Apple's fight with the FBI could trigger a password arms race

Apple’s dispute with the FBI over providing access to a mass shooter’s smartphone could lead device makers to require stronger passwords in future.

Much of the debate around the issue has suggested that the FBI is asking Apple to break its encryption in order to gain access to the contents of a smartphone used by one of the perpetrators of the December shootings in San Bernardino.

But the case is as much about passwords as it is about encryption. The FBI wants Apple to override a mechanism on the iPhone that could erase the data on the device after 10 failed password attempts. Using a computer program, investigators can try out thousands of passwords until they hit on the one that works, in what’s known as a brute force attack.

If Apple is forced to comply, the agency would be able to crack a four-digit PIN in a matter of minutes, said Robert Graham, owner of security research firm Errata Security.

Regardless of how strong the underlying encryption is, the security protections are only as strong as the password. It’s a clever move by the FBI, which would gain access the phone without tackling the much more challenging task of breaking the encryption.

It’s also a situation Apple might have avoided, by requiring stronger passwords sooner. But users still have the option to use a four-digit passcode that contains only numbers.

A six-digit PIN implemented in iOS 9 could take the FBI about 22 hours to crack, Graham wrote in a blog post. But if phone makers required users to create stronger passwords of six letters, or a combination of numbers and letters, they could take more than 300 years to crack.

Apple is fighting the request because, like many other tech firms, it doesn’t want to be in the business of deciding whether to hand its users’ data over to law enforcement. If smartphone makers require users to implement stronger passwords in future, they will make the FBI’s current strategy much harder.

Leave a Reply

%d bloggers like this: