Your iPhone may be small, but it has a clever amount of security built into it — and that's what makes it so hard for anyone, including the federal government, to access.
This is what the FBI wanted to do with the iPhone belonging to San Bernardino terrorism suspect Syed Farook. And the best way to break into an iPhone is to guess the passcode, which for most people is four-digits — or, for newer devices, six digits. (You can also use a custom alphanumeric password, but that's not the default.)
The FBI wanted to guess a bunch of passcodes until it guessed the right one. But this is what the bureau ran into:
You can try it on your iPhone now:
- After five incorrect guesses, your phone locks down for one minute.
- After nine incorrect guesses, it locks down for an hour.
- After 10 incorrect guesses, the phone deletes all its data — but this security features is turned off by default.
So even though the iPhone allows you to guess up to 12.5 pass codes per second, the default security makes it incredibly annoying and time-consuming to guess the passcode. But enabling the feature that self-deletes all of its data makes it virtually impossible for intruders to start guessing random passwords.
So the FBI wanted Apple to write software that disabled these features. That would look something like this:
Easy peasy. Even if a computer can only guess 12.5 passcodes per second, you could get through every six-digit possibility in just over 22 hours. For a four-digit passcode, you could get through every possibility in about 13 minutes.
Apple refused to do this, which is why the Justice Department filed a lawsuit to compel the company to help. But then the FBI came out and said it had found a way into Farook's phone, and dropped the suit.
How was it done?
We don't know.
My colleague Timothy B. Lee has a great collection of theories on how this might have been done — one of which involves "microscopic surgery" to extract the encryption key from the hardware. There were also reports that the FBI worked with the Israeli company Cellebrite, which reportedly signed a contract with the FBI in 2013. A law enforcement source said this isn't the outside group they worked with to hack the device Update: Bloomberg is now reporting that the FBI did indeed work with Cellebrite.
In case you're curious, here's the Cellebrite device that unlocks the iPhone:
Why it's scary that we don't know
As far as we know, the FBI has not told Apple how it got into Farook's phone. But in the cybersecurity world, experts believe the best-case scenario is to share security flaws so companies can protect consumers. The idea is that it's better for everyone to know about an open door, versus just a select few.
But already, the FBI has offered to help local enforcement agencies unlock phones, which hints they intend to hold onto this security flaw.
The FBI may be compelled to share this information under a new Obama administration process called the "equities review," which looks at whether security flaws it finds should be kept secret or shared, according to Bloomberg. But there is an exception for national security, and it's unclear whether this iPhone vulnerability would fall under that purview — because we don't know how the phone was hacked.
But whatever the method, those who work on cybersecurity are almost universally concerned. There is a way to break into your iPhone that someone out there knows about — and given that a third-party helped Apple, it's not just the FBI. But since the FBI hasn't disclosed the flaw, Apple users are not protected from it.
Correction: A previous version of this story incorrectly states that FBI Director James Comey told USA Today they did not work with Cellebrite. It was actually an anonymous law enforcement source — and now Bloomberg is reporting the FBI did indeed work with Cellebrite.