FBI and DA – “Apple is being irresponsible”


A federal judge has ordered Apple to aid FBI investigators in decrypting data on an iPhone used by Syed Rizwan Farook, one of the San Bernardino shooters.

Apple has provided resources and technical information in support of federal investigators but is not willing to design and develop software to circumvent security measures on the iPhone platform used to protect customer data and privacy.

The court order against Apple is novel because it compels the company to create a new forensic tool that provides the ability to break long-standing encryption standards used worldwide by most computers and networks, not merely to turn over information in Apple’s possession.

Apparently –

The FBI and a number of federal DAs around the country have a large collection of devices (phones, tablets and computers) with encrypted data that may be valuable, but claim to have no method of decrypting the data to know if it’s valuable or useless.

Using public outrage and fear generated by the San Bernardino attack –

The FBI and federal DAs are attempting to place public pressure on Apple (Google, Microsoft, and others) to create methods to access encrypted data on devices.

Apple CEO Tim Cook said –

“the government’s request would imperil all iPhone owners”, a position supported by Google CEO Sundar Pichai. “The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers – including tens of millions of American citizens – from sophisticated hackers and cyber criminals”. Tim Cook is rightfully saying, be careful what you wish for.

The iPhone, other cellphones, tablets and computers rely on the same encryption standards –

That are used by corporations and Government computer systems worldwide, the Internet and private networks.
If these encryption standards are compromised (with the best of intentions), improved encryption methods would be required at once to ensure safety and security.

The FBI claims the iPhone recovered from one of two shooters (who killed 14 people in San Bernardino) may contain critical information; without this information, countless criminal prosecutions could be harmed.

At this point, the FBI and DA have no proof any useful information exists on the recovered iPhone.
District Attorney Cyrus Vance was able to convince a federal judge that valuable information exists on the phone. Vance’s office claims to have 175 seized iPhones that remain inaccessible despite court orders allowing prosecutors to search the devices. Officials cite device security as the issue preventing them from knowing if useful information exists.

DA Cyrus Vance called the iPhone the “first consumer product in history designed to be warrant proof”. “The San Bernardino attack, carried out by a young married couple apparently inspired by Islamic State, is the most visible example of how Silicon Valley’s decisions are thwarting criminal investigations and impeding public safety”. “The case is just part of a larger problem that encryption creates for more common crimes like homicide, sexual abuse and identity theft”.

Americans want terrorists found and attacks prevented

Shouldn’t Apple do everything within its power to aid the FBI?

If information on one iPhone could help wouldn’t that be wonderful?

No legal case lives in a vacuum

If Apple is forced to develop new software attempting to bypass even a few layers of device security –

  • Would this open a floodgate of law enforcement requests?
  • What about civil cases? Opening a phone to support a divorce or child custody battle?
  • What about requests from other nations?

These things won’t happen, it’s only a request for help with one iPhone –

  • Legal precedent builds over time as cases are won or lost in a court of law.
  • Major issues are decided based on a series of small decisions made in cases that build on each other (case law).
  • The crux of this round of encryption debate is whether companies can be forced to not just provide available information but incur the cost and expense of creating new software designed for the sole purpose of circumventing even a few layers of device security to aid the government. If the answer is “yes”, the next logical step is to not provide device security, or to provide the ability to bypass all device security.
  • BlackBerry and other companies are required by laws in China and UAE to compromise security of devices by providing back doors into devices. This has led to citizens purchasing phones out of the country or installing additional security software on devices.

For thousands of years encryption methods have existed –

To keep private information private. As these methods were bypassed (decrypted), new methods have been invented in an attempt to keep information private.

The FBI and federal DA’s office seem to be saying “no resources exist within the federal government to decrypt information on devices recovered from persons involved in a major terror attack within the USA”.

Really? Are you sure?

Has the DA's Office read the following? - 
1) NSA can break trillions of encrypted Web and VPN connections.
2) Feds plow resources into “groundbreaking” crypto-cracking program, Cryptologic Program has 35,000 employees.

The highly respected FBI can’t decrypt data without help from outside private companies?

Or, make a phone call to the NSA or DIA for help?

Am I the only one that finds this difficult to believe?

Perhaps,

  • The FBI and DA are attempting to gain public support for law enforcement to have manufacturer provided data access methods on all privately owned devices?
  • The FBI and DA are pointing out that new laws are needed requiring all devices with storage to provide untethered access to data when the device is under court order? A master key for any encryption methods.
  • Our federal government has deliberately selected the highest-profile domestic terrorism case in possibly a decade to raise the debate between information privacy vs. the government’s right to search?
  • It’s easier to file a court order against Apple than to ask for and receive help from another federal department?

A modern day wire tap with access to everything on a device

Compelled by new laws (with FCC enforcement), cellphone manufacturers could provide devices that allowed complete remote access. A modern day wire tap with access to everything on a device. Of course, these new devices would not be secure. If it is easy for one person to get in, it will be easy for others.

How is data on cellphones, computers and networks secured?

Most cellphones, computers and networks use many layers of security to ensure access is authorized, company and medical records are secure, and online banking and shopping are safe. A number of encryption standards exist; one of the most popular is AES.

The Advanced Encryption Standard (AES) is a trusted encryption standard developed by two cryptographers, Joan Daemen and Vincent Rijmen, with funding from the U.S. National Institute of Standards and Technology (NIST) in 2001. The AES standard is complex math that can encrypt and decrypt data using a key. The key can be different sizes, from 128 bits to a stronger key of 192, 256 or larger for even stronger encryption. AES is considered impervious to attacks, with the exception of brute force methods, which attempt to decrypt data by trying all combinations of 128, 192, 256 or larger keys. AES encryption is used by the U.S. Government, many countries, companies and private citizens worldwide.

Apple uses encryption standards to keep customer data safe.

Apple did not design, create or fund the development of AES encryption standards used on the iPhone. Like many other computer companies they rely on industry standards to provide security features.

Does the DA’s Office understand that a department of the Federal Government wrote the requirements and funded the development of the encryption standard they are asking Apple to break?

Data security on iPhones

Statistically, given current encryption standards (AES, DES3, RSA, Blowfish, Twofish), available computing resources and limitless amounts of time, encryption keys can be found using a brute force method (trying every possible key combination to open a lock). Most do not have massive computing resources available or limitless amounts of time. Realistically, AES 256 is secure.

Apple iOS devices use an AES 256-bit crypto engine that encrypts device storage. The engine works in conjunction with a SHA-1 cryptographic hash function which is implemented in hardware to reduce overhead for cryptographic operations. As with most modern computers, each device contains a unique identifier (UID) fused into each processor that can be used as part of an AES 256-bit key. The UID is specific to the device and is not recorded anywhere outside the device. No software or firmware can read the UID directly. Only the results of encryption and decryption operations can be read. The UID is unique and fixed in each device; it cannot be tampered with or bypassed, and only the crypto engine can access it. As a result, data is cryptographically tied to a specific device and cannot be read by any other identifier or device.

Each data file on a device is associated with a specific security class that allows different levels of accessibility. The encryption and decryption operations associated with each security class are based on a security key hierarchy that utilizes the device’s UID and passcode, plus a class key, file system key and per-file key. The per-file key is used to encrypt the file content. The class key is used to wrap the per-file key, which is stored in the file’s metadata. The file system key is used to encrypt the metadata. The UID and passcode protect the class key.
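
A simplified model of the key hierarchy described above, as an added example that is not Apple's code or part of the original post. An HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES wrapping (Python's standard library has no AES), PBKDF2 salted with the UID stands in for the hardware tie between passcode and UID, and every function name, UID and passcode here is constructed for illustration.

```python
import hashlib, hmac, os

def _hm(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream); NOT AES, used for illustration only.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_hm(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(key, plaintext):  # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = _xor(_hm(key, b"enc"), nonce, plaintext)
    return nonce + ct + _hm(_hm(key, b"mac"), nonce + ct)

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _hm(_hm(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified data")
    return _xor(_hm(key, b"enc"), nonce, ct)

def passcode_key(uid, passcode, iterations=20_000):
    # The UID salts the derivation, so a guess can only be tested with this device's UID.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, iterations)

def provision(uid, passcode):
    class_key, fs_key = os.urandom(32), os.urandom(32)
    wrapped = wrap(passcode_key(uid, passcode), class_key)  # UID + passcode protect class key
    return {"wrapped_class_key": wrapped, "fs_key": fs_key}, class_key

def write_file(class_key, fs_key, data):
    file_key = os.urandom(32)
    metadata = wrap(class_key, file_key)          # class key wraps the per-file key
    return {"metadata": wrap(fs_key, metadata),   # file system key encrypts metadata
            "content": wrap(file_key, data)}      # per-file key encrypts the content

def read_file(device, stored, uid, passcode):
    class_key = unwrap(passcode_key(uid, passcode), device["wrapped_class_key"])
    file_key = unwrap(class_key, unwrap(device["fs_key"], stored["metadata"]))
    return unwrap(file_key, stored["content"])

def demo():
    uid_a, uid_b = os.urandom(32), os.urandom(32)  # constructed stand-ins for fused UIDs
    device, class_key = provision(uid_a, "493817")
    stored = write_file(class_key, device["fs_key"], b"constructed sample note")
    out = {"owner": read_file(device, stored, uid_a, "493817")}
    for label, uid, code in (("other_uid", uid_b, "493817"), ("bad_passcode", uid_a, "000000")):
        try:
            out[label] = read_file(device, stored, uid, code)
        except ValueError:
            out[label] = "refused"
    return out
```

Calling `demo()` returns the plaintext for the owner and `"refused"` for both the other UID and the wrong passcode, which is the sense in which stored data is tied to one device.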

According to Apple documentation, a brute-force attack on a device that uses a nine-digit numerical passcode would require 2.5 years to try all possible combinations. iOS uses escalating time delays to help discourage brute force attacks. A six character passcode that uses numbers and lowercase letters would require 5.5 years to decrypt.

Most devices provide the ability for sensitive data to be erased automatically after a set number of failed passcode attempts. By default, Apple allows 10 failed attempts before customer data is erased.
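
The arithmetic behind the two figures quoted above, as an added example (not from the original post or from Apple). It derives the per-guess cost each figure implies, then applies that cost and the 10-attempt erase limit to 4- and 6-digit PINs, which are assumed policies not discussed on the page.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def search_space(alphabet_size, length):
    """Number of possible passcodes of exactly `length` symbols."""
    return alphabet_size ** length

def implied_seconds_per_guess(space, years_to_exhaust):
    """Per-guess cost implied by a quoted 'time to try all combinations'."""
    return years_to_exhaust * SECONDS_PER_YEAR / space

def chance_before_erase(space, allowed_attempts=10):
    """Probability that a guesser hits the passcode before the auto-erase limit."""
    return min(1.0, allowed_attempts / space)

# Figures quoted on the page: (alphabet size, length, years to try everything).
QUOTED = {
    "9-digit numeric": (10, 9, 2.5),
    "6-char lowercase+digits": (36, 6, 5.5),
}

def per_guess_costs():
    return {name: implied_seconds_per_guess(search_space(a, n), years)
            for name, (a, n, years) in QUOTED.items()}

def assess(policies, seconds_per_guess):
    """Per policy: (space, days to exhaust with no limits, chance within erase limit)."""
    out = {}
    for name, (alphabet, length) in policies.items():
        space = search_space(alphabet, length)
        out[name] = (space, space * seconds_per_guess / 86400, chance_before_erase(space))
    return out

if __name__ == "__main__":
    costs = per_guess_costs()
    for name, cost in costs.items():
        print(f"{name}: {cost * 1000:.1f} ms per guess")
    average = sum(costs.values()) / len(costs)
    # Assumed policies, not discussed on the page.
    policies = {"4-digit PIN": (10, 4), "6-digit PIN": (10, 6), "9-digit numeric": (10, 9)}
    for name, (space, days, chance) in assess(policies, average).items():
        print(f"{name}: {space:,} codes, {days:,.2f} days unrestricted, "
              f"{chance:.4%} within 10 attempts")
```

Both quoted figures work out to roughly 80 ms per guess, so for short numeric codes the protection comes from the time delays and the erase limit rather than from the size of the search space.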

Near impossible for Apple to decrypt customer data…

Even if Apple used resources to bypass three layers of device security –

a) device owner’s passcode

b) security attempt time delays

c) automatic erasing of customer data on failed access attempts

Any data files stored by the iPhone would be unreadable without the correct AES 256-bit key needed to decrypt each data file.

Two decryption methods exist without a Customer Passcode or Device UID…

1) Brute Force

To attempt every possible AES 256-bit key combination would require a dedicated, massive data center complex working 24/7/365 attempting each possible key then deciding if any data was decrypted. This approach could easily cost hundreds of millions of dollars to design, create and deploy, and take years to decrypt the data.

2) Isolating an implementation imperfection or mathematical flaw in AES encryption

An implementation, weak key, or mathematical flaw has not yet been discovered for AES encryption. A number of proposals have surfaced but none have been proven to take less time than Brute Force. Such an error may never be found.

Regardless, to attempt the hunt for such an error would require the best mathematicians in the world. Assuming, for a moment, they were available and willing to devote years to work on the project, the effort would require hundreds of millions of dollars to staff, design and develop the environment, then years of effort to deploy, configure and make perhaps millions of failed attempts before either proving or disproving that a weakness exists that could decrypt the data files.

Finally, if broken, AES encryption would no longer be widely used in the world. A new secure encryption method would be required to prevent unauthorized access to devices and data. Perhaps, starting with Twofish.

Security and encryption is not unique to Apple devices, it is necessary on all computer devices…

Most understand that credit cards, bank accounts, social security numbers, driver licenses and passport information need to be kept secure. Worldwide infrastructure (Power, Water, Manufacturing, and Travel) must be secure.

Almost every computer device relies on encryption standards for data protection, and access control worldwide.

The complex math used to keep information secure on computers and networks is what the FBI and federal DA are asking Apple to circumvent. Apple didn’t invent AES encryption but assuming they were able to create a team willing to attempt this task –

  • Wouldn’t this direction cause new encryption software to be developed with even better security?
  • What if the developers of “better security” encryption software were outside federal jurisdiction? Then what?

Is there a better approach to this problem?
One that doesn’t ask Apple (Google and others) to endanger encryption and security standards?

Can we agree –

  • Fear mongering the public into allowing our constitutional freedoms to be eroded, after thousands died protecting these rights, may not be the best approach to this problem?
  • That anything provided by a device manufacturer (Apple, Google, etc) to decrypt data is at best a very temporary solution that will be defeated because demand exists for protection and privacy on devices?

What if –

  • The federal government used its technical talent and massive computing resources to decrypt (what may be important) data before issuing court orders to private companies?
  • Then kept this ability to decrypt data private and secure?
  • For emergency use only in critical times involving National Security?

This worked for the Polish Cipher Bureau, French and British Intelligence that broke the German Enigma code and carefully used the ability to help end WWII.

Do we have a right to security and privacy?

If we have a right to security and privacy of our devices and our communications, and the right to tools to defend ourselves from the government and criminals, don’t we also need to accept that these same tools can be used for evil?

It is the responsibility of law enforcement to enforce US laws, and to carry out investigations attempting to discover people breaking the law or planning to break the law, within the privacy limits that exist within the law.

Law Enforcement is not allowed to break the law in its attempt to discover unlawful acts or when enforcing the law. While some may not support the idea of security and privacy, it is a personal freedom that many Americans have died providing, protecting and defending.

What the FBI is requesting may be illegal and specifically forbidden by Congress

Has the Federal DA or FBI read the “Communications Assistance for Law Enforcement Act” (CALEA Law)?

Section 103: Assistance Capability Requirements

(b) LIMITATIONS

(1) DESIGN OF FEATURES AND SYSTEMS CONFIGURATIONS.—This title does not authorize any law enforcement agency or officer—

(A) to require any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services; or

(B) to prohibit the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.

(2) INFORMATION SERVICES; PRIVATE NETWORKS AND INTER-CONNECTION SERVICES AND FACILITIES.—The requirements of subsection (a) do not apply to—

(A) information services; or

(B) equipment, facilities, or services that support the transport or switching of communications for private networks or for the sole purpose of interconnecting telecommunications carriers.

(3) ENCRYPTION.—A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.


Apple has multiple legal defenses

Per 103(b)(1)(A) the government doesn’t have the authority to require any specific designs or system configurations. However, the FBI is demanding Apple design and create new software that theoretically could modify every device.

Per 103(b)(3), the device is encrypted by the customer when they set up their device PIN code the first time. Apple is specifically not responsible for “decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer.”

Per 103(b)(3), Apple has stated they do not have the keys required to decrypt the device. Apple did not provide the encryption standard or method used; the US Government funded the development of AES encryption.

Congress explicitly denied the FBI the authority via CALEA legislation, and refused to re-legislate the issue despite repeated hearings where the FBI director has repeatedly expressed a “need” for this authority.

The Math – 

That provides worldwide computer safety and security, that is largely taken for granted, is at risk due to a court order. If our best encryption methods are broken, will the data gained from one iPhone be worth risking the safety and security of the world’s networks and computer systems?

Perhaps, Apple is being responsible.

In America, personal freedoms were gained by courage and sacrifice of those before us.

Isn’t each generation entrusted to be vigilant of government attempts to overstep its authority?

While understanding it is normal for Government and Law Enforcement to always seek more power, each of us has a responsibility to vote for government that does not seek to weaken the freedoms of the many because of the crimes of the few.

Isn’t it true that Laws and Law Enforcement will never be able to guarantee Public Safety by reducing personal freedoms and increasing electronic surveillance?

Aren’t we all responsible and given the right of self-protection?

A good example would be the Paris Train Attack that was stopped, not by Law Enforcement, but Citizens taking risks to save not only their lives but the lives of others.
