Note To Readers: This report is based on the assumption that Apple is on the up-and-up about their refusal to create backdoor tools for the FBI. As we know, however, intelligence agencies are experts at disinformation, so for all we know it is possible that backdoors already exist and what we have witnessed this week insofar as the encryption debate is concerned could be a psy-op designed to convince the public that their encryption is unhackable by government agencies. From a security perspective, we must assume that no electronic device is safe from prying eyes, as most theories on these matters are based on publicly known technologies and do not take into account top secret developments with quantum computing or advanced DARPA initiatives.
Earlier this week Apple CEO Tim Cook wrote an open letter to the American public about the FBI’s attempts to compel the company to crack the iPhone of the San Bernadino Jihad attackers, saying that such a tool for the government is too dangerous to create. Google, Facebook and Twitter have now joined Apple in the phone encryption battle.
As explained by The Intercept, here’s a brief overview of what the FBI wants Apple to do:
The most obvious way to try and crack into your iPhone, and what the FBI is trying to do in the San Bernardino case, is to simply run through every possible passcode until the correct one is discovered and the phone is unlocked. This is known as a “brute force” attack.
One obstacle to testing all possible passcodes is that the iPhone intentionally slows down after you guess wrong a few times. An attacker can try four incorrect passcodes before she’s forced to wait one minute. If she continues to guess wrong, the time delay increases to five minutes, 15 minutes, and finally one hour. There’s even a setting to erase all data on the iPhone after 10 wrong guesses.
This is where the FBI’s requested backdoor comes into play. The FBI is demanding that Apple create a special version of the iPhone’s operating system, iOS, that removes the time delays and ignores the data erasure setting. The FBI could install this malicious software on the San Bernardino killer’s iPhone, brute force the passcode, unlock the phone, and access all of its data. And that process could hypothetically be repeated on anyone else’s iPhone.
The problem the FBI has is that the iPhone and other phones out there require a time-delay between passcode entries. Moreover, when a series of wrong passcodes is entered the delay is extended to as much as one hour, so even the fastest computer on the planet is rendered impotent while it waits for this delay to reset.
So the FBI is stuck using your iPhone to test passcodes. And it turns out that your iPhone is kind of slow at that: iPhones intentionally encrypt data in such a way that they must spend about 80 milliseconds doing the math needed to test a passcode, according to Apple. That limits them to testing 12.5 passcode guesses per second, which means that guessing a six-digit passcode would take, at most, just over 22 hours.
A six-digit passcode can be unlocked by the FBI in roughly a day. But according to the math behind the security feature, adding just 5 more digits could make hacking the phone in your lifetime almost impossible with current computing technologies (we’ll save quantum computing concepts for another time):
What if you use a longer passcode? Here’s how long the FBI would need:
- seven-digit passcodes will take up to 9.2 days, and on average 4.6 days, to crack
- eight-digit passcodes will take up to three months, and on average 46 days, to crack
- nine-digit passcodes will take up to 2.5 years, and on average 1.2 years, to crack
- 10-digit passcodes will take up to 25 years, and on average 12.6 years, to crack
- 11-digit passcodes will take up to 253 years, and on average 127 years, to crack
- 12-digit passcodes will take up to 2,536 years, and on average 1,268 years, to crack
- 13-digit passcodes will take up to 25,367 years, and on average 12,683 years, to crack
As The Intercept notes, remembering a totally random 11-digit passcode may seem like a daunting task, but anyone who was around before cell phone contact lists probably had at least five to ten different phone numbers memorized for family and close friends. This is essentially the same thing.
As a side note, using your phone’s fingerprint scanner as the primary mechanism for security is not sufficient.
First, a determined hacker, especially a state-sponsored one, could easily find a way to get your fingerprint, just as was done to Germany’s Minister of Defence in 2014 when hackers used internet photos of her hand to re-create her fingerprint. Second, and perhaps more importantly, a Virginia court has ruled you can be forced by police to unlock a phone or computer with your fingerprint – but not your password:
A Virginia state trial court held that a suspect “cannot be compelled [by the police] to produce his passcode to access his smartphone but he can be compelled to produce his fingerprint to do the same.”
Judge Frucci ruled that phone passwords were entitled to protection under the Fifth Amendment’s promise that no person “shall be compelled in any criminal case to be a witness against himself.”He stressed that the password existed only in the defendant’s mind, and thus compelling the defendant to provide a passcode constituted a testimonial communication. The Fifth Amendment protects against such compulsion.
We live in a brave new world, and while you may think you have nothing to hide, keep in mind that with the literal millions of laws on the books in the United States the average American commits three felonies per day. Thus, if a law enforcement agency were to target you, they would most certainly find evidence of wrong doing and you can be assured that your phone will be one of the first pieces of evidence they will target.