Who Changed the San Bernardino Shooter’s iCloud Password?

Government agencies and Apple are pointing fingers over who is responsible for shutting iCloud data out of the San Bernardino investigation.
February 20, 2016, 8:00pm

Parties in the San Bernardino case are arguing over who is responsible for changing the iCloud password associated with a phone used by one of the shooters. Apple and San Bernardino County officials blame the FBI, but the FBI blames the San Bernardino County Department of Public Health—and the outcome of all the finger-pointing is crucial to Apple's case.

The iCloud password debate comes on the heels of a legal battle over another password associated with the phone—its lockscreen pincode. Apple has promised to fight a court order that asks the company to develop a new version of its iOS software that would enable the FBI to crack the phone's pincode. But the iCloud account used by San Bernardino shooter Syed Farook is also crucial to the government's investigation of the attack, and could become part of Apple's argument against creating new software.

In court documents, the FBI explained that it had access to iCloud backups of the phone up until October 19, 2015. Investigators have yet to obtain data from the last month and a half before the December 5 shooting. In a Friday court filing, the government claimed that it could not obtain the missing data because the iCloud password had been reset by the Health Department, which owned the phone and loaned it to Farook while he was an employee.

"Neither the owner nor the government knew the password to the iCloud account, and the owner, in an attempt to gain access to some information in the hours after the attack, was able to reset the password remotely, but that had the effect of eliminating the possibility of an auto-backup," the government wrote in its motion to compel.

In a conference call with journalists on Friday, Apple pounced on this admission. According to a BuzzFeed account of the call, Apple executives suggested that the creation of new iOS software would not be necessary had the iCloud password not been reset.

Predictably, the Health Department does not seem happy to be blamed for hindering the investigation into the murder of its own employees. A Twitter account for the county shuffled the blame back to the FBI on Friday, writing "The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request." Update: The county confirmed the tweet in an email to Motherboard.

The disagreement may seem inconsequential, but determining responsibility for the iCloud password reset could be a crucial component of the case.

"One of the factors that the court is going to analyze under the All Writs Act is whether there were alternative means for getting the information," EFF staff attorney Nate Cardozo told Motherboard. "The answer is probably yes. We don't know and have no way of knowing if auto-backups were turned off."

If the government had the opportunity to obtain a backup of the phone but blew it by resetting the iCloud password, the court may not force Apple to create a custom version of iOS for the FBI. Apple has opposed the court's order on the grounds that making these changes to iOS would affect all iPhone users. The FBI says the software would only be implemented on the work phone used by Farook, but Apple suggests that it could be used on all iPhones, creating a massive security problem for the company.

iOS offers two security features that keep iPhones from being unlocked by anyone except their owners — if a user enters the wrong pincode into the lock screen, there is a time delay that prevents the user from trying another guess immediately, and, if a user makes 10 incorrect guesses, the phone deletes its encryption key, locking it forever. The FBI is seeking changes to both features, so that it could make an unlimited number of pincode guesses without the hindrance of a time delay between attempts.

If the FBI had access to all the iCloud backups from Farook's phone, Apple may not have been asked to help break into the physical device itself. But an iCloud backup for the crucial timeframe surrounding the shooting was not made—and that's where the pincode and Apple come in.

Whether the Health Department is solely responsible for resetting the password or if it did so at the direction of the FBI, "The government certainly closed that door," Cardozo added. "There was a potential other avenue for getting the information off the device, which the government eliminated through an intentional act."

If the court agrees, it may not force Apple to create new software.