The LA Times reports despite having a cell phone that was owned by one of the two San Bernardino terrorist attackers, the FBI has been unable to decrypt the device. The head of the FBI James B. Comey told the Senate Intelligence Committee that after more than two months FBI technicians were unable to read the data. The brand and OS of the device has not been released.
Related Stories
Judge Orders Apple to Unlock iPhone Belonging to San Bernardino Shooter
Apple has been ordered to assist in the unlocking of an iPhone belonging to one of the San Bernardino shooters. This may require updating the firmware to bypass restrictions on PIN unlock attempts:
Apple must assist the FBI in unlocking the passcode-protected encrypted iPhone belonging to one of the San Bernardino shooters in California. US magistrate Sheri Pym says Cupertino must supply software that prevents the phone from automatically annihilating its user data when too many password attempts have been made.
The smartphone belonged to Syed Farook, who with his wife Tashfeen Malik shot and killed 14 coworkers on December 2. The couple died in a gun battle with police soon after. Cops have been unable to access Syed's iPhone 5C because they do not know the correct PIN, and will now gain the assistance of Apple, as ordered by Judge Pym [PDF] on Tuesday.
iOS 8 and above encrypts data on devices, requiring a four to six-digit PIN to unlock. After the first few wrong guesses, iOS waits a few minutes between accepting further PIN entry attempts, escalating to an hour's delay after the ninth failed login.
[...] Judge Pym wants Apple to come up with some magic software – perhaps a signed firmware update or something else loaded during boot-up – that will allow the FBI to safely brute-force the PIN entry without the device self-destructing. This code must only work on Farook's phone, identified by its serial numbers, and no other handset. The code must only be run on government or Apple property, and must not slow down the brute-forcing process.
Apple has five days to appeal or demonstrate that it cannot comply with the order. It is crucial to note that the central district court of California has not instructed Apple to crack its encryption – instead it wants Apple to provide a tool to effectively bypass the unlocking mechanism. "It's technically possible for Apple to hack a device's PIN, wipe, and other functions. Question is can they be legally forced to hack," said iOS security expert Jonathan Ździarski.
James Comey has been asked by President Trump to stay on as Director of the Federal Bureau of Investigation. Comey is three years into a ten-year term.
News at NYT (which broke the story), USA Today, Washington Post, CNN, and The Hill.
Here's the bulk of our extensive past coverage of FBI Director Comey's career (oldest first):
2014:
FBI Director Concerned about Encryption on Smartphones
F.B.I. Director Calls "Dark" Devices a Hindrance to Crime Solving
To FBI Director Comey: You Reap What You Sow!
2015:
F.B.I. Has No Doubt that North Korea Attacked Sony, says Director
FBI Chief Links Video Scrutiny of Police to Rise in Violent Crime
2016:
Apple Ordered by Judge to Help Decrypt San Bernadino Shooter's phone
FBI Unable to Decrypt California Terrorists' Cell Phone
FBI vs. Apple Encryption Fight Continues
New York Judge Sides with Apple Rather than FBI in Dispute over a Locked iPhone
Apple Lawyer and FBI Director Appear Before Congress
FBI Error Locked San Bernardino Attacker's iPhone
FBI's iPhone Hack Only Works on 5C and Older
Washington Post: The FBI Paid "Gray Hat(s)", Not Cellebrite, for iPhone Unlock
FBI Director Blames 'Viral Video Effect' for Spike in Violent Crime
FBI Recommends No Prosecution for Clinton
FBI Chief Calls for National Talk Over Encryption vs. Safety
(Score: 4, Insightful) by DeathMonkey on Wednesday February 10 2016, @08:52PM
Several months with physical access to the device. I'm sure it totally couldn't have been brute forced by now....
BS Detector Overload!
(Score: 4, Insightful) by frojack on Wednesday February 10 2016, @09:04PM
They are Dead Jim.
Nothing much to be gained now that can't be gained by traffic analysis. Actual messages or emails are likely to be cryptic as well as encrypted, so its probably a huge waste of time.
