempts to brute force the password.

Even sticking with numbers, a user can have a nine character numeric password with a possible one billion combinations (a thousand fold increase over a six character PIN). That would take 23,148 hours to brute force open, or 964 days. Multiply that by ten for every added number in the PIN.

In short, the ultimate security for users right now is right where it should be, in their hands. Apple can fight what they consider is a good fight if they want, but they should advise customers they might indeed lose, and that those who value privacy in the face of government warrants should consider using iOS’s complex password options. They could tell their customers this today.

In Summary

There are deep policy questions about encryption, master keys, key escrows, etc… None of that is before us today.

The circumstances of this one iPhone 5c allow the FBI to make what appears to be a reasonable request under the All Writs Act. Apple has the capability to do the work. They are related to this matter. And it does not impose an undue burden. Apple’s failure to consider the All Writs Act in 2014 when they started encrypting iPhone devices in a bid to not service government warrants ultimately is their responsibility. And if Apple truly is concerned about their customers’ security, they need to acknowledge they might not be above the law as they see it, and tell their customers to secure their phones with complex passwords accordingly.

Syed Farook did not do so. Under a valid government warrant and with Apple’s help, his phone should be accessed.