Apple vs US Government

[DrazharLn]

Technical feasibility:

The FBI want a custom firmware for the iPhone that lets them try the PIN code as many times as they like - letting them brute force the phone.

They have physical access to the device, but can't load firmware of their own onto it (even if they could write their own patch) because the iPhone will only trust firmware updates if they're signed by apple.

So, apple could, if they liked, mod their current firmware to remove the PIN code attempt limit, but only on phones were IMEI=blah, for example. They then sign the code and give it to the FBI. The FBI can now load this code onto any iPhone they like, but it will only produce different behaviour for the target device.

The FBI can't change the firmware they get because if they do, the signature won't match and no phone will load it.

If IMEI numbers are stored in vulnerable storage, apple could choose a better unique identifier and/or push an update to all the other phones blacklisting the firmware update that they sent to the FBI.

Technically, this can be done in a limited way. The slippery slope comes from judicial/cultural precedent rather than technical vulnerability.

[Rusty Edge]

Technical feasibility:

The FBI want a custom firmware for the iPhone that lets them try the PIN code as many times as they like - letting them brute force the phone.

They have physical access to the device, but can't load firmware of their own onto it (even if they could write their own patch) because the iPhone will only trust firmware updates if they're signed by apple.

So, apple could, if they liked, mod their current firmware to remove the PIN code attempt limit, but only on phones were IMEI=blah, for example. They then sign the code and give it to the FBI. The FBI can now load this code onto any iPhone they like, but it will only produce different behaviour for the target device.

The FBI can't change the firmware they get because if they do, the signature won't match and no phone will load it.

If IMEI numbers are stored in vulnerable storage, apple could choose a better unique identifier and/or push an update to all the other phones blacklisting the firmware update that they sent to the FBI.

Technically, this can be done in a limited way. The slippery slope comes from judicial/cultural precedent rather than technical vulnerability.

Thank you for this explanation.

[DrazharLn]

You're welcome

[binTravkin]

There are quite a few good explanations on the Web on what is going on in this case.

Here are key points.
Q: Why has Apple done this in past but not now?

A1: New system. Strong encryption and borderline unhackable. The phone decides itself whether it wants to trust someone. Even Apple does not have "full access"to it unless they specially code such (and that's one of the things FBI is requesting).
A2: FBI screwed up. Apple can use an iCloud backup and get data out of that. For that to happen, Phone has to have original Apple ID and be connected to "trusted network" (like user's home WiFi). FBI blew both of those like a bunch of people from 20th century with no idea about security or phones.


Q: What does FBI request Apple to do?

A: To make iPhone hackable again. In short, the root of the debate as a whole is - "is strong encryption legal". FBI thinks it shouldn't although they are not explicitly saying it (I guess).

In short, FBI are acting like monkeys in porcelain shop.
They don't know what they are doing with what they have - blew both necessary technical parts that they could use.
They don't realize the super steep slippery slope that is guaranteed to happen (see RIM vs Saudi Arabia encryption case, others) if history is any measure.
They are using a super vague legal ground for it, which is probably long overdue for rehaul/stripping from U.S. legal code - the All Writs Act. This is another slippery slope all by itself.

And the best.
They are (purportedly) doing this because "there may be data on the iPhone which would help the investigation".
May. If not deleted, not never written down to it, not obtained already in other ways (e.g. calls are already available from operators) and not encrypted with additional keys which are outside of Apple's possibilities.