Does Apple Have the Ability to Help FBI Unlock the Encrypted iPhone?
January 6th 2020, SAN FRANCISCO — Apple declined the request of helping the FBI decrypt two iPhones that investigators believe were owned by Mohammed Saeed Alshamrani, the man who is thought to have carried out the shooting attack that killed three people (Burke and Williams 2019) in December 2019 at Naval Air Station Pensacola, Florida (Williams 2020). Same as the reaction to a similar case happened in 2016 (Zetter 2016), Apple remains committed to its promise on protecting user privacy and cyber-security by claiming:
Creating a backdoor for the government also creates one for hackers and bad actors. It makes all iPhones less safe, full stop (Newman 2020).
This is the latest episode of the long-standing encryption debate between Apple and the FBI.
While there have been plenty of discussions focused on the conflict between individual privacy and public security, this article is more interested in another question: Does Apple have the ability to help the FBI unlock an encrypted iPhone?
It may sound incredible in the first place — The manufacturer, of course, can unlock its own devices! — But technically, that is simply not the truth. To understand the whole story, we need to introduce some basic knowledge about modern encryption.
Influenced by Hollywood, the public tends to believe that: 1. IT companies could hack their own products easily; 2. No encryption is unbreakable. Well, theoretically, both statements could be wrong.
As can be seen from Diagram-1, although the mathematics behind a modern encryption system may be extremely complicated, its basic idea could be actually quite simple:
Firstly, we all know from a computer perspective, all information, no matter documents, music or movies, can be represented as a string of digits composed by 0 and 1. At this stage, these numbers are called Plain Data.
Secondly, via some magic mathematical formulas, the Plain Data could be converted into a string of different numbers. The new numbers, we call them Encrypted Data. The process of converting Plain Data to Encrypted Data is called encryption.
Thirdly, there are two ways to convert any Encrypted Data back to Plain Data: 1. With a key such as a password or digital certificate; 2. By exhausting all possibilities (brute-force attack). An efficacious algorithm should ensure that the computation required by a brute-force attack will be extraordinarily larger than with a valid key. (Of course, there are more tricky and smarter methods existing, however, let’s just simplify the situation here.)
The security of an encryption algorithm stands on if the following statements are all true:
1. The computation of encryption can be accomplished in a reasonable time.
2. With a valid key, the computation of decryption is relatively small and can be accomplished quickly.
3. The computation of a brute-force attack will be extremely enormous and will consume an unacceptable amount of time.
Here, the ‘unacceptable amount of time’ could be 10 years, 100 years or even 1,000 years by top-level supercomputers.
So, if we need to secure some important data, by using some encryption algorithms, we could encrypt it within 5 seconds on my computer. Then when we want to use it, we could decrypt it with a valid key in 3 seconds. Meanwhile, someone was trying to hack it by a brute-force attack. By using a top-level supercomputer, it would still take 100 years to exhaust all possibilities. Then we can say our data is safe.
Do not doubt it: such encryption algorithms do exist and were published a long time ago that everybody can read them. If you do interested in understanding them in deep, you may read the book: Understanding Cryptography: A Textbook for Students and Practitioners (Paar and Pelzl 2009). That is out of the scope of this article.
Here is a highly simplified spurious example, just for demonstrating the basic idea of encryption and decryption algorithms:
Let’s say our plain data is 1 and our key is 100 and each calculation costs 1 second. Our algorithm is:
encrypted_data = plain_data x key -> encrypted_data = 100 (costs 1 second)If we are going to decrypt it with a valid key, then the calculation will be:
plain_data = encrypted_data / key -> plain_data = 1 (costs 1 second)But when someone wants to hack it without a key, then the encrypted data could be calculated from the combination of:
1 x 100 / 2 x 50 / 4 x 25 / 5 x 20 / 10 x 10 -> costs 5 secondsSo even based on such a simple algorithm, 1 second encryption leads to 5 seconds to be cracked. If we use a larger number as our key, the cracking time required could be increased exponentially.
In real world, encryption/decryption algorithms can be extremely complicated designed by some top-level mathematicians. These cryptography methods if implemented properly are simply unbreakable.
