Apple, FBI, and the Burden of Forensic Methodology

The best overview of the technical aspects of what the FBI is asking Apple to do is at Zdziarski’s blog starting on his February 18 post “Apple, FBI, and the Burden of Forensic Methodology” (linked above) and subsequent follow-up posts. The most frightening section there was:

FBI has asked to do this wirelessly (possibly remotely), which also means transit encryption, validation, certificate revocation, and so on.

I have seen virtually no commentary about this point, which I think is a big, big issue. In previous data extraction cases, Apple took extensive precautions, including requiring investigators to physically transport the iPhone to the Apple facility and isolating the unit within a Faraday cage. In other words, law enforcement had to have physical possession of the device. As many security researchers have pointed out in the past, with physical access it is almost guaranteed that the attacker will find some way to read some or all of the data stored on a device.

With an over-the-air attack tool, anyone who finds a way to bypass the supposed safeguards of the tool could target anyone at any time; they would not need physical access to the device. That makes it significantly easier for an attacker to bypass the security features and unlock the targeted iPhone. And once that happens, they can do just about anything they want, including loading malware, wiping the device, or dumping its data. With a sufficiently sophisticated tool paired with an over-the-air attack, the owner might not even know that their iPhone has been compromised.