How an Apple passcode has foiled the FBI

Four numbers hardly seem like a foolproof way to protect a smartphone.

But that's likely what has stumped federal law enforcement, who have been unable to break into the iPhone 5C used by one of the San Bernardino shooters. That has led to a standoff between Apple and the FBI over the agency's right to access the device's contents — and its power to compel Apple to help it do so.

Password-protecting an iPhone seemed unnecessary in the early smartphone days, when most devices contained little more than contacts and music. But as smartphones evolved into powerful mini-computers storing troves of personal, location and financial data, the need to safeguard them has soared.

Phones today are better protected than they've ever been.

"You have to go out of your way to not have a passcode," said Eric Burger, director of the Georgetown University Center for Secure Communications. "We're much better off."

The increased use of passwords may be keeping out hackers or jealous boyfriends, but now authorities are finding themselves locked out, too.

The FBI's dilemma in the San Bernardino terror investigation has demonstrated how powerful these digital locks can be and could prompt more people to use them.

"The tools of the good guys have gotten a lot more powerful, stronger and with a lot more capability," Burger said.

The problem is the tools are available to everyone, including terrorists.

As smartphone theft blossomed worldwide, consumers were urged to turn on features enabling them to identify the real-time location of the phone and delete its contents over the Internet.

Smartphone makers even require a passcode, at minimum, if users want to use their phones as mobile wallets that store digital copies of credit cards.

"It's your banking information, who you had lunch with, where you've been," Burger said. "People are realizing criminals are using that information to clear out your bank account."

Apple added an extra layer of security in 2013 when it introduced Touch ID, a fingerprint scanner that allows users to unlock their phones by pressing their fingerprint to the home button.

Last year, Apple upped its security even more and remains the toughest device for outsiders to penetrate.

It increased the default passcode length to six characters from four, making them more difficult to crack.

Join the conversation on Facebook >>

Apple also has deterred hackers from making multiple guesses. A security setting wipes an iPhone's data clean after 10 incorrect tries.

That limit is what's stymieing FBI officials, who fear that if they keep trying to break into San Bernardino shooter Syed Rizwan Farook's iPhone 5C, they risk destroying all the content they're after.

Other smartphone companies have touted their phones' security options in recent years. Samsung's Knox feature locks data under a separate password into a harder-to-access layer of the smartphone. Microsoft pitches a phone to business customers that gives corporate officials new powers to secure employees' devices.

Cybersecurity experts applauded the efforts because in 2013 just 47% of U.S. adult Internet users locked their device in some fashion, according to a Consumer Reports survey. The numbers are much higher now, experts say.

"The real issue with security is still not so much about bits and bytes," Burger said. "It's about how to make it easier for users to use and help them understand why it's important."

Law enforcement has found ways around smartphone passcodes. Courts have regularly ordered Apple to turn over iPhone user data backed up on the cloud. And law enforcement authorities can exploit loopholes in Google's Android operating system to access data on phones running that software.

But "Apple is highly unique in the way it limits access to the area of the phone where information is stored," said Michael Harris, chief marketing officer at Guidance Software, a forensic software vendor.

That's what pushed the Silicon Valley giant to the center of the debate for a back door into smartphones.

Apple should have the capability to develop one, experts said, but the company's history with guarding consumers' data from outside entities shows it's probably headed in a different direction.

paresh.dave@latimes.com

Twitter: @peard33

FULL COVERAGE: Terror attack in San Bernardino >>

MORE ON APPLE VS. THE FBI

In San Bernardino, where terrorists struck, residents debate FBI vs. Apple

Court order in San Bernardino case could force Apple to jeopardize phone security

Editorial: The FBI wants Apple to pry into your iPhone

Copyright © 2016, Los Angeles Times
68°