The FBI has shed more light on its involvement in what is shaping up to be the most controversial piece of evidence in the investigation of San Bernardino terror suspect Syed Rizwan Farook: his iCloud account password.
Hours after Farook’s iPhone was recovered by law enforcement, the password to his iCloud account was reset. The reset was an attempt to gain access to his account. It also likely prevented the iPhone from doing an auto-backup, which could have yielded useful information about Farook’s activity leading up to the shooting that killed 14 people and wounded 22 others.
That kicked off a round of finger pointing from Apple executives, the FBI, and San Bernardino County officials over who reset the iCloud password. In a statement issued in the wee hours of Sunday morning (you can read it below), the FBI confirmed it was working with San Bernardino County officials when the password was reset.
Apple executives said Friday that if the FBI hadn’t changed the iCloud password, it wouldn’t need to create a back door to the iPhone.
It sounds like the FBI screwed this whole process up.
Got all that? It’s a complicated situation.
In case you need catching up, here’s a breakdown of what’s happened so far:
- Last week the FBI asked Apple to create a back door for hacking the state-owned iPhone that belonged to Farook, a government worker.
- Apple CEO Tim Cook responded with a blistering letter denying the request. His argument was that creating the kind of back door the FBI wanted would create a “master key” others could use to hack into iPhones.
- The FBI responded with a motion from the Department of Justice on Friday compelling Apple to help anyway. In the motion, the FBI revealed that San Bernardino county officials had attempted to access the backups of Farook’s iCloud account by resetting his password hours after the phone was recovered.
- Apple held a call with reporters Friday afternoon and revealed that resetting the iCloud password effectively locked the iPhone maker out of accessing its backups. If the county didn’t reset the password, Apple would have likely been able to access the backup contents as it has done in past investigations without creating a back door to break the iPhone’s encryption.
- Late Friday night, San Bernardino county revealed that it had been acting at the FBI’s request to reset the iCloud password, which went against the FBI’s motion that was filed earlier that day and blamed a county official for the reset.
You can read the FBI’s full statement, which affirms that it was indeed working with San Bernardino county to reset the password, below:
STATEMENT TO ADDRESS MISLEADING REPORTS THAT THE COUNTY OF SAN BERNARDINO RESET TERROR SUSPECT’S IPHONE WITHOUT CONSENT OF THE FBI
Recent media reports have suggested that technicians in the county of San Bernardino independently conducted analysis and took steps to reset the iCloud account password associated with the iPhone 5C that was recovered during a federal search following the attack in San Bernardino that killed 14 people and wounded 22 others on December 2, 2015. This is not true. FBI investigators worked cooperatively with the county of San Bernardino in order to exploit crucial data contained in the iCloud account associated with a county-issued iPhone that was assigned to the suspected terror suspect, Syed Rizwan Farook.
Since the iPhone 5C was locked when investigators seized it during the lawful search on December 3rd, a logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack. The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data. The reset of the iCloud account password does not impact Apple’s ability to assist with the the court order under the All Writs Act.
The last iCloud data backup of the iPhone 5C was 10/19 and, based on other evidence, investigators know that Syed Rizwan Farook had been using the phone after 10/19. It is unknown whether an additional iCloud backup of the phone after that date — if one had been technically possible — would have yielded any data.
Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone. As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.