Random Thoughts – Randocity!

Apple and Law Enforcement

Posted in Apple, botch, business, california by commorancy on January 14, 2020

Apple always seems to refuse law enforcement requests to unlock devices. Let’s understand why this is bad for Apple… and for Silicon Valley as a whole, and let’s see how it can be resolved.

Stubbornness

While Apple and other “Silicon Valley” companies may be stubborn about refusing to reduce the encryption strength on phones, reducing encryption strength isn’t strictly necessary for law enforcement to get what they need out of a phone. In fact, it makes no sense to weaken encryption across all phones simply so law enforcement can gain access to a small number of devices in a small set of criminal cases.

That’s like using a sledgehammer to shell a pea. Sure, it works, but not very well. Worse, the outcome of these legal cases might not even turn on what’s found on the device. Making every phone vulnerable to potentially worse crimes, such as identity theft and theft of money, in order to prosecute a smaller number of crimes whose outcome may not depend on unlocking a phone doesn’t make sense.

There Are Solutions

Apple (and other phone manufacturers) should be required to partner with law enforcement to build a one-use unlocking system for law enforcement use. Federal law could even make it an offense for any non-law-enforcement person to attempt to access the law enforcement mode of a phone, though policing that might be somewhat difficult. Such a one-use system should be relatively easy to build and implement. It would be relatively easy to use (with the correct information) and equally difficult to defeat (without the correct information).

Here is how the unlocking system would work. Apple (or any phone vendor) would be required to build both a law enforcement support web site and a law enforcement mode on the phone, for law enforcement use only. The LE support server is naturally protected by authentication. A verified law enforcement agent logs into Apple’s LE system and enters key information from and about a specific device, along with their own Apple-issued law enforcement ID number. Apple could even require officers to have an iPhone of their own and verify their identity with Face ID before being granted access.

The device information from an evidence phone may include the iPhone’s IMEI (printed on the SIM tray on many models), ICCID (if available), SEID (the Secure Element ID, if available), serial number, phone number (if available) and, finally, a valid federally issued warrant number. Apple’s validation system would then query a federal system to validate the warrant number. Once the warrant is validated and the supplied identifiers all match Apple’s records for that specific device (along with the Apple-issued law enforcement ID), Apple issues a one-time unlocking code to the agent. The code can then be used once to unlock the device in Law Enforcement Mode (LEM).

To unlock an evidence device, the agent boots the phone into LEM (which Apple would need to build) and manually enters the Apple-generated code into the phone’s interface along with their law enforcement ID. The law enforcement mode then allows setup of and connection to a local WiFi network (if no data network is available), but only after a valid code has been entered. The code is verified (against Apple’s servers when a network is available, otherwise on the phone itself, as described under “How to use the code”) and the phone is temporarily unlocked. Valid entry of a law enforcement code unlocks the device for a period of 24 hours for law enforcement use. There is no “lock out” for entering a wrong code while the phone is in law enforcement mode: the codes are far too long and random for trial-and-error guessing to succeed. The phone can, however, reboot out of LEM after a number of wrong attempts.

This one-use code unlocks the device one time only, and only for a period of 24 hours. The phone accepts that specific code once and never accepts it again. If law enforcement needs to unlock the phone again, they must go through the same process and have Apple generate a new code from the same input data, which is again valid for only 24 hours.

A successfully used LE code suspends all screen lock security for a period of 24 hours. This means that the only action needed to get into the phone for up to 24 hours (even after it has been powered off and back on) is pressing the home button or swiping up. No Touch ID or Face ID is needed while the phone is unlocked during this 24-hour period. This allows the phone to be used by multiple people for gathering evidence, downloading information or whatever else law enforcement needs. This mode also suspends the security around connecting to and trusting iTunes: iTunes can download data from the phone without going through its “trust this computer” prompt. After 24 hours, the phone reboots, deletes the LE configuration parameters (such as WiFi networks) and reverts to its original locked and secured state.

The iPhone will also leave a notification for the owner that the phone has been unlocked and accessed by law enforcement (much like the note the TSA leaves in luggage after searching it). If the phone still has Internet access, it will contact Apple and inform the owner’s Apple ID that the phone has been unlocked and accessed by law enforcement. This Internet notification could be suspended for up to 30 days to allow law enforcement enough time to get what they need before the owner is notified. Though, I’d recommend that Apple notify the owner right away of any access by law enforcement.

How to use the code

When a valid Apple-generated law enforcement code is entered into the phone in LEM, the phone checks the validity of the code using an internal process that runs on the phone. While the phone is being used normally by its owner, this process periodically syncs with Apple’s LE servers to ensure that the phone’s LEM process will work should the phone later fall into the possession of law enforcement. This will have to be spelled out and agreed to in Apple’s terms and conditions. Apple’s servers and the phone stay synchronized the way RSA SecurID time-based tokens stay synchronized with their server (within a small, calculable margin of clock drift), so the phone won’t need to sync often. For the phone to verify a code offline it must hold the key material needed to recompute that code, so that material needs the same hardware protection as the phone’s other secrets.

How to use Law Enforcement Mode

This mode can be brought up by anyone, but to unlock it fully, a valid Apple-issued law enforcement ID and a one-use code must be entered into the iPhone before the mode unlocks and allows setup of a WiFi network. Without entry of a valid Apple-issued law enforcement ID number, or after successive incorrect entries, the phone reboots out of LEM after a short period of time.

Law Enforcement ID

Law enforcement IDs must be generated by Apple and synced to all Apple devices in advance, before any device falls into law enforcement possession. To keep the list small, it remains compressed on the device until LEM successfully activates, at which point the file is decompressed for offline validation. (The list would also need to be signed by Apple so that it cannot be altered on the device.) This means that a nefarious someone can’t simply get into this mode and start mucking about to gain entry to a random phone. It also means someone can’t ask Apple to issue a brand new ID on the spot. Even if Apple were to create a new ID, the phone would take up to 24 hours to sync it… and that assumes the phone still has data service (which it probably doesn’t). Without data service, the phone cannot sync new IDs. That is why these IDs must be created in advance.

Apple will also need a validation process to ensure that the officer requesting an ID is a real officer working for a legitimate law enforcement organization. This in-advance validation may require a scan of the officer’s badge and badge number, an agency-issued ID card and any other relevant agency information confirming that the requester is a valid LE officer or an officer of the court. This requires some effort on Apple’s part.

To get an Apple law enforcement ID, the department needing access must apply for it through Apple’s law enforcement support site (to be created). Once an Apple law enforcement ID has been issued, it syncs to phones within 24 hours, activating that ID for use with the phone’s LEM. These IDs should not be shared outside the issuing law enforcement department. IDs must be renewed periodically through a simple validation process; otherwise they expire and drop off the list. Manufacturers shouldn’t have to manage this list manually.
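The following is an added worked model of the scheme sketched in “How to use the code” and “Law Enforcement ID”; it is example code written for this edit, not Apple’s code and not from the original post. It assumes the one-use code is an HMAC-SHA256 over the canonicalized device identifiers, the law enforcement ID and an hourly time step, computed with a per-device key that Apple derives from a master key and provisions to the phone during the periodic LE sync; the federal warrant check is modelled as a simple lookup; the pre-synced LE ID list is a plain set; all identifiers, keys and ID numbers are constructed sample values. Class and function names (LEServer, PhoneLEM, compute_code, device_key) are invented for the example.

```python
# Added illustrative model of the one-use LE unlock code (not Apple's code).
import base64
import hashlib
import hmac

STEP_SECONDS = 3600      # assumed: codes are bound to an hourly time step
VALID_STEPS = 24         # the 24-hour unlock window described in the post
SKEW_STEPS = 1           # tolerated clock drift, as with RSA SecurID tokens
MAX_BAD_ATTEMPTS = 5     # assumed: after this many failures LEM reboots out


def canonical_device(fields: dict) -> bytes:
    """Serialize the evidence-device identifiers in a fixed order so the server
    (agent-typed values) and the phone (its own values) MAC the same bytes.
    A typo in the IMEI therefore yields a code the phone rejects."""
    keys = ("imei", "iccid", "seid", "serial", "phone_number")
    return "|".join(f"{k}={fields.get(k, '')}" for k in keys).encode()


def device_key(master_key: bytes, serial: str) -> bytes:
    """Assumed: per-device key derived from a master key and provisioned to the
    phone during the LE sync. On the phone it would have to live in
    hardware-protected storage; that is not modelled here."""
    return hmac.new(master_key, b"le-device-key|" + serial.encode(), hashlib.sha256).digest()


def compute_code(dev_key: bytes, device: bytes, le_id: str, step: int) -> str:
    """120-bit HMAC over device identifiers, LE ID and time step, base32 for typing."""
    msg = device + b"|" + le_id.encode() + b"|" + step.to_bytes(8, "big")
    mac = hmac.new(dev_key, msg, hashlib.sha256).digest()[:15]
    return base64.b32encode(mac).decode()   # 24 characters, no padding


class LEServer:
    """Apple's LE support site: gates issuance on LE ID and warrant, then derives the code."""

    def __init__(self, master_key: bytes, valid_le_ids, valid_warrants):
        self.master_key = master_key
        self.valid_le_ids = set(valid_le_ids)
        self.valid_warrants = set(valid_warrants)   # stand-in for the federal warrant lookup

    def issue_code(self, fields: dict, le_id: str, warrant: str, now: int) -> str:
        if le_id not in self.valid_le_ids:
            raise PermissionError("unknown law enforcement ID")
        if warrant not in self.valid_warrants:
            raise PermissionError("warrant not validated")
        step = int(now) // STEP_SECONDS
        return compute_code(device_key(self.master_key, fields["serial"]),
                            canonical_device(fields), le_id, step)


class PhoneLEM:
    """The phone side of Law Enforcement Mode, verifying offline."""

    def __init__(self, dev_key: bytes, fields: dict, synced_le_ids):
        self.dev_key = dev_key
        self.device = canonical_device(fields)
        self.le_ids = frozenset(synced_le_ids)   # synced in advance, decompressed on LEM entry
        self.used_codes = set()                  # enforces one use per code
        self.bad_attempts = 0
        self.in_lem = True
        self.unlocked_until = None

    def try_unlock(self, le_id: str, code: str, now: int) -> bool:
        if not self.in_lem:
            return False
        now_step = int(now) // STEP_SECONDS
        if le_id in self.le_ids:
            # Accept a code issued within the last 24 steps (plus clock skew), exactly once.
            for step in range(now_step + SKEW_STEPS, now_step - VALID_STEPS, -1):
                if hmac.compare_digest(compute_code(self.dev_key, self.device, le_id, step), code):
                    if code in self.used_codes:
                        break                    # replay of a spent code
                    self.used_codes.add(code)
                    self.unlocked_until = (step + VALID_STEPS) * STEP_SECONDS
                    self.bad_attempts = 0
                    return True
        self.bad_attempts += 1
        if self.bad_attempts >= MAX_BAD_ATTEMPTS:
            self.in_lem = False                  # reboot out of LEM, as the post describes
        return False

    def is_unlocked(self, now: int) -> bool:
        return self.unlocked_until is not None and now < self.unlocked_until


# Constructed sample input (not real device data or keys).
SAMPLE_FIELDS = {"imei": "356938035643809", "iccid": "8901DEMO0000000001",
                 "seid": "SEID-DEMO", "serial": "DEMOSERIAL01", "phone_number": "+15555550100"}
MASTER_KEY = b"constructed-master-key-for-demo-only"


def demo(t0: int = 1_700_000_000) -> dict:
    """Issue one code, use it, then show replay and a wrong LE ID being refused."""
    server = LEServer(MASTER_KEY, {"LE-0001"}, {"W-2020-0001"})
    phone = PhoneLEM(device_key(MASTER_KEY, SAMPLE_FIELDS["serial"]), SAMPLE_FIELDS, {"LE-0001"})
    code = server.issue_code(SAMPLE_FIELDS, "LE-0001", "W-2020-0001", t0)
    return {
        "code_len": len(code),
        "first_use": phone.try_unlock("LE-0001", code, t0 + 60),
        "still_open_23h": phone.is_unlocked(t0 + 23 * 3600),
        "closed_25h": not phone.is_unlocked(t0 + 25 * 3600),
        "replay": phone.try_unlock("LE-0001", code, t0 + 120),
        "wrong_le_id": phone.try_unlock("LE-9999", code, t0 + 120),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The “identifiers must match the device” check is implicit: the phone MACs its own identifiers, so a code issued from a mistyped IMEI simply never verifies. And the whole offline check rests on two things the post only implies, namely that the per-device key never leaves protected storage on the phone and that the synced ID list cannot be edited on the device; if either fails, the one-use property is lost.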

Such a system is relatively simple to build, but may take time to implement. Apple, however, may not be cool with developing such a law enforcement system on its own time and dime. This is where government may need to step in and mandate that phone manufacturers who insist on using ever stronger encryption build a law enforcement support system. While governments could legislate that companies reduce the encryption strength of their devices to avoid building a law enforcement system as described, I’d strongly recommend instead that companies be required to build a law enforcement support and unlocking system into their devices if they wish to keep using ever stronger encryption. Why compromise the security of all devices for a small number of law enforcement cases? Apple must meet law enforcement somewhere in the middle via technological means.

There is also no reason for Apple and other device manufacturers to deny law enforcement agents access to phones when there are software and technical solutions that would let them cooperate with law enforcement without “giving away the farm”.

I don’t even work for Apple and I designed this functional system in under 30 minutes. There may be other considerations of which I am not aware within iOS or Android, but none of these considerations are insurmountable in this design. Every device that Apple has built can support such a mode. Google should also be required to build a similar system for its Android phones and devices.

Apple is simply not trying.
