FBI Can Unlock iPhone Without Apple’s Help

Federal authorities have cancelled the court hearing with Apple, saying an ‘outside party’ has shown a potential way to crack Syed Farook’s phone

A court hearing designed to force Apple into compromising its security systems for the iPhone was cancelled recently at the request of federal authorities saying they potentially had another way into the San Bernardino shooter’s phone.

An Apple loss in the San Bernardino encryption case risks creating a world in which we can no longer trust the gadgets that track how we drive, when we’re home and whether the door is locked

The astonishing reversal kicks the can down the road in what had become the climax of a two-year battle over digital privacy between the US government and Silicon Valley. At the same time, the standoff between Apple and the Department of Justice drew so much attention that policymakers or another court may weigh in soon regardless.

The government has until 5 April to determine whether it wants to pursue the case. Apple’s attorneys, in a conference call with reporters, said they do not consider the development a legal victory and warned they could be back in the same situation in two weeks. The attorneys spoke on the condition of not being quoted by name.

The company’s lawyers said they were as surprised as anyone and learned of the development in an afternoon phone call.

The government’s potential solution raises its own questions: if investigators figure out a way to hack into the device without Apple’s help, are they obligated to show Apple the security flaw they used to get inside? Attorneys for Apple, which almost assuredly would then patch such a flaw, said they would demand the government share their methods if they successfully get inside the phone.

Recently US magistrate judge Sheri Pym stayed her previous order that Apple help the government crack the passcode on the iPhone used by San Bernardino gunman Syed Farook, citing “uncertainty” on the part of the government.

In its filing, the justice department said it might have a different way to break into device – something cryptographers, leading data security experts and even Edward Snowden have said was possible without placing the cybersecurity of all iPhone users at risk through creating what Apple derisively calls “GovtOS”.

Nevertheless, the government has stated repeatedly, under oath, that Apple alone had the technical ability to get inside the device. The government wanted Apple to use an official Apple software update to turn off some security features, including one that can cause the phone to wipe its storage if someone enters the wrong passcode 10 times.

The justice department request comes after more than a month of heated insistence that the only way the FBI could examine a locked iPhone used by the gunman was for Apple to write new software that would be missing some of its operating system’s security features.

US investigators said they have continued to look for new ways into the iPhone 5C used by Farook since the justice department took Apple to court. In 2014, Apple updated its iPhone software such that it could no longer download data from locked devices without the user’s passcode, which Apple does not know.

The White House, which has stood by the justice department in its feud with Apple, did not immediately comment on the reversal. The forensic standstill caused many to question the FBI’s technical chops.

A law enforcement official who would not agree to be quoted by name said that the FBI was approached by an “outside party” unaffiliated with the government who offered a prospective path into the phone that would not require Apple’s assistance. The official refused to identify the party, and said that many people outside government had approached the FBI seeking to lend technical expertise.

The government said it would like to test the method and then file a report with the court.

Susan Landau, a cybersecurity expert who in a recent congressional hearing lambasted the FBI for its poor understanding of digital forensics, said she “certainly” felt that the unexpected development demonstrated her point. Landau also said she was not the “outside party” who provided the potential breakthrough.
“The FBI has been viewing security as an impedance rather than a necessity. That the bureau may not need Apple’s help to access the phone points up what’s been true in this case all along: the FBI needs to strengthen its own technological capabilities,” said Landau, a professor at Worcester Polytechnic Institute in Massachusetts. 

The law enforcement official did not answer the Guardian’s question about what the apparently unsolicited outside guidance indicates about the FBI’s competence in digital investigations. James Comey, the FBI director who has made law enforcement access to encrypted communications a national issue, told Congress that sometimes the FBI does not have technical expertise to match its pop culture portrayal as high-tech wizards.

Although the justice department had told the court that Apple had the “exclusive technical means” to provide the FBI with access to the locked phone, a second law enforcement official, who also would not be named, insisted the sudden breakthrough did not contradict the government’s earlier assurances.

