The FBI can’t unlock the Texas church shooter’s phone

Yahoo News ^ | 11/7/2017 | David Lumb

[detective]

At a press conference today, an FBI official investigating the man who killed 26 people in a Texas church on Sunday said the agency can't open the shooter's encrypted phone. The agent painted the issue as a growing concern among law enforcement at all levels who can't access data on devices without their owner's credentials. It's essentially the same argument the FBI made two years ago when it demanded Apple help break into the phone of the San Bernardino shooter, a conflict that escalated into the courtroom.

[Swordmaker]

I wonder if they put him on a Cardiopulmonary bypass (heart/lung machine) and got a forced rhythm, if that would fool the touch sensor?

Maybe Mythbusters could try that sometime.

That might actually work, but it's way too late now. The TouchID won't work after a set period of time and requires the user to input the passcode to re-activate the TouchID. It can be a short a time as five hours, depending on how frequently the user actually touches the sensor normally.

[Swordmaker]

Really? Apple wouldn't help get into the San Bernardino shooter's phone and said it was impossible. Then the FBI paid a hacker who broke into it.

Apple did not say it was "Impossible." Apple refused to comply with an "All Writs Court Order" to create a FBiOS version of iOS they could install on the iPhone 5c that would bypass the count-down passcode lock-out which would erase the data on the phone and then GIVE them the new OS which would unlock the entire class of iOS devices.

Not only was this an impermissible use of the All Writs Order under law, which is supposed to be used only to require a business to do something it ALREADY DOES in its normal course of business (Apple does not make custom operating systems), it cannot be used to force a business to destroy its business model. In addition, there was existing FEDERAL LAW prohibiting the courts from ordering any telecommunications carrier or manufacturer from bypassing any security or encryption installed on a device, software, or system to aid any law enforcement agency or department. This Law, passed by Congress in 1993, had already been tested by a case brought before the US Supreme Court and found constitutional. . .and in fact was passed to ASSIST law enforcement, but as part of a compromise to prevent the Courts from second guessing technology development. Apple was RIGHT to refuse.

[FreedomPoster]

Yes, but you seem to be missing the point - they can’t unlock the phone, either.

[Swordmaker]

Someone will sell you an app that double-encrypts your phone. Get in with the Apple key, and the FBI will still have to get past a PGP-equivalent that is beyond the capabilities of even the NSA.

The iPhone 5s and above already encrypts the data to a 256bit AES standard. . . and it's the best encryption there is available. There is no need for double data encryption on an iPhone. Such double encryption is not worth doing. . . It's a waste of resources.

PGP-equivalent is what you need for Android phones.

The only reason you'd want a PGP app on an iPhone is to encrypt and decrypt mail.

[Swordmaker]

It is not hard. Clone the hard drive on the phone, then start a brute force hack on the clone. After 10 tries, the clone self-destructs. Rinse and repeat. Most phones are only secured with a 4 digit locking code, so it is not a big deal.

The Key is not that simple, nor is it on the hard drive. The passcode only unlocks the AES encryption key, and is used to build part of the Encryption Key each time it is entered in a SECURE PART OF THE IOD DEVICE. So, Flick, passcode is only a portion of the encryption key, and even then it is the only the one-way HASH of the passcode which is calculated in a secure part of the iPhone that is then used as part of the key, entangled by an algorithm in the rest of the key. . . and that KEY is NOT four digits but can be larger than 144 characters in size.

It's a 256 bit AES encryption. . .and Apple allows up to 256 characters for the passcode and you can use every single one of the 223 characters on the virtual keyboard in your passcode. Such a brute force, try every key method of trying to break a 256 bit AES encryption can, and most likely will, take longer than the Universe has to yet to live. See my post above about the calculations using just a 16 character passcode.

[Tammy8]

https://www.washingtonpost.com/news/wonk/wp/2016/02/17/how-long-it-takes-to-crack-an-iphone/?utm_term=.4f5eaf478a05

[Yaelle]

I’m sorry, then. I don’t understand the tech. My bad. I thought Apple COULD unlock the phone but it would potentially unlock ALL phones and iPhones would no longer be encryption protected. And that there was no legal way to force them to, anyway.

I believe that a compromise solution will be found one day.

[Kartographer]

If it just take prints to unlock then I say get a pair of these and make a quick trip to the morgue:

After all the SOB is burning in hell and he don't need and fingers to do that.

[Swordmaker]

I have an iPod———are you saying that my little 4 digit password is not known by Apple?

Nope, it's not. Why would they care?

I would suggest you use a six digit code at the very least.

Instead of 10,000 possible passcodes, that's 1 million possible passcodes. If you could try one every two seconds it would take 5 ½ hours to try 10,000 if the system allowed you to do it without bricking the phone... but more than 23 days to try one million passcodes working day in and day out.

[CurlyDave]

...I don’t want all phones to have a key to unencrypt. But for the manufacturer to hand over an opened phone under warrant doesn’t mean that the law abiding phone owners don’t have encrypted phones...

If anyone, even the manufacturer, has employees who know how to unencrypt the phone, sufficient money will break that information loose.

What happens when the Chinese offer $10 Billion for that information?

Apple is very smart to make it unbreakable by Apple. Keeps them out of all sorts of court battles.

And, a law that US sold phones have to have keys given to the government just means that the real bad guys will buy foreign phones and the technological lead will transfer from the US to somewhere else. Do you really want that?

[Swordmaker]

The tech already exists to unlock the phone by Apple so yeah, it could be hacked even today.

Uh, actually, no, it doesn't. Apple does not have the key to unlock iOS devices post iPhone 5c. They will not even try. They will honor search warrants for data they have on the iCloud that may have been uploaded they can reach. But even that is limited.

