Apple Says Apple ID Password on Shooter's iPhone Changed in Government Possession, Losing Access to Data

[Bonte]

Someone has probably suggested this at this point, but would it be possible for Apple to just unlock the phone themselves without releasing the tools they use to do so?

That's what the FBI is asking, a device to insert an update so that the phone can be hacked by brute force, it's only a 9 number combination. But if they do that then China, Russia, Saudi Arabia, Turkey, India, Pakistan etc kan ask the same and Apple can't say no to that.

This is in effect a backdoor, at first only in the hands of Apple but the same court can then demand that the FBI get's this ability. If Apple creates this there is no way to stop the FBI from getting it.

 

[jahall05]

So I'm wondering, did they change the password so they could access information via icloud.com? And they didn't know that changing the password would require it to also be changed in the settings app on the device?

I doubt it. To change the password you need the current password. They probably did it to prevent someone from remotely wiping the phone if anyone else had the password to it. It was his employer's phone technically as it was used for work. I am curious why they don't use MDM on their employees' phones...would have made it pretty easy to access the phone later on I would think.

 

[zmunkz]

How were they able to change the pw without access to the phone?

 

[macfacts]

How do you not see if a court order forces Apple to break into this iPhone 5C, it also provides both a precedent and a proof of concept that could be applied to any phone Apple has ever sold or currently sells...

I do understand that the backdoor can be applied to other iphones but that is only after the police have gone to a judge and he approves and after Apple digitally signs the special version of iOS. The FBI or hackers can't sign the iOS package themselves, only Apple can do that. Only Apple has the key.

The problem is really simple, most people don't trust the courts it seems and believe they themselves will be in court one day. Don't do illegal things and you won't be in court. Simple.

 

[Bonte]

Apple cannot unlock your phone. Yes I know, no one believes this, but it's true.

Its only a 9 number combination, that is easily cracked. It's protected because it doesn't allow flooding of combinations but the FBI is asking for a forced update to make this brute force hack possible.

 

[upnorth85]

This shows the gross incompetence of our federal government. Many other goof ups are "classified" to hide the gross waste of tax payer funds. It is bit rich of the government to pursue this when it has goofed up big time.

 

[jahall05]

My interpretation is that they would have changed the password back to Farook's original password, so the phone could authenticate and do the auto-backup. But since they never had the original password, that wasn't possible.

How does one change their Apple ID password without knowing the original password? You have to enter your password and then enter the new password you want to change it to...?

 

[Bonte]

How were they able to change the pw without access to the phone?

Probably they changed the password of his Apple account via de website to access his iCloud, problem was that there was no complete backup. That is why they got acces to his iCloud account but they should have waited for the phone to do a backup. (if that was even enabled)

 

[Mac 128]

How were they able to change the pw without access to the phone?

This article is a mess, but what can you expect from a blog. Proper journalistic sources indicate a county employee reset the account's Apple ID password, probably a standard procedure for any employee who has left the company. It actually doesn't change anything on the phone, but it does have the affect of orphaning the phone from the Apple ID, since the password can't be changed on the phone too. It also prevents anyone from logging into the phone from the outside with the old Apple ID and wiping the phone.

 

[IHelpId10t5]

brilliant and if government won't do it, may some hacker would as a public service.

We'll call it the "Dox clause." It should also be placed in any legislation associated with anti-encryption, warrantless wiretapping, or anti-net neutrality as well.

 

[gnasher729]

I get this part. I just think in this one case - what does it matter? Either Apple can assist them via the cloud or (if possible) through THAT device. I'm not talking about long term plans to make ALL phones with a backdoor. I just see little differenced in this specific case.

Apparently there is a rather old backup on iCloud, and Apple delivered that to the FBI. And I don't think Apple needs your password for that. Of course the FBI wants all data, including newer one. Now Apple had the great idea that you could make the iPhone backup its data to iCloud and then pick the data up on iCloud - no need to break into the phone at all. And that would have worked except some nincompoop changed the iCloud password. So that iPhone can't backup its data onto iCloud anymore. Unless you unlock it and enter the new iCloud password (but you can't unlock the phone). Or if you change the iCloud password back to the one that the phone knows (but they don't know the old password).

I assume that someone (not Apple) tried to recover the iCloud data and couldn't because they didn't know the password. But they could change the password, and then access the data with the changed password. Just like you would do if you forgot your password, you just reset the password, enter a new one, and get all the data. Apple could have done that without the password, and now the old password is gone.

 

[Thunderhawks]

How is Obama going to escape from this mess? Is someone going to accidentally destroy the phone?

If this problem gets solved as things usually get solved in America, somebody will shoot Tim Cook.

