Mistakes in the San Bernardino Case

Many sat before Congress yesterday and made their cases for and against a backdoor into the iPhone. Little was said, however, of the mistakes that led us here before Congress in the first place, and many inaccurate statements went unchallenged.

The most notable mistake the media has caught onto has been the blunder of changing the iCloud password on Farook’s account, and Comey acknowledged this mistake before Congress.

“As I understand from the experts, there was a mistake made in that 24 hours after the attack where the [San Bernardino] county at the FBI’s request took steps that made it hard—impossible—later to cause the phone to back up again to the iCloud,”

Comey’s statements appear to be consistent with court documents all suggesting that both Apple and the FBI believed the device would begin backing up to the cloud once it was connected to a known WiFi network. This essentially established that I nterference with evidence ultimately led to the destruction of the trusted relationship between the device and its iCloud account, which prevented evidence from being available. In other words, the mistake of trying to break into the safe caused the safe to lock down in a way that made it more difficult to get evidence out of it

Comey made an inaccurate statement to Congress, however, when he made the following statement, dismissing the notion that this essentially interfered with the evidence:

“The experts have told me I’d still be sitting here,” Comey said. “We would still be in litigation because the experts tell me there is no way we would have gotten everything off the phone from a backup. I have to take them at their word.”

This sentiment is similar to a letter from the FBI’s Los Angeles Field Office regarding the iCloud mistake:

 “Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phoen that would not be accessible without Apple’s assistance as required by the All Writs Act Order, since the iCloud backup does not contain everything on an iPhone.”

Comey’s naïveté in technology is quite obvious, by his use of words such as “backuppable”, and worse yet seemed to be supporting the notion, before Congress, that one should expect the director of a federal law enforcement branch to be technically inept – his admission, not mine.

As I wrote in a previous post, such statements only have two possibilities: Either these statements are inaccurate, and this action actually was reckless, or that the FBI has been misleading the CA magistrate and plans to file a second order to force Apple to image the contents of the device for them.  The short technical answer as to why this is, is because every leading forensics tool that supports iOS 9 collects the same information using Apple’s backup mechanism. This backup mechanism delivers virtually the same content as one can obtain through an iCloud backup: it does not include the caches from third party applications, which is the only other valuable piece of evidence FBI would be after. The only way to get to that would be to compel Apple a second time to image the complete file system of the device, and no such burden exists in the order that was originally presented to the CA magistrate.

More importantly than iCloud, however, is this: Both Comey’s statements and Sewell’s (legal counsel for Apple) imply that they both believed the iCloud backup would have worked. Sewell stated at a hearing before Congress on Tuesday that if FBI had not interfered with the device that, “the very information that the FBI is seeking would have been available and we could have pulled it down from the Cloud.”

This means that the device must have been seized powered on. It would have been the first thing that both organizations would have checked, in fact, before wasting time at these efforts. Had the device been discovered powered down, this technique wouldn’t have worked because the device will not connect to any known WiFi network until the passcode has first been entered. This is like second grade math for Apple, and they would have picked up on it immediately, ruling it out as a possibility. (NOTE: The phone will actually connect to attwifi before being unlocked, but this phone is Verizon, which does not offer a free hotspot service as part of their carrier bundle). Apple also made statements suggesting they saw the device’s authentication failure on the iCloud side, suggesting that the device was attempting to connect to iCloud, which would mean that the device was still authenticated by Farook.

The fact that the device appears to have been found on, but later turned off (or allowed to die) is the second, and much bigger mistake. Court documents and statements suggest that the phone was sat on for three days before the iCloud restore was attempted; this is more than enough time for the battery to die if not kept charged. As I wrote in yet another post, allowing the phone to be powered down eliminated five more ways data could have been retrieved from the device:

• Talking directly to Siri, and asking her to display call records, contacts, email, and other information.
• Capturing the network traffic traveling between the device and any providers of third party applications on the device, which could have not only yielded valuable data, but also information about which providers Farook’s phone stored data on (for subpoena).
• As Farook’s laptop is being reconstructed, should a pair record be recovered, could have been used to unlock the phone or download the data on it through a backup.
• If the iOS was 9.0.1 or lower, a known lock screen bypass bug would have potentially allowed them access to a significant amount of data on the device (data that is unlocked “after first user authentication”)
• Dozens of known vulnerabilities exist for older firmware that may have been able to penetrate the device with a PoC, that otherwise couldn’t be used if the encryption is locked. Simply reading Apple’s release notes would have provided contact information for a number of researchers and universities who likely had PoC exploit code they would have loaned to FBI.

Congress did not ask anyone about this, nor did they challenge Comey’s statements about the iCloud backup being irrelevant to their investigation. Quite the contrary, both mistakes put together have now interfered with six different techniques to obtain evidence off of the device.

