Apple says investigators ruined best way to access terrorist data

A backup feature might have provided the FBI with a way to access data from the iPhone of a San Bernardino terrorist. But a change to the Apple iCloud password foiled that idea.

Sean Hollister Senior Editor / Reviews
When his parents denied him a Super NES, he got mad. When they traded a prize Sega Genesis for a 2400 baud modem, he got even. Years of Internet shareware, eBay'd possessions and video game testing jobs after that, he joined Engadget. He helped found The Verge, and later served as Gizmodo's reviews editor. When he's not madly testing laptops, apps, virtual reality experiences, and whatever new gadget will supposedly change the world, he likes to kick back with some games, a good Nerf blaster, and a bottle of Tejava.
Connie Guglielmo SVP, AI Edit Strategy
Connie Guglielmo is a senior vice president focused on AI edit strategy for CNET, a Red Ventures company. Previously, she was editor in chief of CNET, overseeing an award-winning team of reporters, editors and photojournalists producing original content about what's new, different and worth your attention. A veteran business-tech journalist, she's worked at MacWeek, Wired, Upside, Interactive Week, Bloomberg News and Forbes covering Apple and the big tech companies. She covets her original nail from the HP garage, a Mac the Knife mug from MacWEEK, her pre-Version 1.0 iPod, a desk chair from Next Computer and a tie-dyed BMUG T-shirt. She believes facts matter.
Expertise I've been fortunate to work my entire career in Silicon Valley, from the early days of the Mac to the boom/bust dot-com era to the current age of the internet, and interviewed notable executives including Steve Jobs. Credentials
  • Member of the board, UCLA Daily Bruin Alumni Network; advisory board, Center for Ethical Leadership in the Media
Sean Hollister
Connie Guglielmo
4 min read
Enlarge Image

Apple CEO Time Cook: "We have no sympathy for terrorists...But now the government has asked us for something we simply do not have, and something we consider too dangerous to create."

James Martin/CNET

There might have been an easier way.

According to senior Apple executives on Friday, the FBI might have been able to obtain data from an iPhone 5C belonging to Syed Farook, one of the San Bernardino terrorists, by connecting it to a familiar Wi-Fi network and having it create a new backup on Apple's iCloud service.

The idea was foiled, the executives say, because the password to the terrorist's iCloud account was reset shortly after the FBI took possession of the phone. That meant iCloud and the iPhone couldn't recognize each other, the executives said.

The FBI challenged Apple's characterization over the weekend, saying that even if the password hadn't been changed, it still needs access to the iPhone itself. "We know that direct data extraction from an iOS device often provides more data than an iCloud backup contains."

The password reset is the newest wrinkle in the standoff between the government and Apple, which received a court order this week compelling it to create a custom version of its iOS operating system that bypasses security features on the iPhone. Apple rejected the order, saying it will fight the government's request -- all the way to the Supreme Court, if necessary -- because it means creating a "master key" for all phones that will undermine privacy and security.

On Friday, the Department of Justice derided Apple, writing in a 35-page filing that the company's refusal to comply with the court "appears to be based on its concern for its business model and public brand marketing strategy." US presidential hopeful Donald Trump also weighed in, calling for a boycott of the iPhone if Apple doesn't comply. Meanwhile, tech industry leaders, including the CEOs of Google and Twitter, and privacy advocates, including Edward Snowden, have voiced their support for the company.

Apple already provided the FBI with access to Farook's iCloud backups through mid-October, when he apparently stopped iCloud to back up the iPhone provided to him by his employers. (Farook and his wife destroyed their personal phones before their attacks.) The data left on the phone is encrypted with 256-bit AES security, the same standard used to protect US government computers. That encryption makes a brute-force attack on the iPhone 5C by the FBI nearly impossible. Such an attack includes trying numerous passwords until the right one is found.

One of the FBI's key arguments for forcing Apple to unlock the phone is that agents believe Farook intentionally stopped backing up his work phone to Apple's iCloud service to keep some information secret, according to the February 16, 40-page DOJ request (embedded below) that led to the court order.

In January, while assisting the FBI and the DOJ with the ongoing investigation, Apple engineers suggested a simpler idea than bypassing the iPhone's passcode security. They recommended that the iPhone be connected to a known Wi-Fi network, such as one in Farook's home or workplace, and plugged into a power source so it could automatically create a new iCloud backup overnight. If successful, that backup might have contained the missing information between the October backup and December 2, when the San Bernardino massacre occurred.

It wasn't clear whether the auto-backup idea would work, but the FBI never got the chance to try, Apple said.

The FBI told CBS News on Friday that someone with San Bernardino County (Farook's employer, which actually owned the phone) remotely reset the password on Farook's account in the hours after the attack. In a tweet, San Bernardino County officials confirmed they changed the password on the iCloud account, saying the FBI asked them to.

The FBI confirmed it asked the county to reset the password for the iCloud account, but that it's goal is not just to access information stored in Apple's service. "Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple's assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone," the FBI said in an e-mailed statement.

"The government's objective was, and still is, to extract as much evidence as possible from the phone," the agency said.

According to senior Apple executives, the password reset meant that someone would need to log in to the phone and enter the new password before it could sync with Apple's iCloud servers again. That wouldn't be possible without knowing Farook's iPhone passcode, which is the very thing the FBI hopes to obtain by compelling Apple to modify its iOS software and bypass its own security features.

In the court order, a federal judge offered Apple the ability to use "an alternate technological means," if one existed, to provide the FBI with access to Farook's iPhone data. According to Apple, the auto-backup scheme was the best idea to date.

On Tuesday, Apple CEO Tim Cook said company engineers had been advising the FBI and cooperating with the investigation but that the call to rewrite iOS would create a "backdoor" into the iPhone that hackers and malicious governments could use to undermine the privacy and security of all iPhone users. The company on Friday asked for a three-day extension to file its appeal to the court order, and the deadline has reportedly been moved to February 26.

"We have no sympathy for terrorists," Cook wrote in an open letter to customers explaining Apple's decision to challenge the court's order. "But now the government has asked us for something we simply do not have, and something we consider too dangerous to create."

CNET's Terry Collins contributed to this report.

Update, February 21 at 3:58 p.m. PT: Adds comments from FBI.