DOJ says Apple should be forced to unlock encrypted user data if asked by government

9 to 5 Mac ^ | October 24, 2014 | By Chance Miller

[Swordmaker]

Earlier this week, Apple stated that it would be nearly impossible for it to access the data on a passcode-locked iOS device running iOS 8 or later. The company also noted, however, that even if it were possible, it would not feel comfortable doing so as to not tarnish the trust it shares with its customers. The Department of Justice has now dismissed that argument, saying that Apple should be required to unlock encrypted data because iOS is “licensed, not sold” to customers (via DailyDot).

“Apple designed, manufactured, and sold [the phone] that is the subject of the search warrant,” the government told U.S. Magistrate Judge James Orenstein. “But that is only the beginning of Apple’s relationship to the phone and to this matter. Apple wrote and owns the software that runs the phone, and this software is thwarting the execution of the warrant.”

The specific case in which the U.S. government needs an iPhone unlocked relates to executing a search warrant on a suspect indicted for possession of methamphetamine. Apple argues that decrypting a phone in one case would set a precedent that would only burden the company in the future, taxing its resources, employees, software, and equipment. “This burden,” Apple said, “increases as the number of government requests increases.”

The DOJ, of course, rejected this argument, saying that Apple shows no attempt to quantify the burden of which it speaks, nor does it show any evidence.

Apple also argues that aiding government requests for user data would hurt its reputation to the public due to the level to which sensitivity to digital privacy has risen. The company says that this harm to its reputation to could have a lasting economic impact. Earlier this week, Tim Cook spoke out against software backdoors, again voicing Apple’s support for privacy for its customers

As you would expect, the DOJ also rejects this argument, again saying Apple provided no concrete evidence to support its claims.

The government rejected this argument, saying that Apple offered no concrete evidence that reputational concerns constituted an “undue burden” as defined by law.

[zeugma]

Question for ya sword. I lock my phone using a pin. I tried using an actual passphrase for a while, but it was just too much of a pain in the rear, because you have to use the keyboard. I really like the phone-type buttons, because they are larger, and wouldn’t mind having more than a 4 digit code for that. Do you know how to tell it to still use the number pad, yet have more digits available?

[Defiant]

That might work, you’d have to check with a techie to be sure. Sounds like the TV writers at least understand the issue a little, which is not common.

[no-s]

It has to be a living finger. . . just as a photo print of a fingerprint doesn't work

Naaaah: fingerprints aren't very secure.

[Swordmaker]

Question for ya sword. I lock my phone using a pin. I tried using an actual passphrase for a while, but it was just too much of a pain in the rear, because you have to use the keyboard. I really like the phone-type buttons, because they are larger, and wouldn’t mind having more than a 4 digit code for that. Do you know how to tell it to still use the number pad, yet have more digits available?

iOS9 requires six numbers on the numeric pad. . . but if you've already selected four, it still defaults to the four when you upgrade. I'm not sure if you can force it to a six. A friend with a new iPhone had an accident with his and the new one they gave him to replace it was not started with his back-up and required six. . . and when the back-up was restored, still had the six, not the four he had before which were inherited from his previous iPhone 4S. . . so I am not certain of the mechanism. The new one would NOT take a four digit passcode under iOS9, it insisted on six.

[Swordmaker]

Naaaah: fingerprints aren't very secure.

That guy, it turned out, was using his own iPhone for his tests. . . and his own thumb print to test. He actually was reading his own thumb through his test print. When his technique was used on another person's iPhone it failed. Even using his own thumb print on his own iPhone, he had only a 20% success rate with his supposed technique. His concept uses "fingerprint copies" and the technique Apple uses does not even read fingerprints but the subcutaneous ridges BELOW the fingerprints.

He did not even understand that basic function of how Apple's finger reader worked before he started building his technique, which sometimes penetrates deep enough to read his own ridges beneath both his thin rubber mold, his skin, and occasionally sense the subcutaneous ridges enough to activate his own iPhone.

[no-s]

That guy, it turned out, was using his own iPhone for his tests. . . and his own thumb print to test.