Now as you know how encryption works, another question may appear in your mind: If these security systems are so safe, why we still constantly read news about hackers and security issues around all these giant technology companies? Well, that leads to the keywords: ‘if implemented properly’…
In reality, there are three possibilities leading to security breaches:
1. Algorithm flaws
2. Implementation bugs
3. Back-doors
Algorithm flaws mean an algorithm could be proven to be wrong mathematically. Because nowadays all major algorithms are published and tested by top-level mathematicians world-widely. It is highly unlikely that a modern mainstream cryptography algorithm itself can be proven as flawed. If someone did identify such a flaw, well, it could be a rare remarkable academic achievement which was hard to be seen in decades.
Implementation bugs are the most common reason that an IT system can be hacked. It means when implementing some algorithm, the programmer made some mistakes. It is inevitable that people will make mistakes. Modern IT systems could be composed of millions of lines of code. If one programmer tends to make one mistake per 1,000 lines code, it usually means that there will be thousands of bugs in that system. Actually, such bugs are so common that every IT company including famous ones such as Microsoft, Google or Apple, is constantly pushing bug-fixes to your computer every day.
The back-door issue is completely at another level: It means that by design and on purpose, an IT system is preset with some mechanism which allows someone to operate (decrypt) your data without your awareness.
In most situations, the possibility of security issues caused by algorithm flaws could be ruled out. Then practically, security vulnerabilities are most likely to be caused by either implementation bugs or back-doors.
Back to the case of Apple vs. the FBI, when the FBI asked Apple to unlock an iPhone, technically what options does Apple really have?
Option one: Apple could unlock the phone by using some implementation bugs existing in their system. But this would lead to another question: If Apple admitted they had known the existence of such bug already, why they would not have it fixed in the first place?
Yes, every system has bugs. But there are some bugs existing in a system that its developer does not know is one thing. The developer does not fix some serious security problems on purpose would be a completely another thing. No company dares to admit something like that.
However, there does exist some organizations who can help their clients to hack an IT system by making use of some implementation bugs. Actually, in the case happened in 2016 (Zetter 2016), after had been refused by Apple, the FBI unlocked the phone successfully by hiring a 3rd-party company. This can work because usually there will be some delay between identifying a bug and having the bug fixed by the developer. If a hacker knows a bug, he or she could make use of it until the bug is fixed. However, because of conflict of interests, Apple could not be the developer and the 3rd-party in the same time (which is exactly the FBI asked Apple to be). If Apple knew some bug, they should fix it as soon as possible instead of using it to hack their own products.
Option two: Helps the FBI by using some preset back-door, if such a back-door existed. If Apple does not have such a back-door, then they could not help anyway. Even such a back-door did exist, by using it which means admitting the existence of the back-door publicly, would damage Apple’s reputation seriously. I do not think Apple will see this as an option.
Overall, as you can see from above analysis, although Mr. Cook said Apple is technically capable to hack their own devices in a public letter published in 2016 (Cook 2016), in practice, no matter Apple is willing or not, the company is impossible to help decrypt their own devices for anybody without ruining its brand.
Because of the challenge and complexity of explaining these technical details to the public, the legislators and even the US president Mr. Trump himself (Trump 2020), Apple is facing increasing pressure to cooperate with the law-executor. Such cooperation if were enforced by law, will damage individual freedom fundamentally. The public should understand and accept that encryption is a technology to protect data, no matter good data or bad data. It is impossible to invent an encryption method that it would be invulnerable when protecting good data meanwhile can be magically become vulnerable when protecting bad data.
Because all major technology companies are depending on encryption systems to protect themselves and their customers and more importantly they all understand the nature of this issue, Apple is not alone in this debate. Other giant players including Amazon, Google and Facebook are all standing with Apple and support its decision (Brewster 2016).
In the end, does Apple have the ability to help the FBI unlock the encrypted iPhone? I do not think so. Apple is impossible to do so without admitting either the existence of a back-door or some software bugs in their system. All these possibilities lead to some unacceptable consequences. The FBI is asking something Apple is incapable to do.
