Encryption & Key Management , Governance & Risk Management , Next-Generation Technologies & Secure Development

Feds Obtain Delay in Apple Hearing

FBI Testing New Technique to Unlock Shooter's iPhone
Feds Obtain Delay in Apple Hearing
Apple CEO Tim Cook speaks March 21 at the company's Cupertino campus.

This story has been updated.

See Also: Cyber Insurance Assessment Readiness Checklist

The Department of Justice has been granted a delay of a March 22 hearing relating to a court order compelling Apple to help the FBI unlock the iPhone 5C issued to San Bernardino shooter Syed Rizwan Farook. That's because it says it may have found a way to unlock the phone without Apple's assistance (see Apple Accuses DOJ of Constitutional, Technical Ignorance).

On March 21, the U.S. government submitted a document to the court saying that "an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," and that while testing was still required to ensure that it would work, if it did succeed then "it should eliminate the need for the assistance from Apple ... set forth in the ... [order] in this case."

Accordingly, the Justice Department filed a "motion to vacate" with the court, requesting that the March 22 hearing be delayed, in case the FBI can find another way to gain access to the iPhone. "The government proposes filing a status report with the court by April 5, 2016," the filing notes. That request was granted, with U.S. Magistrate Judge Sheri Pym canceling the hearing and ordering the Justice Department to "file a status report" by April 5.

Apple said it's premature to declare a victory in the dispute because it's possible authorities could come back in a few weeks and insist they still need help, according to the Associated Press.

Robert Cattanach, a former Justice Department attorney who handles cybersecurity cases for the law firm Dorsey & Whitney, told AP that the government would likely not have disclosed it had a lead unless it was almost certain the method would work. That's because the disclosure weakens the government's case by introducinng doubt that it could only access the phone with Apple's help, he said. "They've created ambiguity in a place where they've previously said there is none," he said.

Tim Cook on Protecting Privacy

The Justice Department's move followed Apple CEO Tim Cook taking to the stage March 21 at his company's Cupertino, Calif., campus to announce a range of new products, including a new iPhone and iPad. But first, he touched on the encryption debate "on everybody's mind," which kicked off after the FBI obtained the court order requiring Apple to help it unlock the iPhone 5C issued to the Faroook, the San Bernardino shooter (see Apple Accuses DOJ of Constitutional, Technical Ignorance).

"We need to decide, as a nation, how much power the government should have over our data and over our privacy," Cook said on stage. "We believe strongly that we have a responsibility to help you protect your data and protect your privacy. We owe it to our customers and we owe it to our country. This is an issue that affects all of us, and we will not shrink from our responsibility." (See Feds Counter Apple's Arguments Over iPhone 'Backdoor').

Farook's Dec. 2 workplace rampage, which the government has described as terrorism, left 14 people dead. Farook and his wife, Tashfeen Malik, were killed in a shootout with police. The bureau says it recovered Farook's phone from his car following the shootings.

While decrying the attacks, Cook vowed that Apple would fight the "dangerous" request, which he said was the equivalent of the FBI demanding that Apple "build a backdoor to the iPhone." And in Apple's latest legal filing, submitted to the court on March 15, the company's legal team has described the government's move as an attempt to "order private parties to do virtually anything the Justice Department and FBI can dream up," adding that "the [country's] founders would be appalled."

PR Campaign?

Regardless of the Justice Department's move to potentially withdraw the court order against Apple, some security and legal experts contend that the Justice Department had been running a carefully planned public relations campaign calculated to give the FBI the power to demand crypto backdoors from U.S. hardware and software manufacturers.

Information assurance consultant William Murray, for example, who's an associate professor at the U.S. Naval Postgraduate School, has criticized the Justice Department for the lack of "courtesy and respect" it has shown to Apple, in part by blindsiding the company with the court order (see Apple vs. FBI: Readers Debate).

"While government officials swear to uphold the Constitution, by design and intent, the Constitution limits their ability to 'govern.' It is to be expected that they will chafe under its restrictions. That is why we have courts and an adversarial system," he says. "Perhaps with the best motives and intent, and while perhaps within the limits of the Constitution and the law, the DoJ has gratuitously insulted and unnecessarily alarmed citizens."

Legal experts have said the case involving the court order against Apple might take several years - or more - to be resolved, unless of course, the Justice Department requests that Judge Pym withdraw her order against Apple.

Apple Pitches iPhone SE

Cook on March 21 announced Apple's forthcoming range of new products as the company battles a decline in worldwide iPhone sales. He announced that Apple would begin shipping later this month a new iPhone SE, which features a 4-inch screen and is meant to target customers who prefer a smaller and less expensive device.

As with all phones built since the iPhone 5S, the iPhone SE will also include the Touch ID fingerprint scanner, which is used to provide biometric access to the device, as well as to help create a unique, cryptographic key to secure data stored on the phone. That technology was not built into the iPhone 5C, and multiple information security experts have suggested that if it had been, then the late Farook's finger might have been used by the FBI to unlock the device.

Apple Patches 38 iOS Flaws

In other Apple security news, the company has released iOS 9.3, which patches 27 flaws in the 9.2.1 version of its mobile operating system. The new version also includes a fix for an iMessage encryption flaw discovered by a research team from Johns Hopkins University in Baltimore, led by cryptography professor Matthew E. Green. He and his team of graduate students have also published a paper that details a related attack in full.

The iMessage vulnerability, designated as CVE-2016-1788, could be abused by an attacker to obtain and decrypt any photos or videos sent using Apple's iMessage, the researchers say. "The attack is more interesting than just attachments and affected more than just iMessage," says Ian Miers, who was part of the research team, via Twitter. "Apple had to fix other apps, but won't say what."

Apple says that by targeting the vulnerability, "an attacker who is able to bypass Apple's certificate pinning, intercept TLS connections, inject messages and record encrypted attachment-type messages may be able to read attachments." Despite the dispassionate language and seeming caveats, however, multiple information security experts have labeled this vulnerability as posing a serious threat and warn that it can be exploited.

Green tells The Washington Post that his team's discovery of the Apple crypto flaw has direct and immediate implications for the Apple-FBI case.

"Even Apple, with all their skills - and they have terrific cryptographers - wasn't able to quite get this right," Green said. "So it scares me that we're having this conversation about adding back doors to encryption when we can't even get basic encryption right."

Apple: New Security Hire

In other developments, Apple has hired George Stathakopoulos, formerly of Amazon, as its new head of corporate information security, Reuters reports.

Stathakopoulos, who was Amazon's vice president of information security, also formerly served as Microsoft's general manager of product security. Apple, which didn't respond to a request for comment, hasn't officially confirmed Stathakopoulos's hiring. He reportedly began work at Apple earlier this month.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.