He wasn't the only one to make the claim. The issue here is that some attacks were demonstrably successful. Actually the history of biometric sensors is rife with special claims that only require one counter-example to refute. It's probable that Apple spent extra attention to ensure the sensor would not be easily spoofed by a trivial approach. That's what you're hopefully protected from.

However, in the final analysis, the protection relies on an attacker not being able to reproduce the correct fingerprint within the correct number of tries within the time limit. If the fingerprint can be reliably reproduced at all, then the odds of a successful fingerprint reproduction attack are too high to consider it as secure as a PIN.

[zeugma]

Later tonight, I’ll try resetting my pin. I’ll let you know if it goes to 6.

[Swordmaker]

Later tonight, I’ll try resetting my pin. I’ll let you know if it goes to 6.

I traded in my iPhone 6 for a new iPhone 6S and while doing it asked your question. It's easy. Just reset your passcode and you can choose a four or six figure numeric passcode or you can chose to have a more complex alpha-numeric passcode. Or you can choose to be completely foolish and have no passcode at all. You can change your choice at anytime. . . user choice. Apple is flexible on this.

[zeugma]

HA! That’s exactly what I did last night. It didn’t appear to offer the opportunity of continuing with a 4-number pin though, unless I missed something, which is always possible. I ended up having bigger fish to fry last night though. Couldn’t seem to get my phone backed up this time to my Win7 VM I built specifically for that purpose. USB devices sometimes work weirdly under Vmware workstation.

[Swordmaker]

He wasn't the only one to make the claim. The issue here is that some attacks were demonstrably successful. Actually the history of biometric sensors is rife with special claims that only require one counter-example to refute. It's probable that Apple spent extra attention to ensure the sensor would not be easily spoofed by a trivial approach. That's what you're hopefully protected from.

If what you claim were true, where are all the break-ins. Sorry, it isn't true. You cannot use an image or a constructed rubber fingerprint to spoof the iPhone sensor to get around the biometric finger"print" sensor on an iPhone. I repeat, it does NOT read fingerprints, it reads the subcutaneous ridges beneath the fingerprint layer of your fingers. That layer is never imprinted on anything like a fingerprint. . . nor can it be cast to make a rubber faux print. That is why all of these attempts fail.

Again, it has NOTHING to do with FINGERPRINTS. . . if it did, they'd have broken it by now with very high-res copies, as they did with all fingerprint scanners in the past, which is what I think you are referring to.

[discostu]

And with due process they can be. DOJ whines too much.

[Swordmaker]

And with due process they can be. DOJ whines too much.

At this time, only 10% of Apple iOS devices can Apple get into and then only for limited data. Any iOS devices running iOS or later is 256bit AES encrypted and one the user has the passcode, which Apple does not have. Without that passcode which, internal to the device, is entangled with the device's UUID generates the very complex AES encryption key, no one can decrypt the data in any non-astronomical time frame. If the user has elected to use a complex 16 character passcode using the upper and lower case alphabet, numbers, and symbols from the 223 characters available on the Apple keyboard, the key would be 140 characters in length. Using a key of that length would, running the math, require 5.62 X 10¹⁹⁵ years, 5.62 undecillion years, to try every single possible key, using the fastest supercomputer array we have at our disposal today which can try 3 Trillion keys a year by brute force.

The half life of a proton is estimated to be only 10³⁰ years and it is estimated that the Universe itself will be degraded into a temperature less soup of elementary particles by approximately 10⁸⁰ years from now. . . and if your supercomputer still existed, it wouldn't be even half-way through trying keys!

I think the contents of your iOS device might be a tad moot way before then, don't you? At least you wouldn't be caring too much about it. . .

[no-s]

Don't know why you would assert no reported criminal hacks on relatively new iteration of some tech is a positive assurance of safety. Typically criminal hacks focus on efficient things, like social engineering and bad passwords, and only escalate to harder cracks when the easy stuff gets locked up. The best people looking for and exploiting new stuff are getting compensated for their work. The results are kept secret so money can be made selling the exploit.

