Crime & Justice

FBI statement: Agency allowed reset of terrorist's iCloud password

CUPERTINO, CA - SEPTEMBER 09:  Apple Senior Vice President of Worldwide Marketing Phil Schiller announcees the new iPhone 6 during an Apple special event at the Flint Center for the Performing Arts on September 9, 2014 in Cupertino, California. Apple unveiled the two new iPhones the iPhone 6 and iPhone 6 Plus.  (Photo by Justin Sullivan/Getty Images)
CUPERTINO, CA - SEPTEMBER 09: Apple Senior Vice President of Worldwide Marketing Phil Schiller announcees the new iPhone 6 during an Apple special event at the Flint Center for the Performing Arts on September 9, 2014 in Cupertino, California. Apple unveiled the two new iPhones the iPhone 6 and iPhone 6 Plus. (Photo by Justin Sullivan/Getty Images)
Justin Sullivan/Getty Images

In a statement released late Saturday night, the FBI says it was working in conjunction with San Bernardino County when the iCloud password of San Bernardino shooter Syed Farook was changed, contesting reports that county workers altered the password on their own.

"This is not true. FBI investigators worked cooperatively with the county of San Bernardino in order to exploit crucial data contained in the iCloud account associated with a county-issued iPhone that was assigned to the suspected terror suspect, Syed Rizwan Farook," the statement sent to KPCC reads.

The FBI statement also says that since Farook's phone was already locked when it was seized during the search on Dec. 3, 2015, "a logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack. The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data.  The reset of the iCloud account password does not impact Apple’s ability to assist with the the court order under the All Writs Act." 

The statement reinforces a Friday night tweet from the San Bernardino County Twitter feed noting that Farook's iCloud password had indeed been changed.

Tweet

The rest of the statement reads as follows:

"The last iCloud data backup of the iPhone 5C was 10/19 and, based on other evidence, investigators know that Syed Rizwan Farook had been using the phone after 10/19.  It is unknown whether an additional iCloud backup of the phone after that date -- if one had been technically possible -- would have yielded any data. 

Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains.  Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple's assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone.  As the government's pleadings state, the government's objective was, and still is, to extract as much evidence as possible from the phone."