The buzz surrounding the FBI’s lawsuit to compel Apple to help it unlock an iPhone used by one of the San Bernardino terrorists increased on Tuesday, when NSA whistleblower Edward Snowden dismissed the agency’s stance as “bullsh*t.”
He made the remark during a video conversation with Malkia Cyril, executive director of the Center for Media Justice, and Dan Froomkin, Washington editor of The Intercept, at Common Cause’s Blueprint for Democracy conference.
The statement provoked some testy reactions.
“Does Snowden really matter any more?” asked Jim McGregor, principal at Tirias Research. “I think he’s just looking for publicity.”
Snowden’s involvement in the issue will have “very little effect,” suggested John Gunn, vice president at Vasco Data Security.
Snowden is “a polarizing element,” Gunn told TechNewsWorld. People see him either “as a traitor or the reincarnation of Thomas Jefferson and a patriot willing to give his own life to protect our liberty.”
Possible Technical Options for the FBI
The FBI can bypass Apple’s auto-erase feature by backing up the effaceable storage on the iPhone before trying to guess the passcode, Snowden said, pointing to ACLU Technology Fellow Daniel Gillmor’s explanation of the possible approach.
Auto-erase in fact does not erase all the data from the iPhone’s underlying storage, Gillmor argued; instead, it destroys one of the keys that protects the data — the file system key.
That renders the data permanently unreadable. However, the effaceable storage is stored in the iPhone’s NAND flash memory, and the FBI only has to copy that flash memory before trying to crack the passcode. That NAND flash memory can be restored from its backup copy.
That procedure is routinely carried out in kiosks in Chinese malls to upgrade a 16-GB iPhone to 128-GB for about US$60, according to forensic expert Jonathan Zdziarski.
The FBI has a number of options available, he noted. The bureau could deconstruct the chip on the device in order to read the fuse bank where the UID is stored. If the UID could be extracted, the FBI then could reverse-engineer the rest of Apple’s encryption and brute force it against the PIN.
Another possibility would be to try to isolate the hardware-based encryption off the silicon and feed encrypt/decrypt requests directly through it, performing an on-chip brute force while bypassing iOS, Zdziarski suggested.
Further, the bureau could borrow time on the NSA’s and CIA’s supercomputing clusters to try a brute force attack on one or more of the individually encrypted files most critical to the FBI’s needs.
The FBI hasn’t tried approaching security researchers, who may have proofs of concept that could crack the firmware running on the iPhone in question, believed to be iOS 9.0.x, Zdziarski maintained.
Support for the FBI
Getting a court order forcing Apple to unlock the iPhone in question “does not put our security or privacy at risk, since there’s a one-to-one capability that would allow for limited access to single devices only via cryptographic techniques,” argued Philip Lieberman, president of Lieberman Software.
“All devices can be penetrated by an abundance of means available to governments and criminals, irrespective of the representations of Apple and others,” he told TechNewsWorld.
It’s Just Politics
The FBI “wants the rules set in their favor for all future instances,” Vasco’s Gunn contended. “Petty criminals don’t incite the level of fear that it takes for people to be willing to sacrifice their constitutional rights.”
FBI director James Comey has argued against encryption since at least 2014.
The FBI and law enforcement agencies “understand very well that legal precedent is much easier to come by than legislative action requiring backdoors be built into encrypted software and devices,” Application Developers Alliance CEO Jake Ward told TechNewsWorld.
The lawsuit “seems like a pissing match between two bullies — one looking to score points with consumers and privacy advocates, and the other trying to set a precedent and make an example out of Apple,” remarked Tirias’ McGregor.
However, “this is a sticky issue because there are gray areas,” he told TechNewsWorld. “Privacy should be a right of every citizen, but the government has the responsibility to protect its citizens.”