Also there's nothing magical about the fingerprint sensor. The existence of any verifiable public model that permits capacitive touch array spoofing from a fingerprint sample permits the inclusion of the vulnerability in the risk assessment. The quantification of the risk is the only rational subject of debate at this point. It's not reasonable to assert absolutes of "cannot", "never", and "all" etc.

[Swordmaker]

Also there's nothing magical about the fingerprint sensor. The existence of any verifiable public model that permits capacitive touch array spoofing from a fingerprint sample permits the inclusion of the vulnerability in the risk assessment. The quantification of the risk is the only rational subject of debate at this point. It's not reasonable to assert absolutes of "cannot", "never", and "all" etc.

YOU are the one attributing "magic" into this. I am talking a technology that does not lend itself to the hacks you are talking about. Apple has had iTouch technology in the wild for three years now and those supposed hacks you are talking about ARE NOT breaking into iPhones as you claim. It is not happening. Ergo, your proposed means of breaking in, the ones claimed to have been done, were NOT replicated. It is not magical. It is technology that is protected by both patented technology and trade secrets which Apple has not patented.

No-S, you seem to not be reading what I write. . . because you keep writing this:

". . .touch array spoofing from a fingerprint sample. . ."

in which you are always begging the question, assuming the conclusion you are making. Such "spoofing" of an iTouch has not been successfully been demonstrated with a third party fingerprint, because, as I have repeatedly told you, it is NOT the fingerprint that is read, but the sub-cutaneous ridges below the fingerprint. No "fingerprint sample" can spoof the sensor. Arguing your basic assumption that it can returns you back to your starting point. Your assumption is flawed. You seem to be similar to this fellow:

A patrolling police officer sees a fellow crawling around in the grass at midnight below a street light. A cop comes up to him and asks him what he is doing.

"I'm looking for a diamond ring my girlfriend threw at me when we had an argument a few minutes ago! It cost me over $10,000 and I'm still making payments on it!" said the distraught young man.

So the police office got down on his hands and knees and helped him look. After 10 minutes of looking with his big maglight to assist, the officer commented, "Maybe it would help if I knew where your girlfriend was standing and which way she was facing when she threw the ring?"

"Oh, you're right!" said the young man. "We were arguing, under those trees over there, about a hundred feet that way!"

The officer jumped up and exploded. "Why in the hell are we looking for her ring here!? There's no way in hell that ring could be all the way over here!"

"Well, duh," said the young man, sounding as if the policeman were being unreasonable and stupid, "It's too dark over there, there's no way I could find it in the dark, and there lots of light here!!"

In other words, just because you want the data to be where you think it should be, doesn't mean it is.

If it were as simple as you make it out to be, there'd be companies out there building devices to convert recovered fingerprint traces into reliable iPhone/iPad unlocking systems and selling them to police departments for a few thousand dollars each. They'd be competing for the business. There are not. . . because it is not a viable solution because it doesn't and cannot, and never, will work.

When I say "cannot," and "never," it is in the vein of trying to get blood from a turnip. Why? If the data you are seeking is not in what you are trying to scan, you "cannot" and "never" will get it, because it simply isn't there.

In this instance the "fingerprint" data the sensor is seeking is not in the fingerprint at all, because it was ALWAYS below the level of the ostensible "fingerprint" that anyone thinks of as a fingerprint, the fingerprint one can ink and leave on a fingerprint card, or at the scene of a crime. Apple "Thought Different" about the issue and looked farther into the finger at those sub-cutaneous (below the skin) ridges beneath the fingerprint and found a way to measure and record the subtle differences in the living flesh of the user's finger.

If someone were to develop a scanner that ALSO reads the sub-cutaneous ridges below the fingerprint level of the subject's finger and analyzes that and then is capable of duplicating the response the iTouch is expecting, then and only then, might they be able to break into the iOS device using that sensor. Of course, they probably would still have to somehow get the cooperation of the owner of the finger to scan those sub-cutaneous ridges.

[no-s]

because it is not a viable solution because it doesn't and cannot, and never, will work.

