Will the FBI Share Its iPhone-Cracking Methods with Apple?

The two switch sides in the request for access, but the underlying issues are the same.



From a distance, it looks like the shoe is on the other foot, but it's really not. Now that the FBI, with the assistance of an undisclosed third party, has successfully cracked the security of the work iPhone of San Bernardino, California, terrorist Syed Farook, can Apple demand that the FBI show them how?

The story we all know by now is that the FBI and the Department of Justice had gone to federal court to try to force Apple to write code that would help weaken the phone's security and let them try to brute force their way through Farook's passcode. Apple resisted the demand, claiming that providing such information, even if it remained in Apple's hands, could potentially weaken the cybersecurity of all its customers' data, opening them up to potential hackers or cybersurveillance.

We don't know whether Apple would have won that fight in California because the FBI withdrew its demand after figuring out on its own how to break into Farook's phone. But now the big question is whether the information will flow back in the other direction. Typically, when the U.S. government uncovers a security vulnerability in the private sector, it has a process for letting the affected businesses know so that it can be fixed. But we have a surveillance security state where transparency and your privacy and cybersecurity rank second behind the feds' efforts to keep their processes secret because of the war on terror. So we don't know whether the FBI will have to provide this info to Apple. Reuters explains:

The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.

Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. "There are no hard and fast rules," said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.

If a review is conducted, many security researchers expect that the White House group will not require the FBI to disclose the vulnerability it exploited.

Some experts said the FBI might be able to avoid a review entirely if, for instance, it got past the phone's encryption using a contractor's proprietary technology.

Explaining the policy in 2014, the Office of the Director of National Security said the government should disclose vulnerabilities "unless there is a clear national security or law enforcement need."

One analyst predicted that the FBI might not have to reveal the vulnerability if it required that physical possession of the phone was needed in order to crack it, because then that hacking method wouldn't be a threat to general phone users.

It creates an unusual tension because technically this is how we want the federal government to handle encryption in order to fight terrorism or major crimes. Nobody is arguing that the FBI doesn't have the authority to try to get access to the data on Farook's phone. The argument has been whether it could draft Apple to assist and to compromise its own security system. But once the FBI does it on its own (or with the help of a third party), there's still the matter of compromised security.

Though the dynamic is reversed, with Apple requesting information from the FBI, the underlying issue remains the same: Can the government deliberately compromise the data security and privacy of American citizens simply by claiming it's necessary to fight crime and terrorism? Heaven knows they seem to be trying. Stay tuned. The FBI has agreed to help prosecutors in Arkansas attempt to gain access to another iPhone and an iPod to try to help solve a double homicide.


  1. …can Apple demand that the FBI show them how?

    That End User License Terms and Conditions document is more powerful than the United States Constitution, so you bet your Newton they can.


  2. What’s the likelihood that Apple doesn’t already know how it was (likely) done?

    Note that in their pleadings, Apple never claimed it couldn’t be done, merely that they didn’t want to.

    1. If they don’t, it sounds like quite the opportunity to make some money for Mr. 3rd Party.

  3. I have no Apple products. I ask here, was this an older phone and are the newer ones harder to crack? Did the firm that did crack it steal the information? Lastly, did they really crack the phone or is it B.S.? I look forward to the FBI crowing about all the information they found from this phone.

    1. They all run on the same operating system, so age of the phone doesn’t matter.

      1. Thank you. I need to get back to work. Have a good day.

      2. Hardware versions are different, so the layers involved in the security change over time.

      3. The OS version changes almost every year. And just like desktops I’m sure these updates include security measures.

      4. This isn’t accurate, sarc. First, the Farook phone is a 5c; regardless of iOS version it does NOT have a secure enclave on its chip. Newer phones do. Second, it was running an older iOS. The latest 9.3 is supposedly closing a lot of holes Apple knew about, including some that would prevent even the requested cracking method for the Farook phone. So yes, it matters. In the end though, Nation State level resources can eventually crack anything…it merely requires a commitment to the level of effort.

        1. BTW Secure enclave is a physical location in the proc that holds a unique key which once loaded and tested has all external inlets destroyed at the factory…That chip then combines with a hash of the user’s passcode, then you have a crypto key un-retrievable.
          Smarter folks than I suggest that the only way at that point would be to grind down the chip very carefully and inspect its state with an electron scanning microscope.

          1. So you could scan the chip with an electron microscope, and build a duplicate crypto key on a molecular level?

            1. State inspection shouldn’t have to go to a molecular level. But basically yes. The theory is solid, the level of effort is the problem.

              (and I believe they would have no issue with brute forcing the passcode if they could, the NSA has computing power second to none)

  4. We don’t know whether Apple would have won that fight in California because FBI withdrew its demand after figuring out on its own how to break into Farook’s phone.

