ATF says no law enforcement agency could unlock a defendant's iPhone, but Apple can "bypass the security software" if it chooses. Apple has created a police waiting list because of high demand.
Apple receives so many police demands to decrypt seized iPhones that it has created a "waiting list" to handle the deluge of requests, CNET has learned.
Court documents show that federal agents were so stymied by the encrypted iPhone 4S of a Kentucky man accused of distributing crack cocaine that they turned to Apple for decryption help last year.
An agent at the ATF, the federal Bureau of Alcohol, Tobacco, Firearms and Explosives, "contacted Apple to obtain assistance in unlocking the device," U.S. District Judge Karen Caldwell wrote in a recent opinion. But, she wrote, the ATF was "placed on a waiting list by the company."
A search warrant affidavit prepared by ATF agent Rob Maynard says that, for nearly three months last summer, he "attempted to locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S. But after each police agency responded by saying they "did not have the forensic capability," Maynard resorted to asking Cupertino.
Because the waiting list had grown so long, there would be at least a 7-week delay, Maynard says he was told by Joann Chang, a legal specialist in Apple's litigation group. It's unclear how long the process took, but it appears to have been at least four months.
The documents shed new light on the increasingly popular law enforcement practice of performing a forensic analysis on encrypted mobile devices -- a practice that can, when done without a warrant, raise Fourth Amendment concerns.
Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
Ginger Colbrun, ATF's public affairs chief, told CNET that "ATF cannot discuss specifics of ongoing investigations or litigation. ATF follows federal law and DOJ/department-wide policy on access to all communication devices."
In a separate case in Nevada last year, federal agents acknowledged to a judge that they were having trouble examining a seized iPhone and iPad because of password and encryption issues. And the Drug Enforcement Administration has been stymied by encryption used in Apple's iMessage chat service, according to an internal document obtained by CNET last month.
Bypassing Apple's security
The ATF's Maynard said in an affidavit for the Kentucky case that Apple "has the capabilities to bypass the security software" and "download the contents of the phone to an external memory device." Chang, the Apple legal specialist, told him that "once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive" and delivered to the ATF.
It's not clear whether that means Apple has created a backdoor for police -- which has been the topic of speculation in the past -- whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET.
Mobile device users should take this as a warning that Google and Apple can provide access to data stored on an encrypted device at least in some circumstances, says Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project.
"That is something that I don't think most people realize," Soghoian says. "Even if you turn on disk encryption with a password, these firms can and will provide the government with a way to get your data."
An August 2012 article in MIT Technology Review by Simson Garfinkel, an associate professor at the U.S. military's Naval Postgraduate School, says "Apple customers' content" is so well-protected that often "it's impossible for law enforcement to perform forensic examinations of devices seized from criminals."
That depends largely, however, on the length of the passphrase or password that someone selects to protect a modern iOS device. (Because the original iPhone and iPhone 3G did not use hardware encryption, they were protected only by a passcode that could be easily bypassed.)
Elcomsoft claims its iOS Forensic Toolkit can perform a brute-force cryptographic attack on a four-digit iOS 4 or iOS 5 passcode in 20 to 40 minutes. "Complex passcodes can be recovered, but require more time," the company's marketing literature says. But the iPhone 5 doesn't appear in Elcomsoft's list of devices that can be targeted.
Garfinkel estimates that if a user chooses a six-digit passcode, the maximum time required to guess the number would be 22 hours, while a nine-digit PIN would require two and a half years. A 10-digit PIN would take 25 years. Average times, of course, cut those maximum brute-force durations in half, and that could be whittled down much further if it's possible to guess PINs a suspect is more likely to use.
The Kentucky case began when the defendant, 24-year old Mark Edmond Brown, was spotted by Lexington cops smoking the tires of a black Ford F-450 at 3 a.m. behind Tolly-Ho, a 24-hour restaurant on South Broadway known for its quarter-pound burgers. Lexington police say they approached the pickup truck and noticed two pistols in his lap -- a .40-caliber Taurus and a .357-caliber Glock -- and recorded the serial numbers before returning them to him.
The next day, police chased a black Cadillac Deville and, when the driver stopped and fled, say they recovered the same Glock handgun they previously spotted in Brown's possession.
Two Lexington police officers and an ATF agent visited Brown shortly afterward, who said, according to law enforcement, he had just returned from hauling horses and was waiting for "some females" to show up. He reportedly claimed he had been to a party at a hotel with a girl, got drunk, and lost the firearm, which he had regularly used at Bud's Gun Shop's shooting range. He also reportedly claimed to have sold the black Cadillac for $500.
A search of the abandoned Cadillac turned up two marijuana cigarettes in the ashtray, the ATF claims.
About a month later, also at around 3 a.m., Lexington police showed up at the Tolly-Ho restaurant again. This time they came at the request of the restaurant's security guard, who blamed Brown and an acquaintance, Chasmagic Lawton, for making a disturbance before leaving in the black F-450 pickup.
A few minutes later, Lexington police spotted the F-450 at a Speedway gas station less than a mile away. Brown was arrested for disorderly conduct and intoxication, and Lawton was nowhere to be found. One police officer, Sgt. Todd Phillips, told the ATF that "this behavior was very out of the ordinary for Brown, who is regularly very compliant with law enforcement."
ATF agent Maynard eventually arrested Brown in April on charges of receiving a firearm while under indictment for another crime. During that federal arrest, Maynard discovered that Brown possessed a receipt from a Chick-Fil-A and a white iPhone 4S that was locked.
Maynard's initial search warrant asked for "all recoverable data" that would "show any relationship" between Brown and Lawton, on the suspicion that a contact called "Bra-Bra" was really Lawton. Brown's lawyer argued that the ATF took too long to search the iPhone, and asked the court to throw any evidence obtained from it.
Judge Caldwell granted Brown's request to suppress the results from a search of his earlier phone during the Speedway gas station arrest, in which police copied down the contact list from his phone without a warrant. But Caldwell would not throw out the results from the federal arrest and search conducted with a warrant: "The court finds nothing in the record to demonstrate any evidence of bad faith or unnecessary delay in procuring assistance from Apple to unlock the phone."
Lawton pleaded guilty last year to being a felon in possession of a firearm. Brown signed a written agreement last month pleading guilty to one count of conspiracy to distribute less than five kilograms of crack cocaine. The agreement permits him to appeal his prison sentence if it's more than 9 years. Sentencing has not yet taken place.