Apple had so far seemed to be in possession of the ultimate trump card in this situation: since iOS 8, it has been able to simply shrug and say that iPhones are encrypted and Apple doesn’t have the key. Even if a court ordered it to break into an iPhone, it would be unable to do so.
But while this is correct, security company Trail of Bits has described in a blog post how Apple could still make it possible for the FBI to hack into the phone …
It’s already possible to hook up an iPhone to a device which tries to brute-force the passcode by simply starting at 0000 and working through to 9999. The problem for the FBI is that iOS has a couple of security systems designed to defeat this.
First, you can set your iPhone to automatically erase all data after 10 failed passcode attempts (Settings > Touch ID & Passcode > Erase Data). Any tech-savvy terrorist or criminal is going to have this turned on.
Second, iOS enforces increasing delays between failed passcode attempts:
1-4 attempts: no delay
5 attempts: 1 minute
6 attempts: 5 minutes
7-8 attempts: 15 minutes
9 attempts: 1 hour
This explains why the FBI’s attempts to gain access in this way have still not succeeded some two months after they began.
But, argues Trail of Bits, it would be possible to put the iPhone into DFU mode and then overwrite the firmware with a version that has neither the auto-erase mode nor delays between passcode attempts. The FBI could then trivially brute-force its way into the phone.
The FBI can’t overwrite the firmware because the device checks for a valid Apple signature. The FBI doesn’t have this. But Apple does. Apple could thus create signed firmware without the protections designed to defeat brute-force attacks, and hand the phone back to the FBI.
All this supposes that iPhone is only protected by a 4-digit passcode, however. If a complex password was used, no-one in the FBI would live long enough to gain access.
Trail of Bits goes on to argue that the Secure Enclave would further complicate things on some devices. This wouldn’t apply in this particular case – as the iPhone 5c doesn’t have a Secure Enclave – but the company suggests that on later devices this would prevent Apple changing the firmware on a locked phone, and that the Secure Enclave itself cannot be overwritten without effectively erasing the device.
Others, however, have said this part of the blog post isn’t accurate. John Kelly, head of info security at Square, who previous worked for Apple on embedded security and thus presumably knows his stuff, says that it is perfectly possible for Apple to overwrite the Secure Enclave firmware without preventing access.
@AriX I have no clue where they got the idea that changing SPE firmware will destroy keys. SPE FW is just a signed blob on iOS System Part
All of which means that Apple can no longer rely on claiming that it cannot assist law enforcement agencies to break into iPhones: it will instead have to fight in court on the merits of the argument that it should not do so. That’s going to be a tough argument to win, but Apple appears determined – and I think the company is absolutely right in its stance.