As the saga around the San Bernardino iPhone continues, new details are trickling out in court documents about the phone and the government's investigation. Some of the details answer longstanding questions about the case while others raise more questions.
On Thursday, the government responded to Apple's motion to vacate, which the company filed last month asking the court to set aside an order that Apple build a special version of its operating system to help the FBI brute-force the passcode of an iPhone used by Syed Rizwan Farook. The government's main filing on Thursday was just 43 pages, but it also filed more than 400 additional pages of exhibits and other supporting documents. Here are a few of the new details we've learned.
The government and Apple have exchanged accusations over whether the government bungled its best chance of obtaining data from the phone when, after the shootings, the FBI instructed a county worker to reset the password on the phone's iCloud account.
Apple says the government erred in resetting the password. But according to an affidavit filed Thursday by Christopher Pluhar, a supervisory special agent with the FBI, the iPhone was never going to back up to iCloud after the government seized it, because Farook had apparently changed the iCloud account's password himself six weeks before the shootings, which the government contends disabled automatic iCloud backups. The last iCloud backup of the phone occurred on October 19. Three days later, on October 22, Farook or someone else used Apple's Web-based iForgot feature on the iCloud account. iForgot walks a person through resetting the iCloud password associated with the account.
In its main filing, the government asserts that by doing this, Farook disabled the automatic backup to iCloud.
"The evidence on Farook’s iCloud account suggests that he had already changed his iCloud password himself on October 22, 2015---shortly after the last backup---and that the autobackup feature was disabled. A forced backup of Farook’s iPhone was never going to be successful..."
According to Pluhar's affidavit, the iCloud logs the government obtained from Apple show that the Web-based iForgot password-change feature was used on the account on October 22, but Pluhar does not claim that this disabled iCloud backups. The government's main filing nevertheless asserts that it did, and cites Pluhar's affidavit as if he had said so.
Wired's Gadget Lab team conducted a test to see whether resetting the password through the iForgot feature would indeed disable automated backups. After resetting the password, a prompt appeared on the phone asking for the new password in order to conduct a user-initiated backup to iCloud. When our tester tapped "Cancel" on that prompt, the backup occurred anyway, without requiring the new password. Automated backups, which occur whenever the phone connects to a Wi-Fi network it has joined before, also did not appear to be disabled by resetting the iCloud password.
Even if Farook had not changed his iCloud password, the phone was never going to perform an automatic backup to iCloud after it was seized, because it was already powered off when authorities found it.
According to the government's documents, authorities found the phone in the center console of a Lexus owned by Farook a day after the shootings, after obtaining a warrant to search the vehicle. Because the phone was powered off, it could not have backed up to iCloud until the correct passcode was entered: on a fresh boot, the data-protection keys that unlock the file system are derived from the passcode and are not available until the passcode has been entered once.
"On a cold boot, the keys for data protection aren't in memory, so the phone won't connect to Wi-Fi, won't backup to iCloud, won't accept TouchID, won't do anything," says Dan Guido, CEO of Trail of Bits, a company that does extensive consulting on iOS security. "All that shit the FBI took for changing the iCloud password---it didn't matter, it wouldn't have worked anyway."
News reports have noted that if only San Bernardino County, which owns the iPhone in question, had enrolled the phone in a mobile device management (MDM) system, it could have controlled the device remotely, including clearing the passcode Farook had set on it.
It turns out the county had deployed an MDM system for its fleet of iPhones, but the system was not yet fully implemented, and the MDM application that provides remote administrative access had never been installed on Farook's phone, according to Pluhar's affidavit.
"I learned from [San Bernardino County Department of Health] personnel that the department had deployed a mobile device management (“MDM”) system to manage its recently issued fleet of iPhones, that the MDM system had not yet been fully implemented, and that the necessary MDM iOS application to provide remote administrative access had not been installed on the Subject Device," Pluhar wrote in his affidavit. "As a result, SBCDPH was not able to provide a method to gain physical access to the Subject Device without Farook’s passcode."
Although iOS 9, the version of Apple's operating system installed on Farook's phone, prompts users by default to create a six-digit passcode, authorities say the passcode they are trying to crack is only four digits long.
Pluhar notes that when authorities powered on the phone, "it presented a numerical keypad with a prompt for four digits."
The length of the passcode is significant because brute-forcing a four-digit numeric passcode is considerably faster and easier than brute-forcing a six-digit one, and a six-character alphanumeric passcode is harder still than one composed only of digits.
A four-digit numeric passcode has only 10,000 (10^4) possible values a password-cracker has to try. A six-digit numeric passcode has one million (10^6), according to Guido. A simple six-digit passcode composed of just numbers would take a couple of days to crack, but a more complex six-character passcode composed of letters and numbers could take more than five-and-a-half years, according to Apple.
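To make the keyspace comparison concrete, here is a small calculator, added here as an illustration and not drawn from the article or from any court filing. It assumes the figure Apple gives in its iOS Security Guide that the passcode key-derivation is calibrated so that one guess costs roughly 80 milliseconds, and it deliberately ignores the escalating lockout delays iOS adds after repeated failures, so every time it reports is a lower bound. Under that assumption the six-character lowercase-alphanumeric policy comes out at about 5.5 years, which is the figure Apple publishes; the four-digit and six-digit numeric policies come out at roughly 13 minutes and 22 hours of pure guessing.

```python
# Added example (not from the article or any filing): worst-case and
# expected brute-force cost of fixed-length iOS passcode policies.
#
# Assumptions, both labelled here and in the lead-in:
#   * ~80 ms per guess, the calibration Apple describes in its iOS
#     Security Guide for deriving the passcode key in the Secure Enclave.
#   * No escalating lockout delays and no auto-erase after 10 failures,
#     so results are a lower bound on real-world time.

SECONDS_PER_GUESS = 0.080              # assumption: Apple's ~80 ms figure
SECONDS_PER_YEAR = 365.25 * 86400

DIGITS = 10                            # 0-9
LOWER_ALNUM = 26 + 10                  # a-z plus 0-9

# Policies discussed in the article: Farook's 4-digit passcode, the iOS 9
# default of 6 digits, and Apple's "more than 5.5 years" alphanumeric case.
POLICIES = {
    "4-digit numeric": (DIGITS, 4),
    "6-digit numeric": (DIGITS, 6),
    "6-char lowercase alphanumeric": (LOWER_ALNUM, 6),
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passcodes under a fixed-length policy."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Time to exhaust the whole keyspace at a fixed cost per guess."""
    return keyspace(charset_size, length) * seconds_per_guess


def expected_seconds(charset_size: int, length: int,
                     seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
    """Mean time to hit a uniformly random passcode: half the keyspace."""
    return worst_case_seconds(charset_size, length, seconds_per_guess) / 2


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 2 * 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.2f} years"


def compare(policies=POLICIES) -> dict:
    """Keyspace size and worst-case seconds for each policy."""
    return {
        name: (keyspace(cs, n), worst_case_seconds(cs, n))
        for name, (cs, n) in policies.items()
    }


if __name__ == "__main__":
    for name, (size, worst) in compare().items():
        print(f"{name:32s} keyspace={size:>13,d} "
              f"worst={humanize(worst):>12s} "
              f"expected={humanize(worst / 2):>12s}")
```

The jump from 10^4 to 10^6 is what makes the four-digit passcode on Farook's phone the cheap case: two extra digits multiply the work by a hundred, and widening the alphabet from 10 to 36 symbols multiplies it by a further two thousand or so.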
The government has argued that even if the phone had backed up data to iCloud, it would still need Apple's help to gain access to the phone to physically extract other data that doesn't get backed up to iCloud. In its latest filing, the government revealed what some of that forensic data might include.
"[W]ith iCloud back-ups of iOS devices (such as iPhones or iPads)," Pluhar writes in his affidavit, "device-level data, such as the device keyboard cache, typically does not get included in iCloud back-ups but can be obtained through extraction of data from the physical device. The keyboard cache, as one example, contains a list of recent keystrokes typed by the user on the touchscreen. From my training and my own experience, I know that data found in such areas can be critical to investigations."
Phone owners can also exclude individual apps from iCloud backups in the phone's settings. "[B]ut the user data associated with apps excluded from iCloud back-ups by the user may still be obtained via physical device extraction," Pluhar notes. When authorities examined the settings recorded in the phone's last iCloud backup, they found that iCloud backups of "Mail," "Photos," and "Notes" were all turned off on Farook's phone.
April Glaser contributed to this report.