Why the FBI can't just hack a copy of the San Bernardino iPhone

By Christina Warren

On Tuesday, the House Judiciary Committee met to have an open discussion over the balances between privacy and national security, especially as it pertains to the ongoing battle between Apple and the FBI.

During the hearing, which took place in two sessions and over five hours, members of Congress had a chance to question FBI Director James Comey over some of the specifics in the San Bernardino investigation at the heart of this discussion.

One of the questions raised over and over again was: Has the FBI exhausted all other technical avenues of unlocking the iPhone 5C used by San Bernardino gunman Syed Farook? And each time he was asked, Comey responded yes -- the agency had already tried everything it could, and that is why it asked a judge to issue an order compelling Apple to build special software that would allow the FBI to hack the phone's passcode and get past the lock screen.

Most members of Congress seemed to accept Comey's answer. And with few exceptions, many of the questions asked of Comey -- and later of representatives from Apple, law enforcement and cybersecurity experts -- were non-technical in nature. The focal point of this hearing was the policy implications of what the Department of Justice is asking Apple to do, not necessarily the technical details.

But Congressman Darrell Issa (R-California) took a different approach. His questions to Comey were pointed and technical. Issa, who has written op-eds for Wired and The Los Angeles Times in support of Apple's position, raised the idea that the FBI hadn't really done everything it could, at a technical level, to break into Farook's iPhone.

The exchange, which starts at the 1 hour and 21 minute mark in the hearing, is quite remarkable. After asking Comey to confirm that he was testifying that neither the FBI nor its contractors could get into the iPhone (Comey confirmed this), Issa began asking Comey about the research that had taken place to see if they could access the phone.

After getting Comey to admit that the FBI had not asked Apple for its source code (presumably so a contractor at the FBI's behest could make the code changes necessary), Issa moved into more technical questions for the director, specifically related to the iPhone 5C running iOS 9 (Quartz has a transcript of the exchange).

Issa: OK, let's go through the 5C running iOS 9. Does the 5C have a non-volatile memory in which all the encrypted data and selection switches for the phone settings are all located in that encrypted data?

Comey: I don't know.

Issa: Well, it does. Take my word for it for now. So that means that you can, in fact, remove from the phone all of its memory, all of its nonvolatile memory, its disk drive if you will, and set it over here and have a true copy of it to conduct infinite number of attacks on. Let's assume that you make an infinite number of copies once you have one copy, right?

Comey: I have no idea.

Issa: Let's go through what you asked. I'm doing this because I came out of the security business and this befuddles me that you haven't looked at the source code and you don't really understand the disk drive, at least to answer my dumb questions if you will.

There's only a memory and that memory -- that non-volatile memory sits here -- and there's a chip, and the chip does have an encryption code that was burned into it. And you can make 10,000 copies of this chip, this non-volatile memory hard drive, then you can perform the attacks as you want on it.

Now you asked specifically Apple to defeat the finger code so you can attack it automatically so you don't have to punch in codes. You've asked them to eliminate the 10 and destroy.

But you haven't, as far as I know, asked them, "OK if we make a thousand copies or two thousand copies of this and we put it with the chip and we run five tries, 00 through 04," and throw that image away and put another one in and do that 2,000 times, won't we have tried with a non-changing chip and an encryption code that is duplicated 2,000 times? Won't we have tried all 10,000 possible combinations in a matter of hours?

If you haven't asked that question, the question is: How can you come before this committee before a federal judge and demand that someone else invent something if you can't answer the questions that your people have tried this?

At this point, the questioning breaks down -- and Issa ends up running out of time. Regardless, Comey could not say that he or his people had done this.

An interesting idea but not really feasible

Issa's overall question -- had the FBI done everything technically feasible it could do to break into the phone? -- was good but broad. His proposed solution, however, was very specific: He believes the FBI could basically create a virtual copy of the iPhone as many times as it needs in order to brute-force the passcode. That way, every time it locks up or hits you with a delay, you just try again on another copy. It makes sense... on paper.

The problem here is that the storage chip (the "nonvolatile memory" Issa refers to) is encrypted in such a way that the encryption is tied directly to the CPU of the device. And that CPU has a unique device ID (UID). The UID is baked into the chip; it's specific to the phone itself. Apple's own security documentation describes the process that ties the UID to the PIN on a phone: "The passcode is entangled with the device's UID, so brute-force attempts must be performed on the device under attack."

Aaron Pressman (@ampressman), March 1, 2016: "@JZdziarski https://t.co/oAiDfUVjRF see also page 11. Pretty sure Issa is wrong. pic.twitter.com/HgZTuoyjjO"

In other words, the passcode is a simple security feature that masks a more complex process -- it's not just checking a number. There's also a hardware component to it, and that means you can't simply copy the phone's memory to crack the passcode since the copy won't be running on the right hardware. The passcode will only work on the device itself.

So what about somehow extracting or copying the phone's UID? Good idea, but it's almost definitely a no-go. According to a security expert who preferred to remain anonymous, extracting the UID would likely destroy the CPU (and thus the phone), and it wouldn't guarantee success because you would still need to crack other strong protections on the chip itself.

Of course, the FBI could still copy all the phone's memory and try to attack it without breaking the passcode, but then we're back where we started: The storage is encrypted with AES 256-bit encryption. So instead of trying a bunch of passcodes, it would need to break the much stronger encryption protecting the data.

With enormous computing power, it may be theoretically possible for the CIA or NSA to defeat some types of encryption, but nothing we definitively know suggests this is even an option.
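To make the UID entanglement concrete, here is a toy model written for this article. It is not Apple's code and it simplifies the real design (the real derivation runs inside the hardware, the data is encrypted with AES-256, and the delays between guesses escalate before the wipe). Every name in it is invented: a device is a secret `uid` that only the chip knows plus a copyable flash image (`nand`), the storage key is derived from both the passcode and the UID, and the flash image holds only a verifier that is useless without that key. The two search routines then model the page's reasoning: guessing on the device itself runs into the 10-attempt wipe, while guessing on fresh copies of the flash image resets the counter but can only succeed if the copy is paired with the real UID.

```python
"""Toy model of passcode/UID entanglement (illustration only, not Apple's design)."""
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100        # constructed: real hardware tunes the cost to ~80 ms per guess
MAX_FAILED_ATTEMPTS = 10    # the "10 and destroy" rule Issa refers to
PASSCODE_SPACE = [f"{i:04d}" for i in range(10_000)]   # every 4-digit PIN
TRIES_PER_COPY = 5          # Issa's "five tries, then throw the image away"


def entangle(passcode: str, uid: bytes) -> bytes:
    """Derive a 256-bit storage key from the passcode AND the per-device UID.
    A different UID gives an unrelated key even for the same passcode."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, KDF_ITERATIONS, dklen=32)


def provision_device(passcode: str):
    """Return (uid, nand_image). The UID is fused into the SoC; only the image is copyable."""
    uid = secrets.token_bytes(32)
    key = entangle(passcode, uid)
    nand = {
        # Verifier kept on flash: without the key it reveals nothing about the passcode.
        "verifier": hmac.new(key, b"unlock-check", "sha256").digest(),
        "failed_attempts": 0,
        "wiped": False,
    }
    return uid, nand


def device_unlock(uid: bytes, nand: dict, guess: str) -> bool:
    """The check the hardware performs: needs the UID, enforces the failure counter."""
    if nand["wiped"]:
        return False
    key = entangle(guess, uid)
    tag = hmac.new(key, b"unlock-check", "sha256").digest()
    if hmac.compare_digest(tag, nand["verifier"]):
        nand["failed_attempts"] = 0
        return True
    nand["failed_attempts"] += 1
    if nand["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        nand["wiped"] = True    # the real device erases its key material at this point
    return False


def guess_on_device(uid: bytes, nand: dict) -> Optional[str]:
    """Sequential guessing on the real hardware: the wipe stops it after 10 failures."""
    for pin in PASSCODE_SPACE:
        if device_unlock(uid, nand, pin):
            return pin
        if nand["wiped"]:
            return None
    return None


def guess_on_copies(nand_image: dict, uid: Optional[bytes]) -> Optional[str]:
    """Issa's proposal: a fresh copy of the flash image every few tries.
    The copy does reset the counter, but the verifier can only be evaluated with the
    device's UID; an attacker who only has the image must guess the UID too (2**256)."""
    uid_in_hand = uid if uid is not None else secrets.token_bytes(32)
    for start in range(0, len(PASSCODE_SPACE), TRIES_PER_COPY):
        copy = dict(nand_image)                  # fresh copy: failed_attempts back to 0
        for pin in PASSCODE_SPACE[start:start + TRIES_PER_COPY]:
            if device_unlock(uid_in_hand, copy, pin):
                return pin
    return None


if __name__ == "__main__":
    uid, nand = provision_device("1234")
    print("on-device guessing:", guess_on_device(uid, dict(nand)))   # None: wiped
    print("copies, no UID:    ", guess_on_copies(nand, None))         # None: wrong hardware
    print("copies, with UID:  ", guess_on_copies(nand, uid))          # 1234: only if UID extracted
```

The last line of the demo is the case the article calls a no-go: the copy strategy only pays off once the UID has been pulled out of the chip, and without it the image on its own leaves the attacker facing the full 256-bit key space rather than 10,000 PINs.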

This is not a solution

To recap, Issa had a good idea, but Apple (and others) has already thought of it, and it has designed iPhone protections specifically to close off that path of attack. It's also why you needn't worry about your data if you lose your (locked) iPhone; defeating those protections would require a level of technical engineering that's too burdensome for even the FBI.

It's good to ask whether the FBI has exhausted all technical avenues at its disposal, but once you break down the question to specifics, you start to realize that Apple really has tried to think of everything with respect to iPhone security. Which is why we're here in the first place.
