Euro Security Watch with Mathew J. Schwartz

Encryption , Mobility , Technology

FBI's Zero-Day iPhone Hack: Many Questions Analyzing News Report on iPhone 5c PIN Crack
FBI's Zero-Day iPhone Hack: Many Questions

Who helped the FBI crack an iPhone 5c? The answer so far: Who knows?

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

Here's what we do know: The FBI says that it successfully unlocked an iPhone 5c used by one of the shooters involved in the Dec. 2 attack in San Bernardino, Calif., allowing it to conduct a digital forensic analysis of the device (see FBI Unlocks iPhone; Lawsuit Against Apple Dropped).

"I'm not believing a word of this until I see proof." 

To access the phone's contents, the FBI paid "professional hackers" a one-time, flat fee to purchase a zero-day flaw they'd found that was then used to create a piece of hardware that enabled the bureau "to crack the iPhone's four-digit personal identification number without triggering a security feature that would have erased all the data," The Washington Post reports, citing anonymous sources.

The optional security feature in question is built into recent generations of iOS, which can be set to delete the contents of the device after 10 failed PIN entries. According to court documents, the FBI says that it doesn't know if the feature was enabled on the targeted device, which was issued to San Bernardino shooter Syed Rizwan Farook. Hence the bureau wanted to play it safe by assuming the feature was activated.

Many Questions, Few Answers

But the Washington Post report leaves many questions unanswered: Which security researcher - or researchers - discovered the zero-day flaw? How much did the FBI pay both the zero-day flaw seller and whoever built the hardware that cracked the PIN code? Who provided the newspaper with the account? And what was their motivation? None of that has yet been revealed, with the Post's report citing only "people familiar with the matter." These same people reportedly also clarified that the FBI "did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested."

The FBI declined to comment on the Post report in particular, although pointed to recent "going dark" warnings sounded by bureau officials in speeches and congressional testimony. But one red flag with the report is that Cellebrite does sell a standalone phone-to-phone memory transfer and backup machine that matches the description of the hardware that was reportedly used by the FBI to access the iPhone.

Conflicting Reports

The scant - if not conflicting - details and sourcing attached to the Post's report has some information security experts voicing skepticism. "I'm not believing a word of this until I see proof," says Dan Guido, CEO of security research and incident response firm Trail of Bits, via Twitter. "Unidentified anonymous sources contradicting all prior evidence?"

Furthermore, who stands to gain from this news report? As Robert Graham, who heads the research firm Errata Security, notes via Twitter, all anonymous sources typically have one of three agendas: "a) personal politics b) government propaganda c) whistleblowing."

When it comes to cybersecurity reporting, propaganda often looms large. Indeed, it's a certainty that some "sources with knowledge of the investigation, speaking on condition of anonymity" will always blame Russia for any large bank breach or blame China for an APT attack, despite those assertions often later being proved wrong (see Report: Spammers Tied To JPMorgan Chase Hack).

FBI Director James Comey says he hasn't decided yet if the FBI, having used taxpayers' money to crack the iPhone 5c, will disclose the flaw to Apple so it can protect customers, given the upsides the new capability gives to investigators. But federal officials are reportedly set to consider the disclosure question in the coming weeks. Apple, meanwhile, has said it won't sue the Department of Justice in an attempt to obtain the vulnerability details.

The FBI/Apple Battle

The controversy began back in February when the FBI obtained a court order compelling Apple to help the bureau unlock the iPhone. Apple CEO Tim Cook fought the order in court, calling it "dangerous" and saying it would compel Apple to create a weak version of iOS - some dubbed it "FBiOS" - for the government, which would be impossible to control (see Apple Accuses DOJ of Constitutional, Technical Ignorance).

What, if anything, have FBI and Justice Department leaders learned from this experience? Do they think that attempting to legally compel Apple to create an "FBiOS" has helped or hurt the bureau's chances of working with other software and hardware developers? Does Comey think that playing hardball with the world's biggest technology company was worth it, given that CBS News reports that Farook's iPhone yielded no new insights?

Gear Heads, Rejoice

The FBI's moves have an obvious moral for anyone concerned with privacy and safeguarding their data: Buy a more recent-generation mobile device that includes strong crypto. Because in the wake of the FBI's moves against Apple, more manufacturers are creating communications systems with end-to-end encryption that they theoretically cannot crack (see Report: Apple Building iPhone It Can't Hack).

With that in mind, here's one final question: Will the FBI be able to buy its way out of future crypto conundrums?

The answer so far: Don't bet on it.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network