Apple’s Security Can be Bypassed?

A judge has ordered Apple to comply with the FBI’s request to bypass the security features of an iPhone used by a San Bernardino terrorist. In an open letter, Apple CEO Tim Cook has explained that what the government is requesting threatens the security of all their customers. In effect, the FBI admits that they cannot decrypt the data on an iPhone without knowing the phone’s passcode. The FBI knows that not even Apple can decrypt the data. However, they have surmised that if they can load a version of iOS that does not include certain security features that defeat brute-force password attacks, then they can crack the passcode, which might only take minutes in a best-case scenario. They claim Apple can create a version of iOS without these security features and load it on the iPhone in question, after which the FBI can attempt to brute-force guess the passcode.

Technology experts are warning that if Apple is forced to comply with this order it would have far-reaching consequences for the technology industry, privacy, and security. I am of the mind that the federal government does not have this authority at all, either at the legislative or executive level, much less a federal magistrate of a US District Court in California. It is an unreasonable, overreaching request of a technology company to share a method of bypassing security features in their own product. But there is plenty of discussion of that already. The question I’m surprised so few are asking is why the possibility even exists for Apple to defeat their own security functions?

The key point to consider is that the magistrate conceded that the FBI’s request may not be technically feasible and allowed Apple to respond if that is the case. Instead of stating that this request just isn’t technically possible, as Apple has done in the past with other law enforcement requests, Tim Cook has vowed to fight this order, which to me seems to imply that Apple COULD comply with the order. I found one article that describes a technically workable process by which Apple could comply with the FBI’s request. The article does speculate that newer iOS devices with a feature called the Secure Enclave may not be able to be hacked into by the process the FBI is requesting, but that is not certain. The iPhone 5C in question does NOT contain the Secure Enclave feature, so that point is moot in this particular case, yet it does call into question the overall security of older iPhones and possibly newer iPhones, pending the question of the security hardness of the Secure Enclave feature.

The reality is this: if Apple can technically comply with the FBI’s request, it means that a backdoor to iPhone security does, in fact, exist. Yes, it is a closely guarded secret by Apple, but in theory, this backdoor could be exploited if the secret key that Apple uses to sign their iOS updates is compromised. I would like to hear more about this from experts more versed in this topic than I am as well as an explanation from Apple if this backdoor does in fact exist.