On Thursday, Apple filed its response to the FBI’s request for help in hacking into the iPhone of Syed Farook, one of the two alleged terrorists who killed 14 people in the San Bernardino shooting of late last year.
As Motherboard anticipated, one of Apple’s main arguments is that complying with the FBI’s demands would violate its constitutional rights, particularly its First Amendment right to free speech. But Apple also argued that writing the code necessary to help the FBI crack the passcode on Farook’s phone would require “significant resources and effort.”
In particular, Apple estimates that it would need between six to ten engineers “dedicating a very substantial portion of their time for a minimum of two weeks, and likely as many as four weeks.”
Last week, the FBI requested that Apple remove from Farook’s iPhone a series of protections that prevent the FBI from guessing any possible passcode to unlock it, what’s technically known as a brute-force attack. Specifically, the FBI asked for a custom-built operating system that doesn’t get wiped after 10 wrong passcode guesses, and that doesn’t add time limits between guesses.
Apple called this custom operating system “GovtOS” and argued that creating this custom tool would be “unreasonably burdensome.” This is how Apple is trying to argue that the government doesn’t have a right to use the All Writs Act, an obscure 1789 statute that can be used to compel people or companies not involved in a crime to give the government assistance. There’s debate on how far the All Writs Act goes, but the Supreme Court has previously ruled it shouldn’t impose an “unreasonable burden.”
“The government is asking Apple to do something that, to my knowledge, Apple has never done before,” Erik Neuenschwander, Apple’s manager of user privacy, said in a declaration attached to the company’s motion to vacate, explaining that it’d be hard to predict exactly how long it would take for Apple engineers to actually make “GovtOS.”
“The government is asking Apple to do something that, to my knowledge, Apple has never done before.”
Apple stressed that complying with the FBI’s request is not just about disabling features or writing some new code, but it would require a complex and exhaustive process to create and test the new operating system for both quality assurance and security, because changing one feature in an operating system can potentially create unintended consequences.
And that wouldn’t be the end of it. Once the operating system is ready, Neuenschwander explained, Apple would also need to “develop and prepare detailed documentation” for the FBI to build its own brute force tool. And if the FBI wants to hack the phone at its own facilities rather than within Apple’s campus, the company would have to develop several security measures to transmit the operating system to the FBI, he added.
Finally, Apple said it would need to make sure the operating system is used correctly, and is later destroyed to avoid the possibility of it falling into the wrong hands—although Neuenschwander warned that it’s hard to make sure software gets really destroyed and can’t be used again.
Dan Guido, the CEO of cybersecurity firm Trail Of Bits, who has analyzed Apple’s operating system, agreed with Neuenschwander’s estimates on the time and manpower it would take to create the tool.
“Erik's testimony sounds about right,” he told me in an email. “They would definitely need a small team working for around a month to make sure it all works correctly.”