But that that doesn't mean they can't milk it lobbying congress for a back door.
No, you are mistaken. I've always had this sig.
(Score: 2) by RedGreen on Wednesday February 10 2016, @10:50PM
Indeed and I am totally shocked that the it is for the children angle is not involved/exploited in this or the fossil McCain story earlier.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by RedGreen on Wednesday February 10 2016, @10:59PM
And I would if they ever do get the back doors into devices or encryption then only the real criminals will have the unbreakable shit then all our privacy will have been tossed aside for nothing.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 0) by Anonymous Coward on Wednesday February 10 2016, @11:27PM
This. Win. We can't get it. Need laws to help us.
But also win 2. We did get in and found actionable Intel. We don't want it buried so say we have nothing.
They have nothing to gain saying they broke it. No laws needed if they can. And on rare chance they found something good it isn't good now that everyone knows.
(Score: 3, Insightful) by CirclesInSand on Thursday February 11 2016, @03:53AM
Brute forcing a disk isn't like brute forcing a factorization or brute forcing a password hash. The latter 2 you can verify correctness nearly instantly, but how do you write an algorithm that quickly determines if a disk is in a valid state?
(Score: 5, Funny) by Snotnose on Wednesday February 10 2016, @08:54PM
I've got a file of 10,000 4 digit PINs, think I can sell it to them?
When the dust settled America realized it was saved by a porn star.
(Score: 2) by bob_super on Wednesday February 10 2016, @10:12PM
Hear that knock at the door? You're clearly holding classified information, since your list probably includes the pentagon's chiefs' password.
You can try to run while they confirm it's in the list. You have 1234 seconds.
(Score: 3, Informative) by LoRdTAW on Thursday February 11 2016, @12:10AM
There is an easier way to narrow down the code. If they recovered the phone from the suspect, DON'T TOUCH THE SCREEN!
Why? Take your cell phone and hold it an angle until light glares off of it. If you use a swype pattern like on android or tap to unlock, there will be very noticeable pattern of prints. The only thing that can obfuscate that is if they play a game or swype around a lot after unlocking. But most casual users will unlock and check a few messages. If you have screen protector it gets worse as the plastic will become scratched/worn from the constant pattern and be more visible.
(Score: 2) by Snotnose on Thursday February 11 2016, @12:46AM
Love it when I steal a joke to make a funny and get marked +5 insightful :)
When the dust settled America realized it was saved by a porn star.
(Score: 2) by rob_on_earth on Thursday February 11 2016, @07:53AM
(Score: 5, Insightful) by goodie on Wednesday February 10 2016, @09:03PM
...that's just some made up crap to justify their "we need more money and control over all encryption keys from all device manufacturers because.... terrorists!" facade.
(Score: 4, Insightful) by takyon on Wednesday February 10 2016, @09:29PM
I'm not so sure.
The whole point of device encryption is to be able to thwart law enforcement and other nasties. In this case it appears to have worked as intended.
Now that the FBI has a topical and maybe [theintercept.com] not fake [theintercept.com] example, Director James Comey can be launched out onto the whine circuit once again.
The challenge will be for us to convince the ignorant public that it is just fine that the San Bernardino attacker's phone can't be accessed. Although as long as the public doesn't pay attention to either side of the debate, and encryption continues to work, maybe it doesn't matter.
Bottom line is that it's plausible rather than "just some made up crap". If the device encryption implementation is sound, the FBI shouldn't be able to get in, unless they have some great hacks [theintercept.com].
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Interesting) by ledow on Wednesday February 10 2016, @10:18PM
It's not the first. Several high profile cases have fallen through in the US and the UK because of an inability to decrypt devices.
Remember, we're pretty sure - with the TrueCrypt audit - that any up-to-date port of the TrueCrypt code is pretty impregnable to anything but brute-force, and brute-force takes - basically - forever.
Nobody has yet decrypted the WikiLeaks "insurance" file, either.
