Apple is in hot water because they are not responding to a Judge’s order to disable a core security feature in the iPhone in order to access data about the San Bernardino Shooters. This comes shortly after a Harvard Report indicating requests like this are stupid. Apple has taken a hard line with regard to customer security but it is hard to understand why, in this case, where the phone belongs to the local government and the owner is a dead terrorist why Apple isn’t stepping up. First Apple “probably” can do this but even they likely don’t know for sure and if they do it then it will showcase it can be done. If it can be done others will work to emulate what Apple did potentially eventually making the feature worthless. But that is only one part of why Apple is not motivated to help. Let me explain.
The Task
Now the feature the FBI wants disabled is the one that locks the phone and erases all the data after 11 attempts. The phone takes about 10K different number combinations for a 4 number pin though you can use an algorithm and some knowledge of the user to cut this down substantially but you still will likely need way more than 11 attempts.
So, no problem, Apple just has to disable the feature but to do that normally they have to use the phone’s PIN and that’s what they don’t have.
Why It Is So Hard
Now if this was easy to do anyone stealing the phone would do this and over the last few years there has been a massive effort to make stolen phones worthless and to keep data safe. In fact for some time a number of cities and States have wanted Apple and others to fully brick the phone after a series of wrong attempts to stop people from being mugged for their phones. (They ended up going in a different direction but phones became far harder to break into as a result).
So doing what the FBI is asking should be impossible but given Apple uniquely has access to the source code, in theory, they should be able to find a way around their own security.
Why Apple Is Motivated Not To Help
New problem, the folks that wrote this into the code are the most likely to do this work but they were asked to make this kind of thing impossible so, if they can do it they are kind of screwed because their CEO wanted what they are attempting to be impossible. If it was Steve Jobs rather than Cook he’d likely fire them if they were successful and even under Cook they aren’t really motivated to showcase there is a way to do what they likely represented can’t be done.
This means you’ll need to use some other specialist but this specialist will now develop the unique skill of being able to bypass Apple security which means they will suddenly become incredibly valuable to anyone else that wants to do this and that is not a skill you want folks to know you have if you want to remain free unless you are already a government employee. Now Apple doesn’t want the government to know how to do this because if it got out the government could bypass security folks in Europe, Asia, and Eastern Europe would likely switch of iPhones and likely be joined by not an insignificant number of US users.
Wrapping Up:
In short there is no upside for Apple, any Apple employee, or for Apple to let any government employee do this. If they take part in any way in breaking into an iPhone successfully Apple is generically screwed and the most qualified Apple employees to do this are screwed.
If I were the government I’d buy a bunch of similar iPhones, take them to the Black Hat conference and put a prize of a $100K for anyone that can do to an iPhone what they want done. They’ll likely get it done faster and more cheaply than Apple will do it for them. In fact there is actually a pretty good chance that someone somewhere has already figured out how to do this and I’d likely start with the CSA or NSA in my quest.
But asking a company to violate their own security particularly when it could have an adverse impact on both the employees that do it and the company, which is just not going to be a quick or easy path to success. And I don’t blame Apple at all, were I them I’d likely behave in exactly the same way largely because I’m not feeling suicidal.
A couple of questions to leave you with. Why would a Terrorist assume their government owned phone wasn’t monitored and, given this guy’s background, why wasn’t it?
