Wednesday, March 30, 2016

Apple Demands The FBI Tell It How They Cracked the iPhone Encryption (AAPL)

From the Los Angeles Times:
Apple Inc. refused to give the FBI software the agency desperately wanted. Now Apple is the one that needs the FBI's assistance.

The FBI announced Monday that it managed to unlock an iPhone 5c belonging to one of the San Bernardino shooters without the help of Apple. And the agency has shown no interest in telling Apple how it skirted the phone's security features, leaving the tech giant guessing about a vulnerability that could compromise millions of devices.

"One way or another, Apple needs to figure out the details," said Justin Olsson, product counsel at security software maker AVG Technologies. "The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices."

But that's not how it's playing out so far. The situation illuminates a process that usually takes place in secret: Governments regularly develop or purchase hacking techniques for law enforcement and counterterrorism efforts, and put them to use without telling affected companies.

What's different in this case is that the world has been watching from the start. After Syed Rizwan Farook and his wife killed 14 people in December, the government publicly sought a court order to compel Apple to unlock Farook's work phone. Apple opposed that order, heightening long-standing tensions between Silicon Valley and law enforcement.

Now that the FBI has dropped its case against Apple, there's a new ethical dilemma: Should tech companies be made aware of flaws in their products, or should law enforcement be able to deploy those bugs as crime-fighting tools?

It's unclear whether the FBI's hacking technique will work on other versions of the iPhone, though a law enforcement official who spoke on the condition of anonymity said its applications were limited.
Some news outlets citing anonymous sources have identified Israeli police technology maker Cellebrite as the undisclosed third party helping the government, but neither the company nor the FBI has confirmed those reports.

A source who is unauthorized to discuss the case told The Times the FBI was provided with the ability to incorrectly guess more than 10 passwords without permanently rendering the phone's data inaccessible. That allowed the agency to use software to run through potential pass codes until it landed on the correct one. It is not clear what info, if any, was gleaned from the phone.

Attorneys for Apple are researching legal tactics to compel the government to turn over the specifics, but the company had no update on its progress Tuesday.

The FBI could argue that the most crucial information is part of a nondisclosure agreement, solely in the hands of the outside party that assisted the agency, or cannot be released until the investigation is complete.

Many experts agree that the government faces no obvious legal obligation to provide information to Apple. But authorities, like professional security researchers, have recognized that a world in which computers are crucial in commerce and communications shouldn't be riddled with technical security flaws.

Even the White House's cybersecurity coordinator has acknowledged there are times when more people could be harmed by an unfixed security issue than helped by the government covertly using the loophole as part of an investigation.

A secretive White House-led procedure governs whether companies get notified of potential flaws....MORE

UPDATED--"FBI hacks into gunman’s iPhone without Apple’s help"
UPDATE: "'Apple likely can’t force FBI to disclose how it got data from seized iPhone' (AAPL)"

See also the boy geniuses at BGR:

How Apple could force the FBI to explain San Bernardino iPhone hack
Apple beat the FBI this week, as it avoided a legal battle against the law enforcement agency over creating a backdoor into the San Bernardino iPhone. The war on encryption isn’t over yet, as both parties aren’t necessarily happy with this temporary solution. For the FBI, accessing the iPhone belonging to one of the San Bernardino shooters is crucial, but doesn’t solve its bigger problem: spying on encrypted communications or devices. Apple, on the other hand, is reportedly working on beefing up iPhone security. But for now, it has one other problem: the world knows there is a way to get a peek at the data stored on an encrypted iPhone without knowing the PIN or password.

The FBI did not say whether it’ll share the vulnerability it discovered and successfully used on the San Bernardino iPhone 5c, with the help of an unnamed security company. But Apple might be able to use other legal cases that involve iPhones to force the Bureau to explain the hack.

It all hinges on the U.S. Department of Justice’s case in New York against Apple, Reuters reports. If prosecutors ask the court to force Apple to unlock the iPhone, Apple could push the government to reveal how it accessed the iPhone 5c.

The DOJ will tell the court over the next two weeks whether it’ll continue its bid to force Apple to help out in the Brooklyn case. A federal judge already ruled that he did not have the authority to order Apple to help the agency in the Brooklyn case, but the DOJ appealed that decision to a district court judge.

In light of the San Bernardino iPhone hack, the DOJ agreed with Apple to delay the briefing deadlines in the Brooklyn case until April 11th. Even if the government decides to halt its proceedings against Apple, the Cupertino-based company will still be able to pursue legal discovery in any other case where the FBI wants to use evidence obtained from an iPhone without Apple’s help.
In fact, the FBI might have a hard time keeping the technology a secret. Reuters says that other law enforcement officials in the country are looking for support to unlock iPhones seized in criminal investigations....MORE