The whole point of encryption is that you can give your adversary your encrypted data. So long as you keep the key itself secret, it's no different to random data. Generally, compromises of encrypted systems like that require someone to put the password into a compromised device, or attack weaknesses in the implementation. Nobody has yet shown a viable (i.e. would work this century) attack on the actual algorithms that are recommended nowadays.
(Score: 2) by arslan on Wednesday February 10 2016, @10:47PM
Eh? If you're the owner of said cell phone device, how do you access it? Via a 4 digit pin... at most extend that to 6 digit. How hard is it to brute force? Fingerprints? Well how hard is it to lift it off the owner who is in their custody?
No this is a smokescreen to lobby for more privilege to further violate people's privacy and liberty.
(Score: 3, Insightful) by takyon on Wednesday February 10 2016, @10:56PM
http://androidforums.com/threads/phone-will-automatically-reset-to-factory-if-incorrect-pin-enter-10-times.863223/ [androidforums.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by kurenai.tsubasa on Wednesday February 10 2016, @11:12PM
I'm still of the opinion that there's a key-derivation function involved. If the FBI were serious about getting this data, they should just hire me and an expert hardware guy/girl to get me the disk image from hardware. We'd have it cracked in a week or two with a John the Ripper cluster.
(Score: 2) by pendorbound on Wednesday February 17 2016, @04:35PM
Assuming it's Apple, you're missing one key part of the crypto.
The 4, 6, whatever digit pin or passcode isn't the encryption key. There are 128-bit random numbers stored in the phone's Secure Element which encrypt different classes of information on the filesystem. You need those (whether by brute force or extraction) to decrypt anything. The base just-plain-filesystem key isn't enciphered with your key (or else the phone couldn't boot), but everything else is. All access to the flash chip is done *through* the security chip. The 128-bit secrets never leave that chip. When you unlock the device with your passcode, the Secure Element checks it, then uses it to decrypt the 128-bit keys for various classes of data. The decryption happens as a DMA read-through on the device where requests hit the secure element which reads the encrypted blocks from flash, decrypts them, and returns the decrypted blocks to the CPU.
If you de-solder the flash chip & try to attack that directly, you're brute forcing 128-bits for the base filesystem, then for each data class. Good luck with that.
The Secure Element is designed to be a highly secure, tamper resistant chip. There's a reasonable chance there are people at NSA who could extract keys from that chip. If they have that capability, they'd be sitting on it for the most covert of nation-state espionage, not some two-bit killed a bunch of people local terrorist. I'd bet every iPhone I've ever owned (original retail value) that "[you] and an expert hardware guy/girl" couldn't do squat to extract key material from the secure element.
It really is a Hard Problem, by design. If FBI says they can't break it, that suggests (but by no means proves) that there are no implementation bugs that break the security of the system. Absent such bugs, you either need the passcode (and you only get 10 tries before the secure element self-destructs), you need to brute force a bunch of 128-bit keys, or you need to be able to attack the secure element hardware directly. Anyone with the capability to attack the secure element is going to keep it as double secret probation top secret. They'd never waste the exploit on an in-the-open criminal prosecution where they'd have to disclose its existence in order to get anything admitted in court.
(Score: 1) by kurenai.tsubasa on Wednesday February 17 2016, @05:12PM
Who the fuck said the PIN was the crypto key? The one thing that's been fucking obvious was that there is an alphanumeric password involved. Now, if that's a smokescreen as well due to hardware crypto, then get the damned signing key for iOS, write a simple USB gadget OS—I think there's an option in Linux's make menuconfig to do just such a thing—and boot it up as a damned USB mass storage device. Problem fucking solved. Push it as an OTA update from a custom base station if you fucking have to.
Now somebody is going to lecture me on the intricacies of bootstrapping the hardware and bringing up some strange chipset that's not UHCI, OHCI, EHCI, or AHCI.
Nobody's responded to my speculation that this is just a marketing ploy by Apple and a propaganda run by the FBI to build on the magification of computer systems. ZOMG! It's ENCRYPTION! PURE FUCKING MAGIC!