Enough mental patients running around with guns to solve issues THEIR way, since the government isn't doing anything about it.

 

[macfacts]

That's what the FBI is asking, a device to insert an update so that the phone can be hacked by brute force, it's only a 9 number combination. But if they do that then China, Russia, Saudi Arabia, Turkey, India, Pakistan etc kan ask the same and Apple can't say no to that.

This is in effect a backdoor, at first only in the hands of Apple but the same court can then demand that the FBI get's this ability. If Apple creates this there is no way to stop the FBI from getting it.

If Apple wants to do business in China or India, they have to follow the laws in those countries, including court orders.

Do you know the Chinese Government already has the iOS source code? Given by Apple because they do business in China. Do you know what stops them from hacking all iphones world wide? The Chinese Government doesn't have the keys needed to digitally sign a iOS package. Only Apple has that.

 

[Mac 128]

Probably they changed the password of his Apple account via de website to access his iCloud, problem was that there was no complete backup. That is why they got acces to his iCloud account but they should have waited for the phone to do a backup. (if that was even enabled)

Apple evidently stated they were surprised that when they tried to do the automatic backup overnight at the county facility in which he worked, that they were surprised it didn't work. That almost implies to me that Apple has a way to enable iCloud backup remotely using the Apple ID. I don't pretend to understand how iCloud works entirely, but I do know in order to restore a phone you have to turn off Find My iPhone. Maybe as long as that was on, Apple could send remote commands for iCloud functions? Or maybe the guy had turned off wifi, using only LTE, in which case the backups would have stopped. I would think at a minimum, Apple would be able to see the last reported iCloud setting associated with the phone ... In other words, they would have possibly known whether iCloud backup settings were on or off. Wifi can be turned on and off from the lock screen.

 

[Rigby]

you'd have to make sure they're encrypted with a strong password, and also not have the password saved anywhere.

Itunes backups could (potentially) be brute forced because no stepping exists in iTunes if the wrong password is entered; it could be attempted repeatedly.

iTunes uses a computationally expensive hash function (10,000 rounds of PBKDF2) to derive the key from the password. Unless you use an easy to guess or short password, it is not possible to brute force it in practical time.

There must be a reason Apple suggested it first (idea #2 according to the FBI)

They were probably hoping that the user didn't enable encryption in iTunes (it's off by default and most people probably don't care to enable it).

 

[Bonte]

Apple evidently stated they were surprised that when they tried to do the automatic backup overnight at the county facility in which he worked, that they were surprised it didn't work. That almost implies to me that Apple has a way to enable iCloud backup remotely using the Apple ID. I don't pretend to understand how iCloud works entirely, but I do know in order to restore a phone you have to turn off Find My iPhone. Maybe as long as that was on, Apple could send remote commands for iCloud functions? Or maybe the guy had turned off wifi, using only LTE, in which case the backups would have stopped. I would think at a minimum, Apple would be able to see the last reported iCloud setting associated with the phone ... In other words, they would have possibly known whether iCloud backup settings were on or off. Wifi can be turned on from the lock screen.

If they changed his Apple ID the FBI could access the iCloud data, no problem except that there was a week missing. Apple proposed to use the autobackup feature when connected to a trusted wifi network but that didn't work because the password was changed by the company when he left.

 

[gnasher729]

How do you not see if a court order forces Apple to break into this iPhone 5C, it also provides both a precedent and a proof of concept that could be applied to any phone Apple has ever sold or currently sells...

Apple _could_ break into this phone, send the FBI a _huge_ bill (you need a highly paid specialist to do this work, it has to be thorougly tested because you probably have only one go and any bug in this software could permantly prevent any access to the phone, it has to be done in an absolutely safe environment totally separated from the internet to make sure nothing leaks out), and then thorougly destroy everything. Crush the computer that was used to develop this hack. No backups, obviously.

And if the FBI then comes with 10 more phones, Apple takes the first one, the same engineer writes the same code, the same huge bill, and then the second phone, with the same huge bill... After all, even if Apple can be forced to support the FBI in the investigation of a crime (which Apple thinks the FBI can't), surely Apple cannot be forced to support the FBI in the investigation of crimes that haven't yet happened.

 

[Tycho24]

So the FBI screwed up and Apple has to pay the price... Sigh.

