Chris Welch at The Verge has an update on the Pensacola Naval Air Station shooting. The gunman had a couple of iPhones; Attorney General William Barr and the FBI asked Apple to unlock them, and Apple said no. The FBI was finally able to get the data it needed without Apple’s help (likely using a GrayKey) and made some false claims (again) about how Apple could design its products, if only math were magical:
“Apple’s decision has dangerous consequences for the public safety and the national security and is, in my judgement, unacceptable,” Barr said. “Apple’s desire to provide privacy for its customers is understandable, but not at all costs. There is no reason why companies like Apple cannot design their consumer products and apps to allow for court-authorized access by law enforcement, while maintaining very high standards of data security. Striking this balance should not be left to corporate board rooms.”
Throughout the recent debates on encryption policy, Apple has insisted that it’s impossible to create a “backdoor” in the way that Barr describes since any such tool could fall into the wrong hands and dismantle the security of iPhones globally. The company has regularly handed over iCloud backup data where available, and according to a Reuters report from earlier this year, Apple abandoned plans to fully encrypt those backups due to FBI complaints. But it has steadfastly refused to compromise the local storage of iPhones. “Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data,” CEO Tim Cook said in 2016.
Apple’s design of the iPhone isn’t a decision to make the job of the FBI difficult; it’s the byproduct of a well-designed and secure product. The fact that the FBI has such difficulty unlocking it should be a selling point for the iPhone. The fact that they can eventually unlock it should be a motivation for Apple to double its efforts in encrypting and securing the device.
My guess is the GrayKey was used to access the device, and the passcode was likely a 4- or 6-digit numeric passcode, which only takes a few hours or days for a GrayKey to guess. Maybe this guy knew what he was doing and used a longer passcode; the FBI is never going to tell us. But if you are at all concerned about your local government accessing your iPhone, a long alphanumeric passcode (at least 8 characters or longer) will take about a decade to guess (unless they get really lucky on the first guess).