When I say "cannot," and "never," it is in the vein of trying to get blood from a turnip. Why? If the data you are seeking is not in what you are trying to scan, you "cannot" and "never" will get it, because it simply isn't there.

OOOH! Silly ME!!! Oh all-knowing Swordmaker, I bow before your comprehensive mastery of the rebuttal. After all, bluster and rhetorical fallacy are surely the correct way of achieving certainty for all time.

Please forgive my ignorant skepticism; Surely Apple has banished exploits for all eternity, This Time For Sure!

Those lying hackers! We'll never listen to them again, they can't even pretend to know more than the great and glorious Apple! Everything they come up with is an obvious lie because Apple doesn't share everything, trade secrets y'know. It would never happen (again, oops).

BTW, there is a non-zero probability the diamond ring is under the light anyway, and while blood doesn't normally come from a turnip, fingerprints are normally the result of finger touches, so there is a non-zero quantity of information about the finger in the fingerprint.

But I can see you know more than any silly person who voices skepticism about the possibility of quantifying the quantifiable certainty of your certainty.

[Swordmaker]

BTW, there is a non-zero probability the diamond ring is under the light anyway, and while blood doesn't normally come from a turnip, fingerprints are normally the result of finger touches, so there is a non-zero quantity of information about the finger in the fingerprint.

What PART of "the data the iTouch system uses is NOT A FINGERPRINT" is it that you repeatedly fail to understand, No-S????? It is a very straight forward statement of fact, yet you seem to keep missing that very important fact. Apple does not take a photo of a fingerprint. It is taking specific measurements THROUGH the fingerskin into the depths of the finger.

A fingerprint that would be transferred to any object by grease, mud, sweat, or any other transfer means, such as an inked or cast impression, WILL NOT and CANNOT replicate any of the depth/distance information to those sub-cutaneous ridges that Apple senses to use in it's iTouch system; they are much to subtle for anything so ephemeral or gross a sampling system as you describe to include any traces.

Getting snarky about a scientific fact does not change the scientific fact just because YOU find it inconvenient. It's a fact that I have been trying to impart to you through your skull which seems to be made of Impervium.

YOU seem to be fixated on the idea that the sensor is a "fingerprint" sensor when it is anything but a "fingerprint" sensor, when I have been telling you in every post it is NOT a "fingerprint" sensor.

Yet, here you are AGAIN claiming that somehow, someone is going to find that DIAMOND RING under THAT STREET LIGHT. . . but that's why I told you that story! It is obvious you believe in sympathetic Magic. No-s . . . You apparently do not even see the analogy because you are still blithering about "fingerprints" being able to help a hacker break into the system when the data is not in a mere fingerprint.

I am not "blustering," no-s. I've read Apple's technical papers on their system. . . and, yes, I am certain it is not going to be hacked by copying a fingerprint. It is really obvious you have not.

Perhaps this analogy would help. . . using a fingerprint to get the sub-cutaneous data is like trying to see an accurate depiction of a person's skeleton by using a optical photograph of them. You are using the wrong tool.

[no-s]

there you go on with the rhetorical fallacy and personal attacks again. you say you've seen technical papers proving this is an impossibility? Can you reproduce them for us? Or are you just blowing hot air?

Since you describe yourself as knowledgeable in the subject, can you objectively describe the precise quantitative and qualitative differences in the sensor used from iPhone 6 to 6s?

What is the precise depth of the "subcutaneous" finger touch sensing? How do we know this is as unique as a finger tip?r

How do we know for a fact that fingerprints (the actual fingerprint, not a photo of one) contain no recoverable information that can be used to defeat the iTouch sensor?

For decades I've heard BS about biometric security, and when people try to get close to the details, there's always some blowhard trying to shout any skepticism down about the "impossibility" of an attack. And they've been proven wrong every single time, because it only takes one successful attack to render "impossibility" obsolete. Looks like iPhone 6/6s already fell, so impossibility is off the table.

So the only real issue is the unlikeliness of a successful attack. It does look pretty unlikely, requires the acquisition of good quality fingerprint samples and a few $1000 worth of equipment to produce just one attack vector with a some non-zero probability of defeating iTouch. It's just not going to be worth it in most cases. It's not even borderline. But it's not the same as impossible.