Here is what Apple has to say on iOS data retrieval for Law Enforcement:

I. Extracting Data from Passcode Locked iOS Devices

For all devices running iOS 8.0 and later versions, Apple is unable to perform an iOS device data extraction as the data typically sought by law enforcement is encrypted, and Apple does not possess the encryption key. All iPhone 6 and later device models are manufactured running iOS 8.0 or a later version of iOS.

For devices running iOS 4 through iOS 7, Apple may, depending on the status of the device, perform iOS data extractions, pursuant to California's Electronic Communications Privacy Act (CalECPA, California Penal Code sections 1546-1546.4). In order for Apple to perform an iOS data extraction for a device that meets these criteria, law enforcement should obtain a search warrant issued upon a showing of probable cause under CalECPA. Apart from CalECPA, Apple has not identified any established legal authority which requires Apple to extract data as a third-party in a law enforcement investigation. . .

. . .

Q: Can Apple provide me with the passcode of an iOS device that is currently locked?

A: No, Apple does not have access to a user’s passcode.

Source: Legal Process Guidelines—Government & Law Enforcement within the United States—Apple PDF

They don't own the data on a user's device so they have no right to unlock it. . .

[Swordmaker]

Did they ever successfully get into the San Bernadino phone? What the straight info there? I’ve seen some here saying some Israeli company did it quickly and easily. Not sure if thats true at all.

They said they did. . . and found exactly what I predicted they would, given that the terrorist was a devout Muslim who would not steal his employer's property. There was nothing on the iPhone 5c, aside from a few incoming calls from his wife, other than business calls, mails, and messages having to do with customer service for San Bernardino County. There had to be a reason it was not destroyed with their burner phones. . . and that was he would not use that iPhone, which belonged to his employer, for anything not business, just as he would not steal it by destroying it. As a devout Muslim, he had to be ritually clean when he killed the infidels. . . and that meant to him, without sin. Stealing was a sin.

The method the Israeli firm use was a complete duplication of the iPhone 5c in every aspect including all the encryption portions. . . they essentially made 10,000 virtual copies of the terrorist's iPhone and then tried every possible passcode until they hit the correct one. That's why it cost $1 million and six months to crack it.

Keep in mind that this was an iPhone 5c that did not have the superior hardware and OS that was put into iOS 8 and the iPhone 5s, 6, and later. It was far easier to gain access to the secure areas on the 4s, 5, and 5C, than on later iPhones. . . which is what this approach will work on.

[Swordmaker]

so they have the killer’s body so they have his subcutaneous tissue to open the phone.

After death, that tissue changes rapidly. . . it loses elasticity and desiccates. Also, after just a few hours, the TouchID will no longer operate without first inputting the user's passcode to reactivate it. The amount of time is dependent on how frequently the user normally accesses the TouchID. It can be as short as five hours or as long as 24 hours.

[Swordmaker]

Which the new iPhone X has.

And the facial ID data never leaves the iPhone X. . . and it's not an image. it's a one-way hash of the 3D data.

[Stanwood_Dave]

I guess FBI will have to put up a fight with the phone manufacturer to unlock everything. It took a while, but I think that finally happened with the husband-wife Muslim murderers in the Pacific northwest, 2015, San Bernardino, California Mass shooting.

You are mistaken, thinking the manufacturer would help the police. They never did, even with the courts involved. The police got access via hiring a hacking group, and paying the big $$$$$$$. rumor has it $250,000.000. possible a little more.

Just saying.

[Coronal]

As has been previously stated, dead fingers won’t work.

[DesertRhino]

Very interesting. Thanks!

[Swordmaker]

You are mistaken, thinking the manufacturer would help the police. They never did, even with the courts involved. The police got access via hiring a hacking group, and paying the big $$$$$$$. rumor has it $250,000.000. possible a little more.

Just saying.

It was $1 million. . . and they were able to unlock just that single iPhone. They then started offering a package of unlocking to police and government agencies around to world to unlock that generation of iPhones. One iPhone for $25,000, Six iPhones for $100,000, etc. Then several months later, the company itself got HACKED and all their hacking tools and techniques were stolen by hackers. KARMA. LOL! The techniques were put out for anyone to use... but it required lots of hardware to do it. . . and would only work if you had the hardware. It was not a software hack.

It essentially required making multiple virtual copies of the iPhone to be broken into and then trying the potential passcodes. . . that's why it was so expensive. It really only would work on four digit passcodes or on six digit numeric passcodes that they might have hints were something easily guessable. Otherwise, it quickly became uneconomical on the six digit to do. One million virtual iPhones is crazy to try.

[Drago]

You are mistaken, thinking the manufacturer would help the police. They never did, even with the courts involved. The police got access via hiring a hacking group, and paying the big $$$$$$$. rumor has it $250,000.000. possible a little more.

----------------

And that was an older iPhone (4s?)...newer iPhones not susceptible to that hack. And now iPhone "X" is facial recognition only (passcode when that is turned off)...is the FBI going to force you to look at your phone? Keep your eyes closed...won't unlock w/eyes closed.

[Yaelle]

No, I don’t want any of those scenarios. Of course I prefer Apple and other phones to have proprietary privacy tech and no one subject to international tech blackmail. But this is new territory for human technological ethics and if there were a way t9 still allow search and seizure for criminals, while NOT compromising all the th8ngs you both mentioned, I am for it.

Just as I am for the death penalty for convicted criminals who have by their own actions demonstrated they don’t deserve to breathe air here any more, so I am for Gd given privacy to be removed from those whose heinous acts have removed their natural rights.