(not understanding all the upvotes)
I'd be VERY VERY VERY VERY VERY happy, were this comment true.
However... it is NOT!
The FBI screwed up... & they want ALL of us to pay the price, by giving up our freedom and liberty forever.
That's not a price that Apple can pay for us- it is something we'd lose & never get back.
While Apple is indeed fighting the good fight for us; WE are the ones standing to lose something, NOT them.
The government wants a secret backdoor that they could then exploit ANY time, with or without just cause... eroding privacy, freedom, and civil liberties in America; not trade secrets of Apple.
This is an attack on US (we the people).
I find it sad & bemusing that was somehow missed by so many... & they see this as a fight where it's Apple vs DOJ, NOT what it actually is: DOJ vs "the people".... whilst attempting to use Apple as a weapon.

 

[Bonte]

If Apple wants to do business in China or India, they have to follow the laws in those countries, including court orders.

So Apple needs to cooperate with the investigation to behead a women who had sex outside marriage? The better option seems to me to increase security so this question can't be asked, that is why Apple doesn't want to cooperate with this backdoor, it would change everything.

 

[Designer Dale]

How did the password change?

According to Reuters, The FBI asked County officials to change it.

http://www.reuters.com/article/us-apple-encryption-doj-idUSKCN0VS2FT

"San Bernardino County reset the password on the iCloud account at the request of the FBI, said county spokesman David Wert."

"The government first disclosed the identification change in a footnote to its filing Friday. The Apple executives said that the reset occurred before Apple was consulted. The Justice Department declined to comment on that contention"

Note: An iCloud account can be modified from any computer or device with Internet access.

Dale

 

[gavroche]

I'm surprised no-one is discussing an entirely different possibility:
1) The US Government already has a method of hacking in to this and other phones, and really doesn't need Apple's help...
2) They proposed this lawsuit trying to "compel" Apple into finding a way to hack in in order to give potential future targets a false sense of security thinking that they are safe from hacking...
3) That it's a win win for both parties. Apple gets lots of free media coverage about how 'secure' their devices are, as well as lots of credit for taking the moral/ethical high ground. The government gets lots of criminals and terrorists to think they can use these devices as a safe method of not being accessible.
4) When governments are involved (especially when dealing with the kinds of agencies involved), the information we see publicly is often not the real issue or all of the issue.

Just my opinion...

P.S. I understand the argument that Apple makes that if it creates a back door, other governments can compel its use in whatever circumstances they deem necessary (and that those reasons might not be as altruistic as those in the current case). But i see a large flaw in that argument. Those other foreign countries don't need to wait until a back door has been created to compel its use. They could likewise compel its creation to begin with, just as this government is currently trying to do (as Apple has basically not denied its ability to do what is being asked, just that it should not). This naive argument assumes that only one government, the US government, has the ability or audacity to compel a company to do something.

 

[Rigby]

How does one change their Apple ID password without knowing the original password? You have to enter your password and then enter the new password you want to change it to...?

They reset the password in the same way as someone who forgot their password can reset it if they can provide certain information.

 

[Arndroid]

Maybe I'm confused - and I probably am having read it quickly. But if Apple could have helped them before the password change but won't after - really - what's the difference. Not that I'm saying that Apple should help the FBI. But how genuine is their statement? You're either going to break into someone's phone or not. What difference does it make if the password has been changed?

Apple can't break into a phone to retrieve data. However due to the nature of iCloud that data is not encrypted. This is not a secret or something being hidden. It is a trade off for the convenience of cloud backups. Since that data is stored on apple's servers they share the data with law enforcement when presented with a proper warrant. They have always disclosed this.

If you want to avoid that then you should only back up to your own encrypted computer. In this case the password change made it impossible for a locked device to continue to backup to iCloud. Apple didn't do anything different before and after the password change. Because the county changed the password the potential for more recent data to be uploaded to the cloud became impossible. Thus there was and is no additional data for Apple to share.
[doublepost=1455987964][/doublepost]

ITS ONLY ONE PHONE, HOW MANY DIED... SMARTEN UP.... DON'T GET STUPID ON US

This just in but they solved the case already.

 

[Rogifan]

I get this part. I just think in this one case - what does it matter? Either Apple can assist them via the cloud or (if possible) through THAT device. I'm not talking about long term plans to make ALL phones with a backdoor. I just see little differenced in this specific case.

But Apple is saying if they do it once they've told the world they can do it and if it's asked for once it will be asked for again. It's basically opening a Pandora's box that Apple doesn't want to open. One question I have is, how much valuable information is even on this device? The guy destroyed his personal phone, and computer hard drives can't be found. Why would he not have destroyed this work phone too if it contained information about the crime, connections with terrorist organizations, etc.

 

[dennysanders]

How does one change their Apple ID password without knowing the original password? You have to enter your password and then enter the new password you want to change it to...?

or you can try answering security questions or sending yourself a reset password email. maybe they had access to his email account.