clock menu more-arrow no yes mobile

Filed under:

San Bernardino Suspect's Apple ID Password Was Changed After Shooting

Justice admits the change "eliminated the possibility" of backing up the device to iCloud.

Apple Inc.

The Apple ID password for one suspect in the December 2015 San Bernardino mass murder changed in the hours after the shootings — a development that may have frustrated law enforcement’s ability to recover crucial information about the attack from his iPhone, Apple claims.

The Justice Department revealed that detail in a footnote to Friday’s court filing, in which the U.S. Attorney’s Office asked a federal district court judge to order Apple to help the FBI extract information from suspect Syed Farook’s iPhone — as the court ordered earlier this week.

In the aftermath of the Dec. 2 mass shooting that left 14 people dead and another 22 injured, someone working for Farook’s employer, the San Bernardino County Department of Public Health, reset the Apple ID password remotely in an attempt to access information that stored on Farook’s iCloud account, according to court documents.

That decision “eliminated the possibility” of retrieving this information through a backup to iCloud, the Justice Department admitted. The two alleged attackers — Farook and his wife, Tashfeen Malik — were killed in a shootout with law enforcement.

One senior Apple executive says this set up the current legal impasse between the Cupertino technology giant and the federal government, though the conflict over the widening use of encryption on consumer devices and its potential impact on criminal investigations has been brewing for more than a year.

Apple provided the FBI with technical help after the attack, and advised law enforcement to try to extract data from Farook’s iPhone by connecting it to a wireless network overnight, which might have triggered an automatic iCloud backup. Once the information was stored in the cloud, Apple could have recovered it and surrendered it to law enforcement under subpoena, said the executive, speaking on condition of anonymity because of the pending court case.

That didn’t happen, because an iPhone isn’t authorized to sync or backup with iCloud until the new password is entered into the device. The iPhone needs to be unlocked for that to happen.

It’s not entirely clear whether Apple’s proposed solution would have worked.

The Justice Department noted in court papers that iCloud backups from Farook’s device ended on Oct. 19 — six weeks before the attack. That leaves a gap in information about whom Farook spoke with and where he went in the days leading up to the incident, and immediately after — details the FBI wants to fetch from Farook’s iPhone.

Earlier this week, a judge ordered Apple to develop software that would disable a security feature that renders the iPhone inaccessible after 10 failed attempts to enter a passcode. Turning off “auto erase” would allow the FBI to make thousands — or even millions — of attempts to unlock the device, in its search for information about the attack.

Apple Chief Executive Tim Cook has argued that such a request, while technically feasible for a software and hardware company, is both unprecedented and dangerous. It opens the door to a potential flood of requests from law enforcement in the U.S. — and elsewhere around the globe, by the governments of China, Russia and Iran — the Apple source warns.

The court will hear arguments in the government’s request on March 22.

This article originally appeared on