What the FBI Can Get From Seized iPhone

A statement the FBI sent to arstechnica.com made the situation a little clearer and showed what the Federal Bureau of Investigation (FBI) is actually asking of Apple.

The FBI statement clarified its role in resetting the iCloud password on the seized iPhone 5C central to the San Bernardino terrorism investigation.

Earlier, a spokesman for the San Bernardino County Health Department confirmed to the tech site that his agency changed the iPhone’s associated iCloud password at the request of the FBI. That action had the unintended effect of making any further iCloud backup attempts impossible, likely frustrating the terror probe. The San Bernardino County Health Department, which owns the phone, was shooter Syed Rizwan Farook's employer.

However, the same statement, written by FBI Los Angeles Field Office spokeswoman Laura Eimiller, also claimed that "we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains." She did not respond to further questions by phone and e-mail.

The latest FBI statement directly contradicts what an Apple executive, who was granted anonymity, told reporters: that if the iPhone had backed up to iCloud as Apple had suggested, the data the FBI could have recovered would be precisely the data it is now trying to get directly off the phone that Farook used.

Arstechnica.com spoke with three iOS security experts at length. They agreed that Apple's statement is theoretically correct only if the bureau performed just a classic Cellebrite-style direct data extraction. Doing that would produce the same data as an iCloud backup. However, there might be other information and data on the phone that the FBI could access if agents could break the passcode and decrypt the phone. After all, bypassing that passcode limit is precisely what the FBI has asked Apple to do.

A few days ago, Apple was given an unprecedented court order—under an obscure 18th-century law known as the All Writs Act—to create custom firmware for the iPhone 5C that was used by Farook. That new firmware would remove the optional automatic wipe feature that erases the phone after 10 incorrect passcode entries, and would remove the delay between passcode attempts that is intended to make brute-force entry more difficult.

If Apple does comply, it would allow the government to enter PIN codes in rapid succession until it gained access to the phone. Apple CEO Tim Cook has publicly said Apple will resist this attempt, calling it a significant "overreach." A court hearing has been scheduled for 22 March 2016 in Riverside, California.

So, what information on the phone wouldn't be available as part of an iCloud backup? There are a handful of applications that Farook may have had installed on the phone that don't sync their data to iCloud. The FBI has not said publicly what it expects to find on the phone.

"Signal Messenger isn't going to back up your messages to iCloud and since they’re end-to-end encrypted, the only place they’re going to be is on the phone," Dan Guido, the CEO of Trail of Bits, a security firm, told arstechnica.com.

Another app the FBI may want to see running on the phone is Telegram, a messaging app that has been known to be used by Islamic State radicals. Telegram, however, has an optional app-specific passcode that protects access to the app even if the phone is unlocked.

"That would be a thing that me as an FBI agent would be concerned about," Guido added. "Maybe [Farook] communicated on it, so we need to get access to the phone. That's a reasonable line of thinking for an FBI agent to make."

With access to installed apps like Signal and Telegram, the FBI may want to learn who else Farook was communicating with and what was said, which could open up other avenues of investigation or confirm details about his contacts.