Apple’s dispute with the FBI over providing access to a mass shooter's smartphone could lead device makers to require stronger passcodes in the future.
Much of the debate around the issue has suggested that the FBI is asking Apple to break its encryption in order to gain access to the contents of a smartphone used by one of the perpetrators of the December shootings in San Bernardino.
But the case is as much about passcodes as it is about encryption. The FBI wants Apple to override a mechanism on the iPhone that can erase the data on the device after 10 failed passcode attempts. With that limit gone, investigators can use a program to try every possible passcode until one works, in what’s known as a brute-force attack.
If Apple is forced to comply, the agency would be able to crack a four-digit PIN in a matter of minutes, said Robert Graham, owner of security research firm Errata Security.
Regardless of how strong the underlying encryption is, the protection is only as strong as the passcode that unlocks it. It’s a clever move by the FBI, which would gain access to the phone without tackling the much more challenging task of breaking the encryption.
It’s also a situation Apple might have avoided, by requiring stronger passwords sooner. But users still have the option to use a four-digit passcode that contains only numbers.
A six-digit PIN, the default since iOS 9, could take the FBI about 22 hours to crack, Graham wrote in a blog post. But if phone makers required users to create stronger passcodes of six letters, or a combination of numbers and letters, they could take more than 300 years to crack.
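To make the arithmetic behind those estimates concrete, here is an added example (not code from the article, from Graham's post, or from Apple) that models the two things the case turns on: the wipe-after-10-failures limit and the size of the passcode space. The per-guess cost is an assumption derived from the article's own figure of 22 hours for a six-digit PIN (about 79 ms per guess); the passcode "7391", the class and function names, and the alphabets are constructed for the example. The `wipe_after=None` setting stands in for the modified firmware the FBI is asking for, with the erase mechanism disabled.

```python
import itertools
import string

# Assumption: derive the cost of one guess from the article's estimate that a
# six-digit PIN (10**6 possibilities) takes about 22 hours. Not an Apple figure.
SECONDS_PER_GUESS = 22 * 3600 / 10**6   # ~0.079 s per guess

DIGITS = string.digits                              # 4- or 6-digit PINs
LOWER = string.ascii_lowercase                      # six letters
ALNUM = string.ascii_letters + string.digits        # numbers and letters, mixed case


class Device:
    """Toy model of the iPhone passcode lock: optional wipe after N failed guesses.

    The real device also adds escalating delays between attempts; this model only
    captures the erase-after-10 behaviour the article describes.
    """

    def __init__(self, passcode, wipe_after=10):
        self._passcode = passcode
        self.wipe_after = wipe_after   # None models firmware with the wipe disabled
        self.failed = 0
        self.wiped = False

    def try_passcode(self, guess):
        if self.wiped:
            raise RuntimeError("device wiped: key material is gone, no further guesses")
        if guess == self._passcode:
            return True
        self.failed += 1
        if self.wipe_after is not None and self.failed >= self.wipe_after:
            self.wiped = True
        return False


def keyspace(length, alphabet):
    """Number of passcodes of the given length over the alphabet."""
    return len(alphabet) ** length


def worst_case_seconds(length, alphabet, seconds_per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode at the assumed per-guess cost."""
    return keyspace(length, alphabet) * seconds_per_guess


def brute_force(device, alphabet, length, seconds_per_guess=SECONDS_PER_GUESS):
    """Guess passcodes in lexicographic order until success or wipe.

    Returns the recovered passcode (or None), the number of guesses made, whether
    the device wiped itself, and the simulated elapsed time. Time is computed,
    not slept, so the model runs instantly.
    """
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        if device.wiped:
            break
        guess = "".join(combo)
        guesses += 1
        if device.try_passcode(guess):
            return {"found": guess, "guesses": guesses, "wiped": False,
                    "seconds": guesses * seconds_per_guess}
    return {"found": None, "guesses": guesses, "wiped": device.wiped,
            "seconds": guesses * seconds_per_guess}


if __name__ == "__main__":
    # With the wipe enabled, the attacker gets ten tries and then loses everything.
    print(brute_force(Device("7391"), DIGITS, 4))
    # With the wipe disabled, a four-digit PIN falls in minutes.
    print(brute_force(Device("7391", wipe_after=None), DIGITS, 4))
    # Worst-case times for the passcode policies the article compares.
    for label, length, alphabet in [("4 digits", 4, DIGITS), ("6 digits", 6, DIGITS),
                                    ("6 lowercase letters", 6, LOWER),
                                    ("6 mixed letters/digits", 6, ALNUM)]:
        days = worst_case_seconds(length, alphabet) / 86400
        print(f"{label:24s} keyspace={keyspace(length, alphabet):>15,}  worst case ~{days:,.1f} days")
```

The model shows why the wipe, not the cipher, is the barrier: with `wipe_after=10` the search ends after ten guesses with the data gone, while with the wipe disabled a four-digit PIN is exhausted in well under an hour. Every time estimate here scales linearly with the assumed per-guess cost and exponentially with alphabet size and length, so changing either assumption moves the result by orders of magnitude.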
Apple is fighting the request because, like many other tech firms, it doesn’t want to be in the business of deciding whether to hand its users’ data over to law enforcement. If smartphone makers require users to set stronger passcodes in the future, they will make the FBI’s current strategy much harder.
The FBI's request for Apple to help break the password protection on the iPhone 5C in question is "relatively straightforward," said Amit Sethi, senior principal consultant for Cigital, a security-as-a-service vendor.
The 5C lacks the Secure Enclave, the chip-based protection included with newer models, which makes its passcode security easier to defeat, Sethi said by email.
"In this case, Apple can probably create a modified version of iOS that will only run on that particular device that will allow law enforcement to brute force the PIN/password used to protect the device," he said. "Even if that version of iOS gets in the wrong hands, it should not be usable on any other devices."