(Score: 2) by julian on Wednesday February 10 2016, @11:19PM
iOS can use alphanumerical passwords of arbitrary length, so it's not just a simple 4-6 digit PIN. And fingerprints are optional, but if the device is powered down first then the full password must be supplied once before the phone can then be unlocked with the fingerprint. Also, if you don't use the phone for a day, the fingerprint access is also revoked even if the phone is still on and you'll need to type in your password again. There's no backdoor or way around this.
(Score: 2) by martyb on Thursday February 11 2016, @02:22AM
This is something that I've often wondered about; because it seems so obvious, I suspect I must be missing something. Could someone who knows for certain please clarify for me?
At least for an iPhone, I was under the impression that Apple basically controlled the hardware and the software ecosystem. What is to keep them from sending an over-the-air update, targeted at a specific phone (They could use, for example, the MEID [wikipedia.org] or IMEI [wikipedia.org] number). Then, have THAT update, for THAT phone, reset the password to a known value. Or remove the password. Or change the maximum number of allowed failed passwords before device reset count. Or do something else to bypass the current lock.
As for Android, my understanding is that updates have to come via the handset manufacturer... but I have no idea whether or not something similar could be done.
I do not use an iPhone or Android phone, so I honestly have no idea. Do all such updates HAVE to be accepted by the user? Is there no way for an update to be forced onto a phone?
Wit is intellect, dancing.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @12:00PM
I would guess that when Apple said they would provide unbreakable encryption, they broke all backdoors (and the mechanism you mention is a backdoor).
for the simple reason that they can honestly tell judges now that they cannot break the encryption --- this is an advantage because it would cost them money to hide backdoors from users.
(Score: 2) by ledow on Thursday February 11 2016, @10:48AM
What the hell makes you think that they are using the lock-screen to secure the data?
An encrypted file can be created and stored on any system, and transferred to any other.
Again - they can have complete access to the phone, the entire encrypted file, and still not know what's in it. Unless you can witness, record or intercept the key-entry process (which the people convicted would be highly unlikely to do), you CANNOT decrypt the data.
An idiot using the 4-digit lock screen password to "secure" data, rather than just placing an encrypted file on the device, deserves everything they get!
(Score: 2) by arslan on Friday February 12 2016, @05:22AM
Did you read TFA? It kinda read like they did and I'm responding based on the TFA.
(Score: 3, Interesting) by KilroySmith on Wednesday February 10 2016, @09:21PM
The Zombie Times reports despite having the brain of one of the two San Bernardino terrorist attackers, the FBI has been unable to decode the device. The brand and OS of the device has not been released.
(Score: 3, Funny) by GungnirSniper on Wednesday February 10 2016, @09:37PM
That would be an odd sci-fi story.
In the future, a hostile regime murders people to scan their brains for their connections to dissidents. Only Matlock 3000, played by Chris Pine, can stop them. Directed by Lensflare Abrams. Coming Summer 2018.
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 2) by DeathMonkey on Wednesday February 10 2016, @10:24PM
Duh, they've got to feed it to that blonde chick first!
(Score: 0) by Anonymous Coward on Wednesday February 10 2016, @09:26PM
I have seen the light! Only by giving our benevolent overseers the power to see whatever they want can we be safe. I kneel and rejoice that soon we will ALL be safe, and no child shall be harmed from this day forth. Praise Fibus!
(Score: 2) by takyon on Wednesday February 10 2016, @09:36PM
You're one of the good guys now.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 5, Insightful) by Anonymous Coward on Wednesday February 10 2016, @10:04PM
My apologies to LE, TLAs and anyone else involved in this endeavor but you brought this upon yourselves. Had you honored the 4th, 5th & 6th Amendments to the US Constitution this type of thing wouldn't be necessary. Alas, you feel that you can disregard our rights when it suits you ... or when you just feel lazy. The end result is that we need to protect ourselves from our government more often than we need to protect ourselves against terrorists.
