Google's latest Android encryption and security features are as tough as Apple's, and Google would be in the same predicament

Feb 23, 2016 15:03 GMT

As it stands today, the San Bernardino shooter's iPhone is about to become one of the most infamous devices in the history of tech, and certainly the most controversial.

By now, almost all of you are familiar with the fact that Apple has decided to fight a US court order demanding that it help authorities decrypt the shooter's iPhone.

The court order was issued after authorities screwed up and reset the shooter's Apple ID account password. Without that reset, they could have retrieved the phone's password without Apple's help, by extracting it from an iCloud backup.

Many people have come out and said that Apple would have broken the shooter's passcode if authorities had provided a simple warrant, since Apple has done it before.

But haven't you wondered how Google would have reacted if the shooter had been using Android? Let's explore a few scenarios. Actually, let's explore a few US legal procedures, as extracted from a report published by the Manhattan District Attorney's Office.

This report was put out last November, around two weeks before the San Bernardino shooting, and was an attempt to start an open discussion about the need for encryption backdoors and government-held encryption keys.

Ironically, the report included a step-by-step description of all the legal procedures law enforcement goes through when contacting Apple and Google for assistance in unlocking devices that are the subject of a crime and whose owners are uncooperative (or dead, in the San Bernardino case).

Procedures for unlocking iOS devices

We're going to be quoting a lot from the Manhattan District Attorney's Office "On Smartphone Encryption and Public Safety" report, but don't worry, the wording is in layman's terms, not legal mumbo-jumbo. This is what US law enforcement investigators are supposed to do with regard to Apple devices.

"For the iPhone 4, earlier versions of iPhones, and certain other Apple devices, forensic analysts can attempt to ascertain the device’s pass code by using “brute force,” i.e., by systematically trying combinations of passcodes (e.g., “1, 1, 1, 1,” “1,1,1,2,” “1,1,1,3,” . . .) until the correct one is found. The process may be time-consuming and, for the reasons discussed below, can be used effectively on only certain Apple devices."

Syed Rizwan Farook owned an iPhone 5C running iOS 9, meaning the above procedures don't apply, but they are still something to keep in mind.

"With respect to the iPhone 4s and later models of iPhones and other Apple devices running iOS versions through iOS 7, “brute force” attempts may result in the contents of the device becoming permanently inaccessible once the maximum number of passcode attempts is reached," the report also adds.

"For these devices, law enforcement requires the assistance of Apple to obtain the devices’ contents safely.  The prosecutor or investigator obtains a search warrant and an order (often referred to as an “unlock order”) instructing Apple to assist with extracting data from the device."

"The prosecutor or investigator then sends Apple a copy of the warrant, the unlock order, the device, and a blank external hard drive. Apple uses a proprietary method to extract data from the device, and sends a copy of the data to law enforcement on the external hard drive," the Manhattan District Attorney's Office explains.

"For Apple devices running iOS 8, Apple can no longer comply with unlock orders. iOS 8 prevents Apple from accessing data on the device unless Apple has the user’s passcode. But, Apple does not keep users’ passcodes."

The FBI knew it couldn't crack the shooter's phone, since it was running iOS 9, where full-disk encryption is turned on by default and too many failed password attempts would have compromised the data. The court order was issued to force Apple to assist in the decryption process using new methods never used before. That's why the court order was used to begin with.

Tim Cook, Apple's CEO, has admitted that this could technically be possible, but he's not willing to follow through because this would set a legal precedent, and would effectively ruin iOS' bulletproof encryption myth for good (which many argue he did when admitting it was possible to do in the first place).

Procedures for unlocking Android devices

But now let's explore an alternative universe scenario in which the shooter used an Android. Let's see which Android versions would have forced the FBI to issue a similar court order against Google.

According to the Manhattan District Attorney's Office report, here's how authorities work with Google.

"There are a larger variety of Android devices than Apple devices. Forensic examiners are able to bypass passcodes on some of those devices using a variety of forensic techniques.  For some other types of Android devices, Google can reset the passcodes when served with search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device."

Did you notice the word "remotely"? Interesting concept, right? But let's go on with the Android procedures.

"For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default full-disk encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction."

The state of full-disk encryption on Google devices is quite simple. Most Google-issued Nexus devices that run Android Lollipop 5.0 use full-disk encryption by default. According to Google's Marshmallow 6.0 OEM implementation guidelines, all devices, not necessarily Nexus, must have this feature turned on by default. This also means Samsung, LG, and the rest.

Full-disk encryption uses 128-bit AES keys that are stored on the device and not sent to Google-controlled servers. Some of today's strongest crypto-ransomware uses this same type of encryption.

As Seagate explained a few years back, breaking a 128-bit AES key is nearly impossible. Seagate says that if we took all 7 billion people on Earth, gave them ten computers that could each check 1 billion key combinations per second, and needed to check only 50% of all possible encryption keys, it would still take 77,000,000,000,000,000,000,000,000 years to break one device. Keep in mind that some Android devices can optionally use a 256-bit key if users so desire.

In both scenarios the device could be cracked, even if their companies would like to avoid it

To get around the encryption, some Android experts have suggested going directly to the device's manufacturer. These workarounds exist, even if not yet tested on Android 6.0. But theoretically, it could be done in Google's case just as Mr. Cook admitted it can be done in Apple's case.

The conclusion is that if the shooter had decided to use any Android device (not necessarily a Nexus) running the latest Marshmallow 6.0 OS instead of his iPhone 5C with iOS 9, then Google would be in the same predicament Apple is in right now, facing a court order to break its own encryption system.

Apple has admitted that it can help the FBI, and there are some signs that the same can be done for Android's encryption, if Google decided to cooperate.