In fact, iOS has seen several security lapses lately that, while largely harmless to the average user, make it possible for well-resourced technicians to break into devices. In addition to checkm8, vulnerability broker Zerodium recently announced that due to a glut of iOS and Safari bugs it wouldn’t accept certain classes of Apple bug submissions for the next several months.
“There’s been a proliferation of iOS vulnerabilities recently,” says Johns Hopkins University cryptographer Matthew Green. “There was a brief period around 2015 when Apple’s security outpaced the commercially available exploit market, and that period seems to be over.”
It’s unclear exactly how the FBI got the passcodes it needed. But the agency’s success in cracking the iPhones in its possession seems to undermine its central argument that Apple and other companies allow criminals to “go dark” by providing strong encryption on consumer devices. As in 2016 with the San Bernardino case, agents got in eventually.
“Using a device with known security flaws, like the iPhone 7 Plus, or a device without the latest security features, like an iPhone 5 which lacks the Secure Enclave, is a straightforward way to ensure law enforcement can access your phone when needed,” adds Guido.
That may explain why the tenor of both Wray and Attorney General William Barr’s argument against encryption appeared to have shifted slightly. Rather than decrying the impossibility of gaining access, both Barr and Wray focused today on the investigatory costs of how long it took to do so. “The delay from getting into these devices didn’t just divert our personnel from other important work. It also seriously hampered this investigation,” said Wray. “Finally getting our hands on the evidence Alshamrani tried to keep from us is great, but we really needed it months ago, back in December, when the court issued its warrants.”
That timeline’s not quite right. Apple did respond to those early warrants, handing over what it describes as gigabytes of iCloud, account, and transactional data related to the case. The FBI didn’t tell Apple that there was a second iPhone, or that it was unable to access either device, until January 6. It’s unclear how much of the data the FBI found on Alshamrani’s devices had already been available through iCloud backups.
Despite the FBI’s repeated success in breaking into supposedly uncrackable iPhones, Barr insisted that Apple could design a back door that didn’t threaten to compromise iOS devices more broadly. “There is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement while maintaining very high standards of data security,” Barr said at today’s press conference. In fact, the landmark cryptography paper “Keys Under Doormats” by Bruce Schneier, among others, gives ample reasons why they can’t do that very thing.
Barr also signaled, though, that the Justice Department may no longer consider the courts as the best avenue to achieve that end. “The developments in this case demonstrate the need for a legislative solution,” he said, at another point suggesting that undermining encryption is a choice that Americans must make “through their representatives.”
Even so, all the FBI has proven today is that the choice remains moot. Weakening iOS encryption would threaten over 1 billion devices unilaterally. Why force that, when so many of them have vulnerabilities that sophisticated forensics labs can already exploit?
“I think the idea that iPhones are ‘unhackable’ is obsolete,” says Green. “I think we all need to adjust our expectations accordingly, particularly when governments demand that firms break or weaken their encryption.”
The Justice Department has more targets than just Apple; it has increasingly focused on Facebook’s encryption as an investigatory impediment as well. But as long as it’s this manageable to break into most iPhones, its complaints seem less urgent than ever.
This story has been updated with comment from Apple.
More Great WIRED Stories