“The arguments in our pleading were that we needed Apple’s assistance as a last resort, as the FBI’s efforts to date had not been successful”, the official said. The official would not say if the “outside party” was solicited by the government or offered an unsolicited technical suggestion.

But attorney Alex Abdo of the American Civil Liberties Union, which filed a brief supporting Apple, lambasted the government’s reversal.

“This suggests that the FBI either doesn’t understand the technology well enough or wasn’t telling us the full truth earlier when it said that only Apple could break into the phone. Either possibility is disconcerting.”

On the one hand, the delay short-circuits a massive privacy battle between America’s most valuable company and its government that had been building for two years. National media were already descending Monday on southern California for the hearing in the federal courthouse in Riverside.

On the other, the government’s reversal seems to only postpone the inevitable. Both US officials and technology executives have said that if the San Bernardino case had not brought the two sides into court, another one surely would.

Melanie Newman, a justice department spokeswoman, said the department was “cautiously optimistic” that the proposed new investigative tactic would work, but testing was required.

“If this solution works, it will allow us to search the phone and continue our investigation into the terrorist attack that killed 14 people and wounded 22 people,” Newman said in a statement.

Yet the FBI is, for now, spared a showdown with Apple that saw an unprecedented near-unanimity of leading tech firms, more than a dozen of which rallied to Apple’s defense in court. Even the US defense secretary, Ashton Carter, undercut the FBI in public by singing the praises of encryption in a recent speech, suggesting a lack of government unity behind the FBI push.
Ein News: http://bit.ly/1RHkBQZ

« Clinton Emails Suggest Google's Assistance In Undermining Assad
Poland Strengthens Cybersecurity Against Russian Threat »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

JumpCloud

JumpCloud

JumpCloud's Directory-as-a-Service (DaaS) is the single point of authority to authenticate, authorize, and manage the identities of a business’s employees and the systems and IT resources they need.

Panzura

Panzura

Panzura optimizes enterprise data storage management and distribution in the cloud, making cloud storage simple and secure.

Exein

Exein

Exein are on a mission to build the world’s first ecosystem for firmware security so that all different types of firmware are secure around the world.

AppGuard

AppGuard

AppGuard prevents breaches by blocking applications from performing inappropriate processes using our patented dynamic isolation and inheritance technologies.

Data Privacy Office (DPO)

Data Privacy Office (DPO)

Data Privacy Office is a company that specializes in privacy and personal data protection, following the highest standards in its sector.

LibraSoft

LibraSoft

Librasoft creates solutions to protect information from external and internal threats.

Accolite Digital

Accolite Digital

Accolite is an innovative, design thinking software company that guarantees seamless digital experiences with maximum results.

ImpactQA

ImpactQA

ImpactQA is a global leading software testing & QA consulting company. Ten years of excellence. Delivering unmatched services & digital transformation to SMEs & Fortune 500 companies.

CyberNews

CyberNews

Cybernews.com is a research-based online publication that helps people navigate a safe path through their increasingly complex digital lives.

Cyber Security for Europe (CyberSec4Europe)

Cyber Security for Europe (CyberSec4Europe)

CyberSec4Europe is designing, testing and demonstrating potential governance structures for a European Cybersecurity Competence Network.

iManage

iManage

iManage's intelligent, cloud-enabled, secure knowledge work platform enables organizations to uncover and activate the knowledge that exists inside their business.

MajorKey Technologies

MajorKey Technologies

MajorKey improves security performance by reducing user friction and business risk, empowering your people, and protecting your IP.

Cognna

Cognna

Cognna's innovative platform is designed to empower you and your team, providing the tools you need to detect, prevent, and resolve threats with ease.

Spirit Technology Solutions

Spirit Technology Solutions

Spirit Technology Solutions is a modern workplace services provider committed to delivering solutions that embody our core principles of security, sustainability, and scalability.

Miggo Security

Miggo Security

Miggo is the first Application Detection and Response (ADR) platform on a mission to stop application breaches.

Blackwell Security

Blackwell Security

Blackwell is a driving force in healthcare cybersecurity, transforming how security operations are conducted within this critical sector.