Lockdown: Apple could make it even tougher to hack Phones

February 24, 2016 by Michael Liedtke
Protesters carry placards outside an Apple store Tuesday, Feb. 23, 2016, in Boston. Demonstrators are expected to gather in a number of cities Tuesday to protest the FBI obtaining a court order that requires Apple to make it easier to unlock an encrypted iPhone used by a gunman in December's shooting in San Bernardino, Calif. (AP Photo/Steven Senne)

Suppose the FBI wins its court battle and forces Apple to help unlock an iPhone used by one of the San Bernardino killers. That could open all iPhones up to potential government scrutiny—but it's not the end of the story.

Turns out there's a fair bit both individuals and Apple could do to FBI-proof their phones and shield private information from investigators and cybercriminals alike. Those measures include multiple passcodes and longer, more complex ones.

Of course, increased security typically comes at the expense of convenience. Most efforts to improve phone security would make the devices harder to use, perhaps by requiring you to remember more passwords.

Making it more difficult for law enforcement to crack open iPhones could also spur legal restrictions on phone security, something that neither Apple nor other technology companies want to see.

"They are walking a tightrope," says Mark Bartholomew, a law professor at the State University of New York at Buffalo who specializes in privacy and encryption issues. Requiring longer passcodes might annoy most Apple users, he says, while boosting phone security "sort of amplifies the whole argument that Apple is making things too difficult and frustrating officials."

A New York police officer stands outside the Apple Store on Fifth Avenue while monitoring a demonstration, Tuesday, Feb. 23, 2016, in New York. Protesters assembled in more than 30 cities around the world to lash out at the FBI for obtaining a court order that requires Apple to make it easier to unlock an encrypted iPhone used by a gunman in December's mass murders in California. (AP Photo/Julie Jacobson)

Apple had no comment on any future security measures. In a recent letter to customers, it noted that it has routinely built "progressively stronger protections" into its products because "cyberattacks have only become more frequent and more sophisticated."

In the current fight, the FBI aims to make Apple help it guess the passcode on the work phone used by Syed Farook before he and his wife killed 14 people at an office party in December. The FBI wants Apple to create special software to disable security features that, among other things, render the iPhone unreadable after 10 incorrect guesses.

Apple has resisted, maintaining that software that opens a single iPhone could be exploited to hack into millions of other devices. The government insists that its precautions would prevent that, though security experts are doubtful.

Should the FBI prevail, it would take computers less than a day to guess a six-digit passcode consisting solely of numbers, the default type of passcode in the latest version of the iPhone operating system. Even with security features disabled, each passcode guess takes 80 milliseconds to process, limiting the FBI to 12.5 guesses per second.

For security-conscious individuals, the simplest protective move would be to use a passcode consisting of letters and numbers. Doing so would vastly increase the amount of time required to guess even short passcodes. Apple estimates it would take more than five years to try all combinations of a six-character passcode with numbers and lowercase letters. Adding capital letters to the mix would extend that further.

A pedestrian walks by the Apple Store on Fifth Avenue while avoiding a small demonstration held along the sidewalk, Tuesday, Feb. 23, 2016, in New York. Protesters assembled in more than 30 cities around the world to lash out at the FBI for obtaining a court order that requires Apple to make it easier to unlock an encrypted iPhone used by a gunman in December's mass murders in California. (AP Photo/Julie Jacobson)

Changing to an alphanumeric code is as simple as going into the phone settings and choosing "Touch ID & Passcode," then "Passcode options."

Another option is simply to pick a much longer numeric code. An 11-character code consisting of randomly selected numbers—that means no references to birthdays or anniversaries that could be easily guessed—could take as long as 253 years to unlock.
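
The arithmetic behind these estimates, as an added example that is not part of the original article. It assumes a passcode chosen uniformly at random, the 80-millisecond-per-guess rate cited above with the retry limit disabled, and 365.25-day years; the function names are illustrative.

```python
# Added example (not from the article): exhaustive-search time for a passcode
# at the 80 ms-per-guess rate the article cites, assuming the retry limit and
# delays are disabled and the passcode is chosen uniformly at random.
SECONDS_PER_GUESS = 0.080            # article: 80 ms per attempt (12.5 per second)
SECONDS_PER_YEAR = 365.25 * 86400    # assumption: Julian year

# Alphabet sizes for the passcode types the article mentions.
ALPHABETS = {"digits": 10, "digits+lowercase": 36, "digits+lower+upper": 62}

def worst_case_seconds(alphabet_size, length):
    """Time to try every passcode of exactly `length` symbols."""
    return (alphabet_size ** length) * SECONDS_PER_GUESS

def expected_seconds(alphabet_size, length):
    """Average time: a random passcode falls halfway through the search."""
    return worst_case_seconds(alphabet_size, length) / 2

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def min_length(alphabet_size, target_years):
    """Shortest passcode length whose full search takes >= target_years."""
    length = 1
    while worst_case_seconds(alphabet_size, length) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length

if __name__ == "__main__":
    # The three cases quoted in the article.
    for name, length in [("digits", 6), ("digits+lowercase", 6), ("digits", 11)]:
        size = ALPHABETS[name]
        print(f"{length:>2} x {name:<18} worst {humanize(worst_case_seconds(size, length)):>12}"
              f"  average {humanize(expected_seconds(size, length)):>12}")
    # Policy view: how long must a passcode be to hold out for 5 years?
    for name, size in ALPHABETS.items():
        print(f"{name:<18} needs length >= {min_length(size, 5)}")
```

The worst-case figures match the article's numbers; the average case for a random passcode is half of each.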

But longer, more complex codes are harder to remember, and that's probably why Apple hasn't yet required their use. It could, however, easily do so. In fact, iPhones moved to six-digit passcodes from four last September.

Apple may have other tricks up its sleeve. For instance, the company could add additional layers of authentication that would thwart the security-bypassing software the FBI wants it to make, says computer security expert Jonathan Zdziarski.

Apple phones rely on a feature known as the "secure enclave" to manage all passcode operations. The software demanded by the FBI would alter the secure enclave, Zdziarski says. But the software couldn't do so if the secure enclave required the user passcode to approve any such changes.

"This is probably the best way to lock down a device," Zdziarski says.

Apple could also require a second passcode whenever the phone boots up; without it, the phone wouldn't run any software, including the tool the FBI is requesting. "It would be like putting a steel door on the phone," Zdziarski says. Currently, iPhones automatically load the operating system before asking for a passcode.

For now, Apple CEO Tim Cook is focusing on winning the current battle with the FBI in a Southern California federal court while also trying to sway public opinion in the company's favor. The skirmish could go all the way to the U.S. Supreme Court.

In the meantime, Apple is probably already working on improvements for the next version of the iPhone that it will probably announce in June and release in September.


8 comments


Iochroma
not rated yet Feb 24, 2016
Gov't boobs will not win this, even if they win this battle.
They should sit down and STFU.
kochevnik
3 / 5 (2) Feb 24, 2016
People worship psychopaths, so they rule. There is a psychopathy test but people prefer eating shiyte and let Soros do the decision making
obama_socks
1 / 5 (1) Feb 24, 2016
@Koch
Soros is old and doesn't have very much time left. He can't take his wealth with him, and in due time he will pay for his sins. But don't hold your breath waiting for him to reform his ways. Soros and Otto are very similar...evil to the extreme.
I thought that Soros had dual citizenship with the US and Israel, but he only has it with US and Hungary. Big let-down.
obama_socks
1 / 5 (1) Feb 24, 2016
Gov't boobs will not win this, even if they win this battle.
They should sit down and STFU.

They have government jobs and they think that they're invincible. If Apple doesn't win this, millions of people will stop using Apple products if they have been compromised.
IronhorseA
1 / 5 (2) Feb 25, 2016
Gov't boobs will not win this, even if they win this battle.
They should sit down and STFU.

They have government jobs and they think that they're invincible. If Apple doesn't win this, millions of people will stop using Apple products if they have been compromised.


One less tool for terrorists to easily get a hold of.
freeiam
not rated yet Feb 25, 2016
It's important to note that the secure enclave isn't altered by the proposed firmware update.
The point is that the number of tries and passcode entry delay is currently done by software while it should be handled by the secure enclave itself (for example by an internal timer and false passcode entry count).
Apple will implement that in a next step, but it will take some time because it has to be done in its VHDL design.
gkam
2.3 / 5 (3) Feb 27, 2016
Big Brother has NO right to my private dealings.

Do NOT let them win this.
gkam
2.3 / 5 (3) Feb 27, 2016
Having served in "electronic reconnaissance" in the service, I understand what they can do. Having served as Deputy Foreperson on a Federal Criminal Grand Jury for 24 months in 70 sessions, I know what they will do with it.

Do not let them!