(Score: 0) by Anonymous Coward on Wednesday February 10 2016, @10:11PM
Sure, it's perfectly reasonable that given months of time, terrorism-tier budgets, and world-class experts they were unable to try all 10k possibilities. I know the governments tech. is generally outdated, but managing less than 7 attempts per-hour is abysmal.
(Score: 2) by kurenai.tsubasa on Thursday February 11 2016, @01:02AM
Pretty much. All I want to know is why they just can't get the damned disk image. Jfyi the pin is only a temporary unlock and can't be used on first boot. The real passcode is typical alphanumerical passphrase space, John the Ripper fodder basically.
As always, never mistake incompetence for malice.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @04:50PM
The commenter who wrote "I've got a file of 10,000 4 digit PINs, think I can sell it to them?" was joking. Both Android and IOS permit longer PINs as well as passphrases constructed from a larger character set.
(Score: 5, Insightful) by VLM on Wednesday February 10 2016, @10:32PM
I don't understand why they bother.
The phone-modem-rf-deck is extensively logged by the telco. The .gov just has to ask for the logs of where the phone was vs time, legacy technology phone calls and old fashioned SMS messages, all that is logged. Probably more.
The guys social media accounts are all stored on the social media service servers. You ask facebook for his facebook account info, not his phone.
Anything cloudy like dropbox or gmail, again you don't ask his phone you ask the servers.
Pix? All online. Music he's purchased (well, OK a little far fetched). Again online.
Is it possible to do anything at all on a smart phone thats not being logged and cataloged and tagged and monitored and investigated?
Its like those people who think GPS receivers tell the government where you are, or who think a mere tape drive is a 1960s computer. I don't understand what if anything they expect to find that's not already in a file at NSA HQ.
You might have my hard drive, but you'll never access my files because you don't know my bluetooth pairing password for my keyboard.
I know its all propaganda, but even if they "win" what do they expect to do with phone data if they already have all the server side data?
(Score: 2) by M. Baranczak on Thursday February 11 2016, @02:23AM
If the phone was communicating with a server that's not in the US, or a friendly country, then getting the server logs might be difficult. And if they ran everything through an overseas VPN then there's no way to get logs for anything, not even TLA-friendly services like Google or FB, because you have no idea who the phone was talking to or what accounts it was using.
No, that's not a good enough reason to mandate the Orwell backdoors on everything, but at least I can see why they'd want to.
(Score: 2) by RamiK on Thursday February 11 2016, @03:51PM
Because if the terrorist were using Telegram*, the FBI wouldn't know what they were saying and to whom without access to the phone's storage.
*Telegram being my guess. Signal being my personal preference. Here's a fuller of end-to-end, secure messaging apps: https://www.eff.org/secure-messaging-scorecard [eff.org]
compiling...
(Score: 2) by cellocgw on Wednesday February 10 2016, @10:38PM
They kept trying to decrypt with Rot-13, but the clever terrorists used Rot-42 (having read THGTTG)
Physicist, cellist, former OTTer (1190) resume: https://app.box.com/witthoftresume
(Score: 3, Informative) by jasassin on Wednesday February 10 2016, @10:42PM
I have never owned a smart phone. I've read all these posts about 4 digit pins. There must be a phone that allows a passphrase to access? Why bother with encryption if there are only 10k passwords? The device could permanently lock after five or ten failed attempts (requiring a factory reset whiping all data).
Anyone with the fancy new iPhone or Samsung Galaxy/Nexus, or some other phone I don't know about, care to elaborate?
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 0) by Anonymous Coward on Wednesday February 10 2016, @11:45PM
The fancy iphone allows up to a 6 digit password. I immediately rolled mine back to 4 digits because muscle memory is more important to me than an extra two degrees of security.
Some android phones allow for drawing connecting links on a 3x3 grid.
Ain't set seen a phone that allows an actual passphrase.
