UPDATED: Someone Seriously Dropped the Ball During the San Bernardino Shooting Investigation
As if it is not embarrassing enough that the feds are begging (in the form of a court order) Apple to help them create a backdoor to access the accused San Bernardino shooter’s cell phone, we are now learning that a California county official remotely reset the password on the iCloud account tied to the phone after federal authorities had taken possession of the device. [see below for UPDATE on this story, FBI now saying county worker was working under the direction of federal authorities] Regardless, Apple said the password reset meant that it could no longer recover the phone’s data by way of a fresh iCloud backup. In addition, the company contends that if authorities had taken the iPhone to a Wi-Fi network it already recognized, the phone would have automatically backed up to iCloud.
This unfortunate and shocking revelation seems to indicate the ball was dropped in the first few critical days of this investigation. The apparent password reset resulted in a big setback for the FBI, which has now been struggling for more than two months to gain access to the device’s contents. Most importantly, it raises questions about the FBI’s protocols and response in the immediate aftermath of the December 2015 terrorist attack at the Inland Regional Center in San Bernardino, California.
“This is a huge issue. From a forensic analysis standpoint, when there is a security incident like this, time is of the essence in order to secure the focal pieces of evidence,” Tony UcedaVelez, the CEO of VerSprite Security, a technology consulting firm, told LawNewz.com.
“Somebody messed up for sure. Somebody should have known that this could have been a possibility — that someone could try to change the password for the iPhone,” he continued.
A new DOJ court filing states, according to ABC News, “the owner [San Bernardino County Department of Public Health], in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup.”
The network reports “federal investigators only found out about the reset after it had occurred and that the county employee acted on his own, not on the orders of federal authorities.”
“I expect this was an attempt to keep a potential accomplice from logging in and deleting the cloud data. This could have been accomplished differently, and I expect Apple would have been able to set the password back to the original one if they were asked to do so within a short enough period of time. Apple would have been able to get the original ‘hashed’ password from their backups,” cyber security expert Clifford Neuman told LawNewz.com. Neuman is the director of the University of Southern California’s Center for Computer Systems Security.
“It seems illogical and it seems to be a mess up on behalf of the investigators — that’s not good forensic handling,” UcedaVelez said.
Syed Farook and his wife, Tashfeen Malik, are accused of carrying out a deadly attack that killed 14 county workers during a holiday party.
Now, the DOJ is asking Apple to help it create a program so investigators can access Farook’s cell phone. The Justice Department wants to essentially force the technology company to write software that would let investigators try millions of passcode combinations, one after another, until the right one is found. Right now, the current iPhone operating system (with the optional Erase Data setting turned on) automatically wipes the device after 10 failed passcode attempts, so a brute-force approach is not possible without Apple first removing that protection. The DOJ is relying on the All Writs Act of 1789 as the legal justification for its demand.
[h/t and image via ABC News]
UPDATE 10 am 2/21/2016
The FBI released this statement (below). However, it still does not acknowledge that the password reset set back the federal investigation (something most cyber experts say it did). Apple contends the reset limited its ability to access data on the phone:
“Recent media reports have suggested that technicians in the county of San Bernardino independently conducted analysis and took steps to reset the iCloud account password associated with the iPhone 5C that was recovered during a federal search following the attack in San Bernardino that killed 14 people and wounded 22 others on December 2, 2015. This is not true. FBI investigators worked cooperatively with the county of San Bernardino in order to exploit crucial data contained in the iCloud account associated with a county-issued iPhone that was assigned to the suspected terror suspect, Syed Rizwan Farook.
Since the iPhone 5C was locked when investigators seized it during the lawful search on December 3rd, a logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack. The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data. The reset of the iCloud account password does not impact Apple’s ability to assist with the court order under the All Writs Act.
The last iCloud data backup of the iPhone 5C was 10/19 and, based on other evidence, investigators know that Syed Rizwan Farook had been using the phone after 10/19. It is unknown whether an additional iCloud backup of the phone after that date — if one had been technically possible — would have yielded any data.
Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone. As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.”