San Bernardino shooter’s Apple ID passcode changed in government custody

While discussing the San Bernardino shooter’s iPhone, Apple executives said the password changed while it was under the government custody.

The discussion about the San Bernardino shooter’s iPhone has monopolized media in this week, a US magistrate ordered Apple to help unlock the mobile device, but the company refused to do so.

A new shocking news is circulating on the Internet, according to unnamed Apple executives, the shooter’s Apple ID password changed while it was under government custody causing the block of the access.

The password associated with the Apple ID linked to the San Bernardino shooter’s iPhone was changed less than 24 hours after the feds took possession of the mobile device.

This circumstance made impossible to access a backup of the information the government was seeking.

According to Buzzfeed, the company executives revealed that Apple had been helping federal officials with the investigation when the password change was discovered.

According to Apple, it had been helping the FBI with the investigation since early January 2016, but it seems that the law enforcement contacted the company after attempting to access the iPhone.

“The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a backdoor. One of those methods would have involved connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup that might provide the FBI with information stored to  the device between the October 19th and the date of the incident.” states Buzzfeed.

“Apple sent trusted engineers to try that method, the executives said, but they were unable to do it. It was then that they discovered that the Apple ID password associated with the iPhone had been changed. (The FBI claimed earlier Friday that this was done by someone at the San Bernardino Health Department.)”

Just after the dramatic event, an unnamed San Bernardino police official has executed a procedure to reset the Apple ID Passcode associated with Farook’s iPhone.

By default, resetting the Apple ID passcode creates a new device ID linked to the iCloud account that will not automatically sync device data online. The synchronization must be manually configured by the user after he generated the new Apple ID password.

In the case of the terrorist’s iPhone the change of the settings was not possible because already locked and feds were not able to force the sync with Cloud even if they take the device to the known Wi-Fi range.

Now the unique possibility to access the iPhone data consists in pushing an iOS software update that forces the auto-backup of the iPhone to a third party server.

The executives explained that creating a backdoor access to Apple iOS devices represents a serious risk for the privacy of millions of users. It could be used to virtually target any Apple device and open the door to massive surveillance.

Pierluigi Paganini

(Security Affairs – Apple, iPhone)