No harm, no foul. The FBI got into Syed Rizwan Farook’s iPhone 5C, and Apple didn’t have to write a special version of its operating system for them.
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.
The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.
This means two things.
- Apple's phones aren't as secure as you think they are, since a shadowy group of gray-hat hackers already knew how to break into one.
- The FBI absolutely blindsided Apple by making all this public bluster about a court-ordered solution when it knew all along that there were groups specializing in exactly these security vulnerabilities.
As for the hackers, there are lots of research firms out there that specialize in finding vulnerabilities in, well, everything. Some of them work for corporate firms, some of them work for criminals, some of them work for the government, and some work for all three.
There are entire conventions for hackers, where nobody wears their hat color on their sleeve, very few hand out accurate business cards, and even fewer are naive enough to bring unsecured wireless devices. Here's the advice you'd get if you plan to attend Defcon in Las Vegas:
Do not, under any circumstances, use the free conference wifi. Don’t access anything on your phone that has a password that you don’t want other people to find out. And, to be extra safe, bring a burner laptop.
There’s also a conference called Black Hat. And those folks are hard core. You’ll find Russian hackers mixing with their government counterparts, dancing in a sort-of neutral holy ground (although they leave their devices behind, because, you know).
FBI Director James B. Comey has said that the solution works only on iPhone 5Cs running the iOS 9 operating system — what he calls a “narrow slice” of phones.
Apple said last week that it would not sue the government to gain access to the solution.
If the flaw affects only the iPhone 5C running that specific version of iOS 9, Apple has likely already fixed it, or at least made it harder to exploit. In fact, there are new exploits, vulnerabilities and fixes in the world of personal Internet devices every day, and because our phones are rarely out of our hands, iPhones are first in line for updates.
The FBI should never have resorted to its Hail Mary play to force Apple to code around its own security. Tim Cook was justified in his anger with the government–even if his company stood on shaky legal ground. Nobody knows better than the FBI that the war between hackers and their targets is never-ending.
When I was an Air Force IT contractor, we were told the only sure way to achieve perfect network security: Unplug it. And the Iranians learned even that doesn’t always work.
I’m willing to bet that the government knew, before they pounced on Apple, that there was a way to potentially exploit this flaw, but once they went public, they had to weigh the value of disclosing the flaw’s existence against the value of the data they needed from the terrorist’s phone. They went with the play to get Apple to voluntarily unlock its secrets, establishing a precedent they could use to bully every device manufacturer forever.
Now they’ve got what they need from the phone, but not from Apple. The InfoSec wars continue, and we should be more worried about the Internet of Things (IoT) than about our phones. When was the last time you updated the software on your home WiFi router? Or your smart TV? Or your Blu-ray player? Or your refrigerator? Or your car (DARPA showed it can hack GM OnStar telematics and take over a Chevy Impala using a laptop)?
The government wanted a skeleton key in the form of a legal precedent, and they didn’t get it. Good for everyone.