A federal judge in California has ordered Apple to help the FBI brute-force hack its way into the encrypted iPhone of one of the San Bernardino shooters, according to both the Associated Press and The Washington Post.
This is one of the biggest developments in the ongoing battle over encryption between tech companies and law enforcement, and is sure to be a developing story. Here’s what we know so far.
If you have a passcode on your iPhone, it’s encrypted. When you unlock an encrypted phone, you are asked to type a four- or six-key passcode to unlock it. If you fail 10 times in a row, the phone automatically deletes the phone's encryption key.
The federal judge ordered Apple to disable this feature on the phone, which will allow the FBI to “brute force” its way in, meaning it can try every single possible combination of passcode until one works.
“It’ll be slow, potentially,” Matthew Green, a cryptographer at Johns Hopkins University, told me. “If the passcode is strong. Fast if it’s four digits.” If the phone was locked down with both letters and numbers—if you want, Apple allows you to use a password with letters and numbers instead of just a passcode—it could take years.
This is a clever way around the inconvenient fact that it’s widely believed to be impossible to break into the phone in any other way. The encryption key that would decrypt data stored on the phone, including the shooter’s messages and photos, is also stored on the device itself.
There are all sorts of questions raised by this order. Most importantly for the FBI and Apple is whether it’s even possible for Apple to override the autowipe feature. “Industry officials” that the Washington Post spoke to suggested that it’s not:
“According to industry officials, Apple cannot unilaterally dismantle or override the 10-tries-and-wipe feature. Only the user or person who controls the phone’s settings can do so. The company could theoretically write new software to bypass the feature, but likely would see that as a “backdoor” or a weakening of device security and would resist it, said the officials, who spoke on the condition of anonymity to discuss a sensitive matter.”
Second: If Apple is both able and, more importantly, willing to pull this off, what does it mean for the rest of us? The iPhone's security features are some of the most common, and most essential, forms of encryption for many, many people at this point. If Apple creates an exploit that makes it possible to brute force a phone’s unlock screen, it’s possible law enforcement will commonly ask for this type of thing in the future. And if such an exploit ever made it out into the wild, well, then hackers might be able to use it, too.
“Once they develop this firmware, you could reuse it on lots of phones,” Green said. “I assume it’s a test case.”
As I mentioned, this is going to be a very big story over the coming weeks and months. We'll have more on the topic as things unfold.