(Score: 4, Informative) by hemocyanin on Wednesday February 10 2016, @11:53PM
I have this on my android and I think I plot 8 points, but still, this just comes down to a number if you were to plot 0-8 on the points. That's a pretty limited passcode.
I do use signal though which lets you use an arbitrary passcode, does end-to-end encryption on texts exchanged with other signal users, and encrypts the contents of any texts stored on the phone. There's also encrypted phone calling but that tends to turn my phone into a skillet.
(Score: 3, Informative) by Tork on Wednesday February 10 2016, @11:54PM
🏳️🌈 Proud Ally 🏳️🌈
(Score: 3, Informative) by J053 on Wednesday February 10 2016, @11:58PM
(Score: 2) by opinionated_science on Thursday February 11 2016, @12:34AM
i have nexus 6p. Any way to assign different levels of access to different fingers? Or perhaps a way in which there can be an alternative password to indicate duress?
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @04:01AM
Only a minority in the world would use long passphrases to lock their phones and how many of them are more dangerous to you than the other bunch? How many of these would be stopped by the FBI being able to unlock their phones?
And if these minority of a minority of a minority are not caught and carry out their crimes how many would they kill compared to how many the police and FBI have killed without good cause?
They already caught the criminals responsible, no need to decrypt phones. Maybe others are out there. So what? If the FBI is really interested in crime prevention they should stop more crooks from blowing up the economy. That causes more harm and deaths.
(Score: 2) by Tork on Thursday February 11 2016, @04:26AM
Yeah but how many people use arbitrarily-long passphrases...
I don't know, but I can tell you I started using a long password when the fingerprint reader came along.
🏳️🌈 Proud Ally 🏳️🌈
(Score: 2, Insightful) by DannyB on Wednesday February 10 2016, @11:03PM
From TFA: (the friendly article)
> The brand and OS of the device has not been released.
Maybe they are fearful that everyone will rush to buy that particular kind of device. Therefore the brand and OS must remain a state secret. Because . . . Terrorists!
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @08:52AM
The funny thing is, now only the terrorists and FBI know the brand and OS.
(Score: 0) by Anonymous Coward on Wednesday February 10 2016, @11:27PM
1234?
(Score: 0) by Anonymous Coward on Thursday February 11 2016, @01:20AM
So the FBI can't do its job unless we give them full access to the GPS trackers (smart phones) that most of us carry around? How much is that going to reduce my chances of being killed by a terrorist? From 1 in 10 million to 1 in 11 million? And what are my chances of getting killed by a cop?
(Score: 1) by redneckmother on Thursday February 11 2016, @03:42AM
Uh, 50/50?
Mas cerveza por favor.
(Score: 1, Informative) by Anonymous Coward on Thursday February 11 2016, @01:26AM
They have every single call placed via the devices from the pen registers at the NSA.
That's the important shit. The only thing on there they would get from decrypting it might be some nudes they snapped before going on a rampage in a gun-free zone.
This is just more bullshit released right at the same time that Senator McCain is calling for a prohibition of end-to-end encryption. [soylentnews.org]
Go read the Hilary Clinton emails. They will open your eyes to the way this shit gets done. She's got shit in there like, "I want to put this message out on the news, and it would be great if it came from a retired general, or ex-CIA". Just lists and lists of propaganda and social engineering to push their fucked up Anti-American agendas.
I'm beginning to think that the politicians are the terrorists.
(Score: 1) by redneckmother on Thursday February 11 2016, @03:45AM
You ain't slow, but you ain't fast.
Mas cerveza por favor.
(Score: 2) by MostCynical on Thursday February 11 2016, @01:53AM
my GPS is off on my phone. It chews the battery, and I don't usually need to get from anywhere to somewhere I haven't been. How long before I am a suspect for the 'crime' of not letting fb, google, TLAs et al know where I am?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by hemocyanin on Thursday February 11 2016, @04:22AM
Unless you've traced out the power input to the GPS, broke the connection and soldered in a physical on/off switch, your GPS is on, just not logging data to a spot you have direct access to.