References
- Linforth, Pete. 2018. “Image on Pixabay — Cyber Security, Protection.” Photo Library. Pixabay. May 14, 2018. https://pixabay.com/illustrations/cyber-security-protection-technology-3400657/.
- Williams, Pete. 2020. “FBI Seeks Apple’s Help Unlocking Phones of Suspected Pensacola Gunman.” News Agency. NBC News. January 7, 2020. https://www.nbcnews.com/news/us-news/fbi-seeks-apple-s-help-unlocking-phones-suspected-pensacola-naval-n1111636.
- Burke, Minyvonne, and Pete Williams. 2019. “Saudi Air Force Member Who Killed 3 at U.S. Navy Base Had Watched Mass-Shooting Videos.” News Agency. NBC News. December 8, 2019. https://www.nbcnews.com/news/us-news/saudi-air-force-member-who-killed-3-u-s-navy-n1097641.
- Newman, Lily. 2020. “This Apple-FBI Fight Is Different From the Last One.” Wired, January 16, 2020. https://www.wired.com/story/apple-fbi-iphone-encryption-pensacola/.
- Zetter, Kim. 2016. “Apple’s FBI Battle Is Complicated. Here’s What’s Really Going On.” Wired, February 18, 2016. https://www.wired.com/2016/02/apples-fbi-battle-is-complicated-heres-whats-really-going-on/.
- “Document Icons — Icons8.” n.d. Free Design Resources. Icons8. Accessed February 13, 2020. https://icons8.com/icons/set/document. [Document icon](https://icons8.com/icons/set/document) icon by [Icons8](https://icons8.com).
- Freepik. n.d. “Launch Free Vector Icons Designed by Freepik.” Free Design Resources. Flaticon. Accessed February 13, 2020. https://www.flaticon.com/search?word=rocket. Icons made by [Freepik](https://www.flaticon.com/authors/freepik “Freepik”) from [www.flaticon.com](https://www.flaticon.com/ “Flaticon”).
- “Music Icons — Icons8.” n.d. Free Design Resources. Icons8. Accessed February 13, 2020. https://icons8.com/icons/set/audio. [Music icon](https://icons8.com/icons/set/music) icon by [Icons8](https://icons8.com).
- “Key Icons — Icons8.” n.d. Free Design Resources. Icons8. Accessed February 15, 2020. https://icons8.com. [Key icon](https://icons8.com/icons/set/key--v1) icon by [Icons8](https://icons8.com).
- Freepik. n.d. “Snail Free Vector Icons Designed by Freepik.” Free Design Resources. Flaticon. Accessed February 13, 2020. https://www.flaticon.com/search?word=slow. Icons made by [Freepik](https://www.flaticon.com/authors/freepik “Freepik”) from [www.flaticon.com](https://www.flaticon.com/ “Flaticon”).
- Freepik. n.d. “Video Free Vector Icons Designed by Freepik.” Free Design Resources. Flaticon. Accessed February 13, 2020. https://www.flaticon.com/free-icons/video. Icons made by [Freepik](https://www.flaticon.com/authors/freepik “Freepik”) from [www.flaticon.com](https://www.flaticon.com/ “Flaticon”).
- Paar, Christof, and Jan Pelzl. 2009. Understanding Cryptography: A Textbook for Students and Practitioners. Springer Science & Business Media.
- Cook, Tim. 2016. “A Message to Our Customers.” Corporation Website. Apple. February 16, 2016. http://www.apple.com/customer-letter/.
- Trump, Donald. 2020. “The Tweet from US President Mr Donald J. Trump on Apple Rejecting FBI.” Social Media. Twitter. January 15, 2020. https://twitter.com/realdonaldtrump/status/1217228960964038658.
- Brewster, Thomas. 2016. “Amazon, Google, Facebook On Apple Battle: FBI Wants Us All To Hack Our Own Products.” News Agency. Forbes. March 3, 2016. https://www.forbes.com/sites/thomasbrewster/2016/03/03/apple-amicus-brief-fbi-security-fear/.
