Yes, the feds can hack your iPhone. No, it isn’t easy.

February 18, 2016
Apple CEO Tim Cook speaks during an Apple event in San Francisco, California March 9, 2015.  REUTERS/Robert Galbraith (UNITED STATES  - Tags: SCIENCE TECHNOLOGY BUSINESS)

Apple Chief Executive Officer Tim Cook speaks during an Apple event in San Francisco, California, March 9, 2015. REUTERS/Robert Galbraith


The FBI wants Apple to give it the tools to break into the iPhone of the San Bernardino terrorist Syed Farook. In a brave display on the company home page, Apple Chief Executive Officer Tim Cook refused. He was right to say no. If the Feds really wanted to, they have the skills necessary to break into that phone. This fight isn’t about gathering information on a terrorist. It’s about setting a legal precedent.

That the FBI chose to push this issue with the San Bernardino case is telling. Few Americans, they are betting, care about Farook’s privacy. They must believe the public — and the courts — will support them here.

Cook said that Apple has helped the FBI during every step of its investigation. It has turned over all iPhone data that Farook backed up to the cloud. But the Feds want to access his phone and make sure they didn’t miss anything. To do this, they want Apple to build a backdoor into its own operating system.

Tashfeen Malik, (L), and Syed Farook are pictured passing through Chicago's O'Hare International Airport in this July 27, 2014 handout photo obtained by Reuters December 8, 2015.  U.S.-born Farook, 28, and his spouse, Malik, a native of Pakistan who lived in Saudi Arabia for more than 20 years, died in a shootout with police hours after a December 2, 2015 attack on a holiday party at the Inland Regional Center social services agency in San Bernardino, California about 60 miles (100 km) east of Los Angeles. REUTERS/US Customs and Border Protection/Handout via Reuters   THIS IMAGE HAS BEEN SUPPLIED BY A THIRD PARTY. IT IS DISTRIBUTED, EXACTLY AS RECEIVED BY REUTERS, AS A SERVICE TO CLIENTS. FOR EDITORIAL USE ONLY. NOT FOR SALE FOR MARKETING OR ADVERTISING CAMPAIGNS

Tashfeen Malik (L) and Syed Farook at Chicago’s O’Hare International Airport, July 27, 2014. REUTERS/U.S. Customs and Border Protection/Handout via Reuters

Apple’s iPhone, particularly the newer models, has sophisticated encryption technology, triggered by a PIN. Two specific security features make these smartphones particularly nasty to break into.

Cryptographic brute-force has long been one method of cracking any password. The hacker runs a program that spams every possible password combination at the encrypted device until it opens. Apple’s phones use either a four- or six-digit PIN. The four-digit PIN only allows for 9,999 different password combinations. The cracking program could run through those combinations in seconds.

The six-digit PIN allows for a million combinations, and is only available on iPhones running the iOS 9 operating system and above. Farook’s phone runs iOS 9. Still, a computer could run through all the possible combinations in less than a minute and break into the device — if it weren’t an iPhone.

Apple’s smartphones require users to enter passwords manually. That takes time. Worse for the would-be hacker is that the phone punishes you for failure. As any iPhone user who’s struggled to enter their PIN one-handed while, for example, walking along and chatting with a friend, knows, if you fail to enter your password too many times, the phone locks you out for a minute.

The phone is programmed so that the lock-out time increases after multiple failures. Six failed attempts pushes the lock-out time to five minutes. After the ninth failed attempt, users have to wait an hour before they can try again.

An iPhone 6 phone is seen on display at the Fifth Avenue Apple store on the first day of sales in Manhattan, New York September 19, 2014. Apple Inc's  latest phone lured throngs of gadget lovers, entrepreneurs and early adapters to its stores in New York, San Francisco and other cities around the world in the latest sign of strong initial demand for the new, larger generation of iPhones.  REUTERS/Adrees Latif (UNITED STATES - Tags: BUSINESS SCIENCE TECHNOLOGY TELECOMS)

An iPhone 6 phone on display at the Fifth Avenue Apple store on the first day of sales in Manhattan, New York, September 19, 2014. REUTERS/Adrees Latif

After the 10th failed attempt, the phone erases all its data. Meaning the cryptographic brute-force method just doesn’t work on iPhones, if you don’t manage to get lucky in the early going.

Data encryption has come a long way in the past five years. One reason is tech giants such as Apple and Google now issue over-the-air updates to patch security issues in real time. When a tech company finds a flaw in its software, it pushes out an update as soon as possible to plug the hole.

The FBI is now asking Apple to create a special operating system that can be sent to Farook’s phone either locally or by over-the-air delivery, and then used to bypass Apple’s time delay and system wipe. This would allow federal agents to guess at the password as many times as they want.

What the Feds have requested is possible with Farook’s older model iPhone 5C. On these phones, the operating system runs the security features and Apple could manipulate it through an update.

The FBI says it is asking for this new tool just to breach the phone of one terrorist. But both Apple and many security experts recognize that the specialized operating system could be used as a backdoor into any older model iPhone on the planet.

This backdoor would not work on newer iPhones, however. There, security features live on a separate computer within the phone, called the secure enclave. And the secure enclave is just that — secure. Manipulating the phone’s operating system will not help would-be crackers break in.

The use of a secure enclave is part of an advanced, smart design trend in encryption. It makes products so secure that even the manufacturer can’t bust into them. Yet some experts speculated that Apple may have left the iPhone’s enclave open for updates — and federal manipulation.

Washington, however, has other methods of extracting data from phones that don’t require passwords. The CIA, the National Security Agency and the FBI have been working on invasive and non-invasive methods of data extraction for more than a decade. Many security experts believe the intelligence agencies have devised unique solutions to problems just like the San Bernardino phone.

It’s possible, of course, for authorities to physically open the phone, pull out the computer chips and bombard them with lasers or radio frequencies to get at the information they need. But experts aren’t sure how much — if any — data would be lost in the process.

But this San Bernardino case isn’t about getting information off of a shooter’s phone. It’s about setting a legal precedent.

Cook and Apple are in a tricky position. One where Washington thinks that the American public will read the tech giant’s push-back as an endorsement of terrorism. Apple is betting the public and the courts are smarter than that.


We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see

So the same US government that would not manage the NSA data without sharing with the world, same government that allows IRS managers to illegally view and misuse private data of American citizens thinks we will allow them access to a device ” just this once”?

Posted by Whiteyjohnson | Report as abusive

It has been possible for many years to create a long alphanumeric passcode on iPhones and iPads. It is only the default that is limited to 4 or 6 digits.

Posted by zaph | Report as abusive

I agree, the Feds are just trying to get a backdoor to the iphones. Its not about her, its about snooping into our private lives. Good move Apple!

Posted by Sherrymac | Report as abusive

Of course there’s the obvious point that Apple has already managed to sell a number of these phones with the encryption capabilities being a strong selling feature.
This type of malarky is a well-worn tactic, but usually employed by our US Congress .. you know the drill, we’ve seen this before.

Posted by Laster | Report as abusive

I think that allowing the FBI or any agency or entity to access what has become private information should not be allowed. The root cause should be pursued and that is well known and identified. There has been to many hours spent going off on tangents. However, if I were the victim I would probably think differently, but then the world I live in would have been already shattered and I would want selfless revenge.

Posted by Tmsi-Research | Report as abusive