FBI Chief: Universal Encryption Would Paralyze Law Enforcement

FBI Director James Comey (Alex Brandon/AP)

The FBI warns that the world Apple is making is one where the FBI can’t do its job. Apple says the FBI is seeking "dangerous power." Who’s right?

If the FBI can force Apple to build special hack software for the iPhone at the center of the San Bernardino case, could the software put other iPhones at risk of attack and data theft?

Today, FBI Director James Comey told lawmakers that the special software the bureau is asking the company to make “likely” could not be used on other phones. Comey also warned lawmakers that a “world with universal strong encryption” was one where the FBI could not do its job of protecting the American people.

Here’s the background: Last Friday, a California court issued an order telling Apple to create a new operating system for the iPhone 5C used by Syed Farook, one of the shooters in the San Bernardino terrorism case. (The phone belongs to Farook’s employer, San Bernardino County.) The FBI requested a new operating system, derisively nicknamed FBIOS by some, to install on the phone in order to bypass two security features, enabling the FBI to unlock it.

Comey has pushed back against accusations that the bureau is using the San Bernardino case as a means to establish a new precedent and force Apple to break into more phones.

In the motion that Apple filed Thursday, the company argues: “This is not a case about one isolated iPhone … Rather, this case is about the Department of Justice and the FBI seeking through the courts a dangerous power that Congress and the American people have withheld: the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe … No court has ever granted the government power to force companies like Apple to weaken its security systems to facilitate the government’s access to private individuals’ information.”

Is FBIOS a Dangerous Power?

Comey on Thursday told the House Intelligence Committee that FBIOS “likely” wouldn’t work on other phones because Farook’s 5C phone was unique.

“The combination of a 5C and this particular operating system is sufficiently unusual that it’s unlikely to be a trailblazer because of technology being the limiting principle,” he said.

If true, that would undermine Apple’s claim that FBIOS is too dangerous to create.

Unfortunately, it’s “not exactly true,” according to Dan Guido, founder of the Trail of Bits information security consultancy, a hacker in residence for the NYU Tandon School of Engineering, and a former threat intelligence lead for the Federal Reserve.

“The modifications that the FBI would have Apple make would be easily portable to any other version of iOS. There is very little of iOS that differs between iPhone versions,” Guido told Defense One.

FBIOS would potentially work to break into other, but not all, iPhones. In an editorial on Sunday, Comey said that the danger of FBIOS to other phones was “limited and its value increasingly obsolete because the technology continues to evolve.”

Apple has indeed advanced its technology since the 5C, which would limit the damage that FBIOS could do to consumers’ phones across the globe. Newer operating systems have a feature called the Secure Enclave, or SE. It’s literally a secure little enclave in your phone, a separate small computer contained inside the shell that serves as a data panic room.

When you interact with your phone’s TouchID (if your phone is a version 6 or higher and has a TouchID), you’re interacting with the SE. It manages the phone’s encryption keys, and you can’t get it to behave differently by uploading a new operating system to the phone. In phones that have an SE, it also manages the feature that makes the user wait to enter the passcode after unsuccessful attempts, a defense against precisely the sort of brute force attack that the FBI is trying to run.

The presence of the SE on newer iPhones would mean that they would be protected from FBIOS, making FBIOS less dangerous to regular iPhone owners, which would help the FBI’s case. But that doesn’t mean that the newer iPhones would be impervious to newer versions of FBIOS or combination attacks, if the company was mandated to perform those on its own devices.

“Apple would have to make further modifications to those phones to achieve the same effect that the FBI wants,” Guido told Defense One. “But the level of difficulty we are talking about is not high and much of the legwork would already be done with the original modifications for the 5C.”

He outlines more of his thoughts on what this hack would look like in this blog post.

That’s why the particular legal tactic that the FBI is using in this case, the All Writs Act, is of such concern to many in the technology and legal community and to Apple. In its motion on Thursday, Apple said, “The All Writs Act does not support such sweeping use of judicial power, and the First and Fifth Amendments to the Constitution forbid it.”

The San Bernardino case isn’t the only case where FBI officials are asking Apple to make them special software to break into phones. In a letter from Apple attorney Marc Zwillinger to U.S. Magistrate Judge James Orenstein, the company showed that it’s facing nine orders in cases that involve newer operating systems. In fact, Apple is facing 12 other known cases where the FBI is attempting to use the All Writs Act to make it open phones; some of those phones are version 6 or higher. If the FBI is able to compel Apple to make FBIOS work for the 5C in the San Bernardino case, it could make the company modify it, or devise a combo hack, against newer phones with an SE.

The New World

Both Apple and lawmakers say that technology is hurtling toward a future where even Apple won’t be able to break into its own phones, even if ordered to do so.

The New York Times on Wednesday, quoting sources within Apple, said that the company was working to further upgrade the security of its devices to put consumer data permanently beyond the reach of law enforcement, or even the company itself.

Guido told Defense One that this would be “feasible” for Apple.

“They have already isolated all the important data within the Secure Enclave on newer phones. Now they need to secure it so that they cannot strip away the protections from the Secure Enclave,” he said. “If you have a 6-character or greater alphanumeric passcode then even the ‘FBiOS’ modifications would be unable to crack your phone,” he said.

At Thursday’s hearing, Comey told lawmakers that “a world of universal strong encryption” was one where the FBI would be paralyzed in its efforts to protect people, an evocative and more pointed version of the director’s “going dark” argument.

“When I hear corporations saying I want to take you to a world where no one can look at your stuff, part of me thinks that’s great, I don’t want anybody looking at my stuff… Law enforcement, which I’m part of, really does save people’s lives, rescue kids, rescue neighborhoods from terrorists, and we do that a whole lot through court orders that are search warrants; and we do it a whole lot through search warrants that are [for] mobile devices. We are going to move to a world where that is not possible anymore? The world will not end but it will be a different world than where we are today and where we were in 2014 and so we just have to make sure that the bureau explains to folks what the costs are,” he said.
