A tool Apple developed for companies could have prevented its looming showdown with the FBI.
At issue is the iPhone used by Syed Rizwan Farook, one of the shooters in a December attack in San Bernardino, Calif. Magistrate Sheri Pym of the U.S. District Court of Central California on Tuesday issued an order mandating that Apple give the FBI software to circumvent a standard iPhone security measure that deletes the key to decode the device’s data after 10 failed attempts to unlock it.
The order applies only to Farook’s iPhone 5C. But Apple CEO Tim Cook, in a public letter saying his company would fight it, argued that the federal government wants Apple “to build a backdoor to the iPhone.” The implications of the government’s demands, he wrote, are chilling.
“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone’s physical possession,” Cook wrote.
Cook’s letter has recast the encryption debate into a battle over government reach. But had Farook’s government employer, the San Bernardino County Public Health Department, installed a remote-management tool on the phone it issued Farook, the FBI would have access to the phone, and its case against Apple would be moot.
“If the county government had set up their county-owned devices properly, they could unlock this device themselves.” – Alex Kaloostian, senior instructor, FMC Training
Employers like Farook’s, public or private, can install Apple’s mobile-device management software for $20 and use it to remotely manage an unlimited number of iPhones. Key features in Apple’s MDM service allow administrators to change phone configuration settings without user interaction, such as remotely lock or wipe a phone, or clear its passcode.
Apple says it built MDM to help people “reset forgotten passwords,” but nothing would prevent a company or government agency from also using it to access a locked phone.
“The iOS MDM framework is quite powerful and can indeed clear the device passcode lock,” says Jon Oberheide, co-founder and chief technology officer of secure-access provider Duo Security.
“If the county government had set up their county-owned devices properly, they could unlock this device themselves,” adds Alex Kaloostian, a senior instructor at FMC Training, which specializes in teaching other companies how to manage corporate deployments of Apple’s Macs and iPhones. “Apple’s done [its] job, giving companies the tools they need.”
The San Bernadino County Public Health Department did not return calls for comment. Despite reaching out to several California municipalities and other states, none returned queries to determine if any of them had policies on using MDM services or other third-party apps enabling remote management for government-issued phones.
Security researcher Dan Guido has written an explanation of how Apple can technically comply with the FBI’s request without introducing the risks Cook raised in his public letter.
“In order to limit the risk of abuse, Apple can lock the customized version of iOS to only work on the specific recovered iPhone and perform all recovery on their own, without sharing the firmware image with the FBI,” Guido concludes.
Other security experts defend Apple’s encryption implementation. Becky Bace, chief strategist at the Center for Forensics, Information Technology, and Security at the University of South Alabama, says Apple has two main concerns in the case. The company is worried that the tool it builds for the FBI could be subsequently “too easily subverted into a backdoor,” she says, adding that Apple “would be loathe to sacrifice” the time and money it has spent on security and privacy mechanisms in its products.
Whether Apple should comply with the order is an issue that could be fought in other courts. Regardless of what happens, says Kaloostian, the FBI should note that its government friends at the San Bernardino County Public Health Department could have sidestepped the entire brouhaha by “properly” managing employee phones.
A lack of remote-management tool usage, he says, is “more the norm than the exception.”