FBI rebuts criticism that it reset terrorist's iCloud password after attack

Even if it was a screw-up, Apple's still obligated to help access the iPhone; there may be more info there than a backup would include

iphone apple fbi passcode

The Federal Bureau of Investigation (FBI) today rebutted accounts in the media, and implications by Apple, that it or San Bernardino County messed up when the iCloud password for the iPhone used by Syed Rizwan Farook was reset days after a shooting that left 14 dead.

On Dec. 6, FBI investigators, with the approval of San Bernardino County and the assistance of its IT staff, reset the password of Farook's iCloud account. San Bernardino County owned the iPhone 5C, had supplied it to Farook for his job as a health inspector, and controlled Farook's iCloud account.

Forook, along with this wife, Tashfeen Malik, are accused of killing 14 in San Bernardino, Calif., on Dec. 2. They died four hours later in a shootout with police.

"A logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack," the FBI said today in a statement emailed to Computerworld.

Re/code first reported Sunday on the FBI's statement.

"[The FBI] was able to reset the password in order to provide immediate access to the iCloud backup data," the agency said in its statement.

After serving a search warrant on Apple, the FBI obtained the phone's last iCloud backup, dated Oct. 19.

But questions remain about what would have happened had the FBI and San Bernardino County not reset the iCloud account password on Dec. 6. If the iCloud Backup feature in iOS is enabled, the phone is supposed to automatically back up when it's connected to power and connected to an already-known Wi-Fi network, assuming there's enough space in the account and the iPhone's screen is locked.

Some have posited that had the phone been connected to a power outlet and a Wi-Fi network -- specifically a known network, such as one at Farook's residence -- it would have automatically backed up the appropriate content to iCloud.

According to reports, Apple executives speaking to an invite-only group of reporters Friday suggested that the FBI botched the job by resetting the device's iCloud password. It might have been possible to collect a new backup's contents if it had held off, they said.

Apple implied as much in a FAQ it published early Monday. "One of the strongest suggestions we offered [the FBI] was that they pair the phone to a previously joined network, which would allow them to back up the phone and get the data they are now asking for," Apple said. "Unfortunately, we learned that while the attacker's iPhone was in FBI custody the Apple ID password associated with the phone was changed. Changing this password meant the phone could no longer access iCloud services."

The FBI didn't directly contest that, but argued that there was probably more information on the iPhone 5C than could be gathered from an iCloud backup.

"It is unknown whether an additional iCloud backup of the phone after that date [of Oct. 19, 2015] -- if one had been technically possible -- would have yielded any data," the agency acknowledged. "[But] even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple's assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone."

The latter -- that there may be a wealth of information not included in the backup -- has been a point the Department of Justice (DOJ) has made repeatedly in its filings with the federal court that has ordered Apple to help investigators access the phone.

Authorities want Apple to create a modified version of iOS that disables an auto-erase feature -- triggered after 10 incorrect passcode entries -- and removes the forced delays between passcode guesses. The FBI would then conduct a brute-force passcode crack from a personal computer at high speeds to uncover the passcode -- which unlocks the device -- and so examine all the data there.

Apple must be the one that crafts such a tool since only updates signed by the company's digital certificate will be accepted by an iPhone.

Even if resetting the iCloud password was a mistake, the FBI said, Apple remains obligated to assist. "The reset of the iCloud account password does not impact Apple's ability to assist with the the court order under the All Writs Act," said the agency, referring to the 1789 law cited by the DOJ when it asked a federal judge to force Apple to help.

"As the government's pleadings state, the government's objective was, and still is, to extract as much evidence as possible from the phone," the FBI added. "Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains."

It's possible that Farook turned off the iCloud auto-backup at some point after Oct. 19, although he used the phone after that date, the FBI said. He may also not have charged it when a known Wi-Fi network was available.

Apple has said it will not comply with the court's order to assist the FBI because it would set what it called "a very dangerous precedent." Apple has until Friday to file its objections with the California federal court. That court has set a March 22 date for oral hearings, and will accept amicus briefs from interested parties until March 3.

This story, "FBI rebuts criticism that it reset terrorist's iCloud password after attack" was originally published by Computerworld.