The U.S. government has revealed that the terrorist at the center of the Apple-FBI controversy changed his iCloud password weeks before the attack.
Syed Rizwan Farook killed 14 people in San Bernardino, California on December 2 2015, along with his wife Tafsheen Malik. The unlocking of his iPhone has been at the center of a heated conflict between Apple and the FBI.
Apple-FBI conflict rumbles on
The FBI has now revealed how an agent tried to access information held on the iPhone 5C used by Farook. According to the government the attack was an act of terrorism, and a court order requires Apple to unlock the phone. Apple has so far refused to help.
According to FBI supervisory special agent Christopher Pluhar, Farook changed his iCloud password a few weeks before carrying out the attack. The iPhone 5C is locked with a passcode, so the agency cannot access the information.
The Department of Justice has asked Apple to write a special version of iOS that would disable the security safeguards, before planting it on the phone. Apple has also been asked to disable the feature that will automatically wipe the phone if 10 incorrect passcodes are entered, and allow the FBI to enter passcodes electronically rather than manually.
Farook changed iCloud password
Pluhar claims that it was not a mistake to change the password to Farook’s iCloud account. The FBI tried to make the iPHone backup after they found it in Farook’s vehicle. The FBI managed to retrieve a backup that was dated October 19 2015 by restoring the backup to other phones.
However Farook changed his password on October 22, and also disabled the auto-backup feature.
Apple says that if they had waited for the phone to connect to a known WiFi network, such as the one at Farook’s home, the backup would have initiated automatically. However the government said that the changed iCloud password, the fact that auto-backup was disabled, and the fact that it was found with zero battery as reasons why it had to act.
“A forced backup of Farook’s iPhone was never going to be successful,” the government claimed in its brief last week which rebutted Apple’s objections to the court order.
Next court hearing scheduled for March 22
Farook worked for the the San Bernardino County Department of Public Health, which may not have had the iCloud password for his account. However it was able to reset the password as the de-facto owner of the account, but significant amounts of information were missing.
“Each of the restored exemplars [the target iPhones which were loaded with the Oct. 19 backup] includes restored settings, and those settings showed that, for example, iCloud back-ups for ‘Mail,’ ‘Photos,’ and ‘Notes’ were all turned off on the Subject Device,” Pluhar said.
Pluhar claims that some data, including the keyboard cache, is only available on the handset. “The keyboard cache, as one example, contains a list of recent keystrokes typed by the user on the touchscreen. From my training and my own experience, I know that data found in such areas can be critical to investigations,” Pluhar swore.
The remote-wipe feature of the “Find My iPhone” service was disabled. The service means that the owner can wipe the device if it is lost or stolen. The auto-wipe service is different, and means that the device is wiped if 10 incorrect passcodes are entered.
Government investigators do not know if auto-wipe was enabled on Farook’s phone. On March 22 the case goes back to court, where a federal magistrate will hear Apple’s objections.