    Is there a cite for that, or even evidence that the question was asked or looked into? Did the FBI have that crack in its back pocket all along and only withdrew from the court case after it realized the precedentialness of “OMG! Terrorism!” wasn’t the slam dunk they thought it was going to be? Seems a little too convenient that the crack for this particular phone was just now developed independently of this particular case.

    1. They could also be lying about actually cracking the phone in order to save face and be able to back off without looking like they lost. What, you don’t think they’d do that?

      1. Maybe they got some goods on Tim Cook and he secretly gave into their demands. Notice that the FBI cracked the phone just as Apple came out with a new version of their OS.

        1. This has already been discussed several months ago. Tim couldn’t even give in to their demands anyway, it would require a team of iPhone devs. Many of which have publicly stated they would revolt. EVEN IF Tim had given in the new iOS is unrelated. And a change to it would not likely help the FBI crack newer phones…see above comment.

      2. It is my opinion that they cracked the phone, but are concerned that they may not with iDevice version X+1

        1. Goddamn keyboard… continued:

          So they withdrew their case… essentially putting it on ice for when they may NOT be able to crack it. There’s no doubt the Government wants to set the precedent, but I think they’re strategically waiting for the right moment.

          1. This is reasonable and that X+1 is iOS9 on iPhone6 and up. So if they get a new iPhone with all its updates they are well and truly screwed.

      3. That was my first thought and I see no reason to doubt it yet.

      4. They could also be lying about actually cracking the phone in order to save face and be able to back off without looking like they lost. What, you don’t think they’d do that?

        Being as conspiratorially minded/jaded as possible; push the encryption case(s) until someone pushes back, withdraw the straw men cases one by one until you solve a few without (or with) cracking encryption. Then, let your pro-encryption opponents swing away and fall on their face on the meaningless cases while kicking them in the nuts on ‘real’ cases where you can point and say ‘people died because encryption happens’.

    2. The FBI would have lost big time. There is precedent for applying the All Writs Act to make companies help the government, and the three-part test used in previous cases would fail on at least 2 counts.

      But go cry in your beer, Apple. The FBI owes you nothing.

      1. Well, it may be true that the FBI owes Apple nothing, but Apple’s tax dollars (and remember they are the largest taxpayer in American history (arguably world history)) were spent undermining their business and its products. Also, if the FBI ever wants to ensure that their OWN communications are secure they will cooperate with their vendors on such matters.

        As a practical matter I don’t doubt Apple knows exactly how the FBI did it. I would think they are looking for confirmation to make sure they got all the holes plugged. I also don’t doubt they could have done it themselves but hadn’t, which is exactly why they stood firm on this particular request. It was a request for something that does not exist. Hence forcing the employees of Apple into involuntary servitude (see 13th Amendment for why this is illegal).

      2. That’s a shitty view of the FBI’s job. It is the FBI who should be working for us and it is the FBI who, if they’re not a bunch of hypocrites, should be more concerned of the threat such a vulnerability represents instead of worrying about making it so they don’t have to work late on Fridays…

        I mean… it’s not like protecting the people and companies is part of their job or anything

        It’s not like entities that would love to utilize such a vulnerability exist… https://goo.gl/bNBTwt

  5. The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.

    So, no.

  6. What do you wanna bet the “undisclosed third party” has longish hair, parted in the middle and has a proclivity for junk food and fruit-flavored sodas? Nudge, nudge; wink, wink…

  7. I have serious doubts that the FBI has actually found another way to break into the phone. I think it’s more likely that they were no longer confident of getting their way in court and were afraid of setting a precedent against them. As soon as they feel like the winds have shifted and they are more confident of getting their way, they’ll be all like “Well, our other way didn’t turn out like we wanted, so we’re gonna go ahead and demand Apple’s help again.”

  8. FBI Boss: “What can we do to Apple as punishment in this case?”

    FBI Peon: “They said something about not wanting to undermine consumer confidence, right?”

    FBI Boss: “Yeah?”

    FBI Peon: “Let’s just tell everyone we figured it out and leak the methodology onto the internet.”

    FBI Boss: “Promotions for everyone!”

  9. One reporter, who seems to know his stuff, has carefully noted exactly what the FBI has said. The FBI has said they have the contents of the iPhone’s memory. Indeed, if I read correctly, the FBI says they have the phone’s ENCRYPTED data. This is more than they had before, but one sharp reporter notes that the data is still encrypted, even though they have it. FBI’s dropping of lawsuit was probably to save face, as it wasn’t looking strong under All Writs Act (my speculation on the saving face part).
