The FBI Can Probably Hack iPhone Encryption, And That’s Why It Can’t Use The All Writs Act

At the heart of the U.S. government's case against Apple was that it could not unlock the San Bernardino shooter's iPhone 5c without Apple's help. And yet that also appears to be its greatest weakness, leading the FBI to request a postponement of a court hearing Tuesday out of concern that it would not win, experts told International Business Times.

The FBI and tech giant Apple had been set to square off over whether the company should be required to build new software capable of unlocking the phone used by Syed Farook, a so-called backdoor to the iPhone's extensive encryption. Instead, the FBI revealed in a court filing Monday evening it may no longer need Apple’s assistance to open the iPhone now that an outside party has demonstrated “a possible method for unlocking Farook’s phone,” pending a presentation for the Justice Department.

Not only is that an indication the government believes a third party can break Apple’s encryption, but, experts said, it also seems to prove that the Justice Department will be unable to prove in court it has exhausted every resource as is required under the All Writs Act. The act is an old legal provision that gives investigators the power to issue “all writs necessary or appropriate in aid of their respective jurisdictions.” In this case, the All Writs Act would enable investigators to use millions of number combinations to unlock a passcode (where Apple currently caps the number of guesses at 10).

“I’m quite confident the FBI and Department of Justice have essentially practiced arguments and argued over their potential answers to particular questions ahead of this hearing,” said Stewart Baker, former assistant secretary for policy at the Department of Homeland Security. “I expect, in doing that, someone gave them an answer that gave them reason to pause. They need to make a concerted effort to get into this phone and be able to answer: ‘Do you believe you can’t get in?’”

Failure to answer in the affirmative could be enough to not only lose the case but also set a precedent that could hinder future cases where the government seeks to break encryption. Government lawyers would also have to contend with a Brooklyn judge’s February ruling, in an unrelated drug case, that the All Writs Act does not give the government the power to force Apple to break its own encryption. That decision is not legally binding in the San Bernardino, California, case, though it would inevitably influence the court proceedings, according to Brian Owsley, a former magistrate judge who has ruled on a number of electronic surveillance issues.

“If you’re any judge contemplating this issue going forward, including the San Bernardino judge, you would want to look at that decision,” said Owlsey, now an assistant professor of law at the University of North Texas at Dallas College of Law. “On one level you’re thinking, ‘Here’s a guy who has thought long and hard about this, so why would I want to reinvent the wheel?’ And now the FBI is risking two magistrate judges who disagree with the government’s case.”

But by dropping the case, it’s likely the FBI can also avoid discussing how it was able to crack the phone’s protection. The iPhone 5c, running on the iOS 9 operating system, was locked with a passcode that auto-erases the data on the phone after 10 incorrect guesses. The phone also employs a time delay that limits the phone to one password guess every 80 milliseconds, limiting the user to only eight or nine guesses every second (compared with the thousands or potentially millions of guesses required to break the passcode).

Now, it seems, investigators have found a way around that.

“Most people who have been following this technically realize there is a weakness in the encryption: Every time you guess incorrectly a few times, it’s supposed to make a recording that leads to the delay, which prevents you from guessing again,” said Matthew Green, a renowned cryptographer and assistant professor of computer science at Johns Hopkins University. “But there’s a way to overwrite that memory so the phone doesn’t realize you’ve made the limited 10 guesses … The idea is kind of like if you’re playing a video game and you die, but you restart the video game before saving the game.”

All it would take, Green suggested, is for the FBI to contract with a forensics firm that specializes in precisely taking apart the iPhone, manipulating the memory card, and putting it back together again. The FBI did not respond to messages seeking comment on this story.

Fourteen people were killed and 22 critically injured at a San Bernardino office party Dec. 2, 2015, when Farook and his wife, Tashfeen Malik, carried out a mass shooting that was later classified as an act of terrorism. It’s likely that all the attention surrounding the case has captivated cybersecurity researchers looking for a new challenge. Green and a team of researchers at Johns Hopkins University revealed Monday an encryption flaw in iMessage (previously considered unbreakable) that made it possible for hackers to decrypt videos and photos.

“The whole research community would be intrigued by a problem like this, so the minute the first headlines broke a few weeks ago there were people jumping into their iPhones,” said Jim Lewis, director and senior fellow of the strategic technologies program at the Center of Strategic and International Studies, before suggesting the U.S. National Security Agency would also be capable of breaking the encryption. “We don’t know who that somebody was, but the FBI just figured out how to connect the dots," Lewis said. "The idea that these encryption technologies are perfectly secure has been wrong all along.”