Late on Monday, the FBI announced that it had finally gained access to San Bernardino shooter Syed Rizwan Farook’s iPhone, effectively ending its month-long fight with Apple over unlocking the device.
Though international debate about encryption is far from over, this leaves both sides in somewhat uncomfortable positions. The FBI looks a little silly for making this into a federal case, and Apple’s device security — which has long been a selling point for its products — has taken a very public hit. Below, a quick explainer of what happened, and how each of these powerful American institutions has emerged from this long and exhausting brawl.
Funny you ask — that’s the question that every tech journalist in the world wants to answer. Last week, less than 24 hours before the Justice Department was set to face off with Apple lawyers in court, investigators asked to postpone the hearing because they were approached by an “outside party” who offered to help them get into the device.
Who that outside party is, we do not know. But there are some pretty reasonable guesses. As Wired reported last week, the FBI has a sole-source contract with the Israeli mobile forensic firm Cellebrite. Its website advertises that the company’s hackers can extract data from locked iPhones running any version of iOS up to 8.4.1. It’s possible that those forensic researchers could be exploiting a vulnerability that Apple has already patched in iOS 9.
There are a few other theories that could explain the FBI’s feat, but they get pretty deep in the technical weeds of how iOS stores memory. You can read about these theories here.
Technically, no. And it’s possible they have already signed a nondisclosure agreement with the outside party that helped them do it. If the FBI happens to take Apple to court over accessing a device again, it’s possible the details of this case could come up and become public information.
On a call with journalists last week, Apple lawyers acknowledged that the FBI’s sudden discovery of a break-in method was always a possibility, and one Apple was willing to accept. Indeed, as the company has pointed out in court filings, it is constantly fighting to keep up with the latest security advancements, and patching known vulnerabilities.
But any court order to weaken Apple’s systems, it argued, would make them significantly less secure, because it would make them more likely to be targeted by cybercriminals. Apple lawyers said they hoped the FBI would share its method for breaking into the device, but that there was no way to force it to do so.
But let’s face it: Even if the vulnerability that was exploited by the FBI’s hired hackers has already been patched in later versions of iOS, the fact that law enforcement could get into Farook’s phone makes Apple’s overall security look bad. And it further supports criticism from some cryptographers that Apple could’ve done more to prevent the FBI from even requesting the access it wanted in the San Bernardino case in the first place. Even though the court case was dropped, Apple was definitely cut down in the eyes of the privacy community, and probably the public.
It’s also worth noting that the third party the FBI hired did not report whatever vulnerability it discovered in iOS to Apple. According to a report by the New York Times last week, that could possibly be because, unlike most major tech companies, Apple does not offer large sums of money in exchange for finding security errors in its code.
During the debates spurred by the San Bernardino court case, many privacy activists and members of Congress suggested the FBI simply wanted to set a legal precedent that gave it a court-mandated way to access encrypted information on the devices of terrorists and criminals.
But, as Electronic Frontier Foundation attorney Nate Cardozo told Yahoo News last week, it seems “the government was taken by surprise by the strength of Apple’s opposition and the amount of support they were able to garner in both the tech community and the civil liberties community.” In other words, if your court case is prompting journalists to ask President Obama what he thinks about a very controversial topic, you’re probably doing something that could be embarrassing for your organization.
Well, the federal magistrate assigned to the San Bernardino case is reportedly unfazed by unpredictable situations, even that time a plane crashed into her house in 2003 (no biggie). But the fact that the FBI repeatedly claimed it couldn’t unlock Farook’s phone without the help of Apple — only to say, “Whoops, never mind! We can!” the day before a trial — diminishes its argument in court. That is to say, any judge in any similar case in the future may be skeptical of those claims. The FBI lost a lot of legal credibility through this whole kerfuffle.
Hackers, maybe? Or, at least, discreet mobile forensic firms that are hired as private contractors by the government. And I would argue that the American people also won a small victory. An important and complicated issue pitting security and privacy interests against each other was debated pretty seriously in the public square. That may even push Congress to address the issue, however briefly.
Well, now that the FBI has learned its lesson, it’s likely to be much more secretive about any other access it pursues through third-party forensic labs. Consider the assertive tone of a statement released by a Justice Department spokesperson yesterday: “It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety, either with cooperation from relevant parties, or through the court system when cooperation fails. We will continue to pursue all available options for this mission, including seeking the cooperation of manufacturers and relying upon the creativity of both the public and private sectors.”
Chances are, they won’t be seeking the public’s sympathy next time.