Just how much evidence mismanagement is required before Congress or the courts will throw this case out of court? Should we be setting a precedent to breathe such a dangerous forensics tool into existence for reasons that only exist because evidence was mishandled, causing the device to lock down?

Directory Comey made the statement – twice – to Congress yesterday; namely that the FBI has attempted every possibility of unlocking the device on their own, and is even willing to accept input from any experts. Yet several possibilities have come to light that have not yet been explored:

• As one of my Twitter followers pointed out, is there no security camera footage of Farook ever unlocking his phone with the passcode? It didn’t have a fingerprint reader, so if FBI hasn’t already done so, they should be visiting his workplace, his favorite coffee shop, and any other surveillance video to see if they can peep him typing in the pin. Cameras are everywhere today.
• Imaging the NAND flash of the device and trying ten passcodes at a time; when the device wipes, re-flash the NAND with the original image and try again. This technique is done in kiosks in Chinese malls to upgrade your 16 GB iPhone to 128GB for about $60 US. $60 for ten tries, they could pay retail and still get this done for $60,000.
• There’s a mod-chip for the Wii that lets you wire up what they call a NAND emulator. This seems to be used to let you play the same save states over and over again, so you can cheat the games. While an iPhone NAND is likely more complicated than the Wii’s 512 MB chip, research into a NAND emulator in computing could yield a solution for not only iPhone, but also any other type of solid state device.
• Deconstruct the chip on the device to read the fuse bank where the UID is stored. This UID is used to calculate what ultimately holds up Apple’s entire tiered encryption structure. If FBI can extract this UID, they can reverse engineer the rest of Apple’s encryption and then brute force it against the pin on a fast computer.
• Attempt to isolate the hardware-based encryption off of the silicon, and feed encrypt/decrypt requests directly through it; this may or may not be possible depending on how the bus endpoints are encrypted. If FBI can coerce the encryption mechanism, they can perform an on-chip brute force while bypassing Apple’s operating system.
• Borrow time on the NSA/CIA supercomputing clusters to attempt to brute force the encryption of one or more of the individually encrypted files on the device. The directory structure itself is accessible without the pin, only the file content will be encrypted. Take the files that are most critical to break and attack the encryption directly.

In addition to these three things (which, admittedly have some level of risk to go with them), FBI has clearly not been open to talking to security researchers. No one (including myself) has come forward to say they’ve been approached. If they really wanted into this phone, they would be contacting every contributor listed in Apple’s iOS security release notes (for example: this iOS 9.2.1 update) and asking if they could loan their proofs of concept to work on this older version of firmware running on Farook’s device (said to be 9.0.x). There are dozens of critical code execution vulnerabilities that have been patched by Apple since 9.0, and it’s conceivable that some of them could potentially be used to gain code execution on the device.

Whether or not all of these techniques are feasible, the government hasn’t demonstrated that they’ve looked into any of them. When discussing matters of burden in the court system, and the enormous burden that this order places on Apple (which Apple, if anything, has understated), some of these approaches would be considered comparable, or even less of a burden. There is also a “necessity” prong to the AWA suggesting that it can only even be considered if there’s no other way. This clearly isn’t the case here

So the following is clear:

• Not every avenue there is to get into this device has been attempted
• The current predicament was created by mishandling of evidence

Congress is now interested in their role in all of this. My recommendation to Congress is to protect the civil liberties of Americans and instead launch an investigation into the mishandling of this evidence.

UPDATE: On March 9, additional testimony given by Stacey Perino, an electronics engineer with the FBI, indicating that the device was seized in a powered-down state. This now adds a significant amount of confusion to this case. As you’ve just read in this article, quotes by both Comey (FBI) and Sewell (Apple) clearly state that the backup would have likely worked had the password not been changed – Apple came right out and said it definitely would have worked. Had the device been seized “off”, then both organizations would be well aware that the device would in no way connect to a Wi-Fi access point in the state it was in. This would have been glaringly obvious to FBI, but especially to Apple’s engineers assisting them. Why, then, would Apple direct FBI to go to Farook’s place of business to attempt an iCloud backup at all? There would have been no point whatsoever.

There is a very clear contradiction between what was told to Congress last Tuesday by both Apple and FBI, and what has been filed with the courts today. Unfortunately, this raises more questions than it answers. The only way this could definitively be answered would be for Verizon and/or Apple to provide their system records identifying when the phone was last active on their network. If this happened to be October 22, which is when Farook supposedly disabled backups (note: the day right after the 9.1 update was released), then there is clearly no additional evidence on the device worth obtaining. If it was last seen on the network around the date and time it was seized, then this would raise some additional questions about its power state.

Ultimately, it can’t be both. Either Apple and FBI were completely wrong in their testimony before Congress, or the device wasn’t already off when it was seized. This is a critical question that really should be answered.