Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Terrorist changed iCloud password, disabled auto-backups on his iPhone

Gregg Keizer | March 15, 2016
Government claims 'a forced backup...was never going to be successful,' as it again rebuts Apple's contention that it should have left the device alone.

According to the DOJ's brief, Apple's contention that if authorities had simply let the device reconnect to a known Wi-Fi network -- Farook's home network, for example -- and waited for a backup to initiate, was moot. The government cited the changed iCloud password, the disabling of auto-backup, and the fact that the phone was found powered off as reasons.

"A forced backup of Farook's iPhone was never going to be successful," the government claimed in its brief last week which rebutted Apple's objections to the court order.

The San Bernardino County Department of Public Health may not have had the iCloud password for the account Farook used, but it did have the ability to reset the password; it was that password reset that the FBI leveraged to access the Oct. 19 backup to iCloud.

But significant parts of the content on Farook's iPhone were not backed up to iCloud, said Pluhar. "Each of the restored exemplars [the target iPhones which were loaded with the Oct. 19 backup] includes restored settings, and those settings showed that, for example, iCloud back-ups for 'Mail,' 'Photos,' and 'Notes' were all turned off on the Subject Device," Pluhar said.

The FBI agent also contended that some data was available only on the iPhone, including the keyboard cache, a record of the recent keystrokes. "The keyboard cache, as one example, contains a list of recent keystrokes typed by the user on the touchscreen. From my training and my own experience, I know that data found in such areas can be critical to investigations," Pluhar swore.

Interestingly, Farook's iPhone had the remote-wipe feature of the "Find My iPhone" service disabled. "The remote-wipe function was not activated for the Subject Device," he said.

Remote-wipe is different than the auto-wipe the government has cited in its arguments that only Apple can get into Farook's phone. The former may be used by iPhone owners to delete all content on a device that has been lost or stolen, through the Find My iPhone location service, which is part of iCloud. The latter is connected to the device via its passcode, and when enabled, erases all content if 10 incorrect passcode guesses are tried.

The government has implied it does not know whether the auto-wipe function was switched on by Farook. When a user engages iOS's passcode, auto-wipe is off by default.

Pluhar's affidavit was just the latest in a long series of DOJ filings that have urged the court to compel Apple to assist the FBI, all which have argued that only with the Cupertino, Calif. company's help can investigators retrieve the iPhone's data.

A hearing before a federal magistrate on Apple's objections will be held March 22.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.