Apple receives so many police demands to decrypt seized iPhones that it has created a “waiting list” to handle the deluge of requests, CNET has learned.
Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year.
An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, “contacted Apple to obtain assistance in unlocking the device,” U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was “placed on a waiting list by the company.”
A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he “attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock” an iPhone 4S. But after each police agency responded by saying they “did not have the forensic capability,” Maynard resorted to asking Cupertino.
Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple’s litigation group. It’s unclear how long the process took, but it appears to have been at least four months.
The documents shed new light on the increasingly popular law enforcement practice of performing a forensic analysis on encrypted mobile devices — a practice that can, when done without a warrant, raise Fourth Amendment concerns.
Last year, leaked training materials prepared by the Sacramento sheriff’s office included a form that would require Apple to “assist law enforcement agents” with “bypassing the cell phone user’s passcode so that the agents may search the iPhone.” Google takes a more privacy-protective approach: it “resets the password and further provides the reset password to law enforcement,” the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
Ginger Colbrun, ATF’s public affairs chief, told CNET that “ATF cannot discuss specifics of ongoing investigations or litigation. ATF follows federal law and DOJ/department-wide policy on access to all communication devices.”
In a separate case in Nevada last year, federal agents acknowledged to a judge that they were having trouble examining a seized iPhone and iPad because of password and encryption issues. And the Drug Enforcement Administration has been stymied by encryption used in Apple’s iMessage chat service, according to an internal document obtained by CNET last month.
The ATF’s Maynard said in an affidavit for the Kentucky case that Apple “has the capabilities to bypass the security software” and “download the contents of the phone to an external memory device.” Chang, the Apple legal specialist, told him that “once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive” and delivered to the ATF.
It’s not clear whether that means Apple has created a backdoor for police — which has been the topic of speculation in the past — whether the company has custom hardware that’s faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET.
Mobile device users should take this as a warning that Google and Apple can provide access to data stored on an encrypted device at least in some circumstances, says Christopher Soghoian, principal technologist with the ACLU’s Speech, Privacy and Technology Project.
“That is something that I don’t think most people realize,” Soghoian says. “Even if you turn on disk encryption with a password, these firms can and will provide the government with a way to get your data.”
An August 2012 article in MIT Technology Review by Simson Garfinkel, an associate professor at the U.S. military’s Naval Postgraduate School, says “Apple customers’ content” is so well-protected that often “it’s impossible for law enforcement to perform forensic examinations of devices seized from criminals.”
That depends largely, however, on the length of the passphrase or password that someone selects to protect a modern iOS device. (Because the original iPhone and iPhone 3G did not use hardware encryption, they were protected only by a passcode that could be easily bypassed.)
Elcomsoft claims its iOS Forensic Toolkit can perform a brute-force cryptographic attack on a four-digit iOS 4 or iOS 5 passcode in 20 to 40 minutes. “Complex passcodes can be recovered, but require more time,” the company’s marketing literature says. But the iPhone 5 doesn’t appear in Elcomsoft’s list of devices that can be targeted.
Garfinkel estimates that if a user chooses a six-digit passcode, the maximum time required to guess the number would be 22 hours, while a nine-digit PIN would require two and a half years. A 10-digit PIN would take 25 years. Average times, of course, cut those maximum brute-force durations in half, and that could be whittled down much further if it’s possible to guess PINs a suspect is more likely to use. …
You might use something like this to generate your password:
RANDOM.ORG offers true random numbers to anyone on the Internet. The randomness comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs.
But of course, any random numbers you downloaded over the Internet were probably intercepted.
Even if the random data is intended for a one-time download only, the random data can be compromised. Never use downloaded random data if security or legal issues are of concern. – http://randomnumber.org/download.htm
Here’s a quick secure random number generator:
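An added example, not part of the original post: it generates the passcode locally from the operating system's CSPRNG, so nothing is downloaded, and sizes it against the brute-force times quoted above. The per-guess cost is an assumption back-derived from the article's 22-hour figure for six digits, and all function names are illustrative.

```python
import secrets
import string

# Assumption: per-guess cost back-derived from the article's figure that a
# six-digit passcode (10**6 candidates) takes at most 22 hours to exhaust.
SECONDS_PER_GUESS = 22 * 3600 / 10**6      # about 0.079 s
SECONDS_PER_YEAR = 365.25 * 86400


def random_passcode(length, alphabet=string.digits):
    """Build a passcode locally from the OS CSPRNG.

    secrets.choice() picks each symbol uniformly (no modulo bias), and
    building a string keeps leading zeros that an integer would lose.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def worst_case_seconds(length, alphabet_size=10):
    """Time to try every candidate at the assumed per-guess cost."""
    return alphabet_size ** length * SECONDS_PER_GUESS


def shortest_length_for(target_years, alphabet_size=10):
    """Smallest length whose average-case search (half the worst case)
    still takes at least target_years."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while worst_case_seconds(length, alphabet_size) / 2 < target:
        length += 1
    return length


if __name__ == "__main__":
    for n in (4, 6, 9, 10):
        hours = worst_case_seconds(n) / 3600
        print(f"{n} digits: {hours:,.1f} hours worst case")
    digits_needed = shortest_length_for(10)
    print("10-year numeric passcode:", random_passcode(digits_needed))
    alnum = string.ascii_lowercase + string.digits
    chars_needed = shortest_length_for(10, len(alnum))
    print("10-year alphanumeric passcode:", random_passcode(chars_needed, alnum))
```

The same per-guess cost is assumed for the alphanumeric case; only the size of the search space changes.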
I tend to support law-abiding individuals using strong encryption in the super information age.