[Swordmaker]

there you go on with the rhetorical fallacy and personal attacks again. you say you've seen technical papers proving this is an impossibility? Can you reproduce them for us? Or are you just blowing hot air?

No-s, you are the one making accusations around here. You are the one making personal attacks, not me. I am merely pointing out you seem to keep missing the obvious. . . and it is obvious that a surface phenomenon such as Fingerprints does NOT carry any information about structures below the surface. The skin does not show the shape of the pads of fat, nerves, blood vessels, the distal phalanx, and other sub-cutaneous structures under the epidermis layer. They are at different depths and different densities.

I told you that Apple looked at the failings of the biometric fingerprint systems in the past and literally "Thought Different." The failings of previous "Fingerprint" systems is that they used fingerprints," something people leave reverse copies of every where they go! Not very secure at all if every Tom, Dick and Harry can literally lift a copy off of any surface you touch, reverse it, and Voilá, a duplicate of the key to your device! So, Apple asked, how do you retain the convenience of using a finger, but NOT use a fingerprint?

Apple's engineer's found a way in the anatomy of a human finger. . . which YOU apparently keep ignoring and WANT the iTouch sensor to be using a mere fingerprint, which I have been repeatedly telling you it does not.

The Anatomy of a human finger tip.

If you notice, between the epidermis layer with its distinctive fingerprint, nerves, blood vessels, sweat glands, etc, and the distal phalanx (the bone) is a bunch of fat blobs that look like a pile of cottage cheese or curds. These fat blob have ridges and bumps all over them that are distinctive and different for every human being and finger. No two are alike. . . and they do not change, barring accident such as a slashed finger. Apple's engineers found a way to measure the distance to the fat blobs and into the fissures between the blobs. . . and to map the features of the fat UNDER the epidermis, which is too thick and too coarse to show the fine grain of the fat ridges.

How do we know for a fact that fingerprints (the actual fingerprint, not a photo of one) contain no recoverable information that can be used to defeat the iTouch sensor?

Your idea that you could somehow find out anything about those fat ridges, the lobes and fissures that are measured and mapped by the iTouch sensor, with a oily residue fingerprint image, or an inked copy fingerprint, or even a casting of a finger, is akin to expecting a blind Braille expert to read a page of Braille print with a drawing or a photograph of the page, or through a sheet of leather laid on the page. Not one of those allows the data being used to be sensed by the means available.

Since you describe yourself as knowledgeable in the subject, can you objectively describe the precise quantitative and qualitative differences in the sensor used from iPhone 6 to 6s?

What is the precise depth of the "subcutaneous" finger touch sensing? How do we know this is as unique as a finger tip?

All of those questions are irrelevant. The first are trade secrets of Apple. . . and Apple has improver the iTouch sensor system since it was first introduced in the iPhone 5S, and it is also available in several models of iPad.

You can ask any good professor or text book on human anatomy what the distances to the gross layer of adipose tissue under the epidermis of a human finger is, but I doubt even those sources have the information on the depths of the fissures and surfaces of the lobes available at their, ahem, fingertips. As for uniqueness, it is unique enough to do the job at hand. . . and it is as unique as anything else that is created randomly by nature. Perhaps, there are multiple people with the same patterns of adipose finger tissue, but Apple has constructed their system so that after five failed iTouch attempts at entry, the user must use their passcode to gain entry. Trying multiple people to try and match an unknown pattern of finger fat patterns simple will not work to gain entry. The odds of hitting your mythical match are astronomical.

Looks like iPhone 6/6s already fell, so impossibility is off the table.

It hasn't . . . and I told you why the hacker thought he had succeeded. When others attempted to do it, they failed. He was using his own iPhone and a copy of his own fingerprint on the same digits it would fit. The device read the patterns through his copy, but only once out of five tries. The copy fingerprint did not work when his friend tried the copy on his finger. Others could not even get that. His "technique" failed peer review.

Now, I've spent far more time on this than arguing with you is worth . . .