Terrorist changed iCloud password, disabled auto-backups on his iPhone
In an affidavit submitted by the Federal Bureau of Investigation (FBI) last week, an agent spelled out the steps his team took to access the content on the iPhone 5C used by Syed Rizwan Farook, who with his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif. on Dec. 2, 2015. The two died in a shootout with police later that day.
The government has labeled the attack an act of terrorism, and has acquired a court order requiring Apple to help the FBI break the iPhone's passcode so that investigators can pull data from the device. Apple has contested the order.
The FBI's Christopher Pluhar, a supervisory special agent, said that Farook had changed his iCloud password several weeks before the attack, and with the device locked with a four-digit passcode, the FBI's forensics team was unable to get into the iPhone to extract its contents.
The mention of a four-digit passcode was important: If the FBI could circumvent the device's security safeguards, it would be able to "brute force" such a passcode in just hours.
The Department of Justice (DOJ) has demanded -- and a federal court has granted the request -- that Apple craft a special version of iOS that would disable the safeguards, then plant the code on Farook's iPhone. Apple has been asked to switch off the auto-destruct feature that wipes the phone after 10 incorrect passcode entries, remove the lengthening delays between each guess, and make it possible for the FBI to electronically bombard the iPhone with passcodes instead of having to manually enter them on the lock screen.
Pluhar added to the government's contention that it did not screw up by changing the password for Farook's employer-controlled iCloud account in an attempt to force the device to back up after the FBI found it in a vehicle used by Farook. By restoring the iCloud backup to other similar iPhones, the FBI acquired the contents of the last backup, which was dated Oct. 19, 2015.
But Farook had changed the iCloud password on Oct. 22 -- perhaps from the one assigned him by his employer, the San Bernardino County Department of Public Health, and the putative owner of the iCloud account -- just days after the last backup was successfully saved to Apple's servers. At the same time, he disabled the auto-backup feature of iOS 9, the DOJ claimed.
However, Pluhar had not said that, had, in fact, said nothing of auto-backup being switched off in his sworn statement.
According to the DOJ's brief, Apple's contention that if authorities had simply let the device reconnect to a known Wi-Fi network -- Farook's home network, for example -- and waited for a backup to initiate, was moot. The government cited the changed iCloud password, the disabling of auto-backup, and the fact that the phone was found powered off as reasons.
"A forced backup of Farook's iPhone was never going to be successful," the government claimed in its brief last week which rebutted Apple's objections to the court order.
The San Bernardino County Department of Public Health may not have had the iCloud password for the account Farook used, but it did have the ability to reset the password; it was that password reset that the FBI leveraged to access the Oct. 19 backup to iCloud.
But significant parts of the content on Farook's iPhone were not backed up to iCloud, said Pluhar. "Each of the restored exemplars [the target iPhones which were loaded with the Oct. 19 backup] includes restored settings, and those settings showed that, for example, iCloud back-ups for 'Mail,' 'Photos,' and 'Notes' were all turned off on the Subject Device," Pluhar said.
The FBI agent also contended that some data was available only on the iPhone, including the keyboard cache, a record of the recent keystrokes. "The keyboard cache, as one example, contains a list of recent keystrokes typed by the user on the touchscreen. From my training and my own experience, I know that data found in such areas can be critical to investigations," Pluhar swore.
Interestingly, Farook's iPhone had the remote-wipe feature of the "Find My iPhone" service disabled. "The remote-wipe function was not activated for the Subject Device," he said.
Remote-wipe is different than the auto-wipe the government has cited in its arguments that only Apple can get into Farook's phone. The former may be used by iPhone owners to delete all content on a device that has been lost or stolen, through the Find My iPhone location service, which is part of iCloud. The latter is connected to the device via its passcode, and when enabled, erases all content if 10 incorrect passcode guesses are tried.
The government has implied it does not know whether the auto-wipe function was switched on by Farook. When a user engages iOS's passcode, auto-wipe is off by default.
Pluhar's affidavit was just the latest in a long series of DOJ filings that have urged the court to compel Apple to assist the FBI, all which have argued that only with the Cupertino, Calif. company's help can investigators retrieve the iPhone's data.
A hearing before a federal magistrate on Apple's objections will be held March 22.