The FBI refuses to tell Apple how the supposedly unbreakable iPhone belonging to San Bernardino jihadi Syed Farook was hacked, with the help of an undisclosed contractor who was paid $1.3 million for the work.
The New York Times sees this as “a clear rebuke to Apple,” which fought with the FBI for months over unlocking the phone. Among other objections, Apple said the government wanted to effectively commandeer its programmers to write a new version of the iPhone software that would allow the government to bypass its encryption – something the company promised its customers it would never do.
The FBI’s decision to keep its iPhone crack secret “upset some technology industry executives, who said it appeared to run counter to the Obama administration’s promises to promote security and transparency in the nation’s technology operations,” according to the New York Times.
The notion that ostensibly intelligent tech executives would actually believe a promise from Barack Obama is one of the strangest developments in this case, especially a promise that has anything to do with “transparency.”
Somehow Silicon Valley failed to notice, over the past seven years, that this is by far the most opaque administration in history, far beyond the most paranoid dreams of a Richard Nixon. In everything from thwarted Freedom of Information Act requests to slow-walked responses to court orders – from the IRS’s ridiculous stories of shredded hard drives to Secretary of State Hillary Clinton’s secret email server – the Obama Administration has made thwarting public review and congressional oversight a top priority.
On an ideological level, Obama is a deep believer in government surveillance, disinclined to accept the notion of private-sector systems the government cannot access, under any circumstances. How did the tech executives who donated so much money to Obama miss that about him? It’s not a conviction he keeps secret, and he’s far from the only person in Washington who feels that way.
As for the technology the FBI is keeping secret, it’s described as “a tool for getting into the phone, and not a blueprint exposing the actual security flaws in the device.” Fortune quotes FBI Director James Comey stating that the tool only works on the specific model of phone owned by Farook, the iPhone 5c.
For this reason, the matter was not referred to the White House panel that normally decides whether “software vulnerabilities discovered by American intelligence officials should be shared with the software designer to enhance security.”
That’s been a sore spot with the tech world for years, as software companies complain intelligence agencies keep finding security flaws and exploits they keep to themselves – enhancing their ability to penetrate popular systems, at the expense of security for law-abiding users. The dangerous Heartbleed bug is the most infamous example, reportedly known to the National Security Agency for two years before the public became aware of it.
The FBI claims it didn’t buy the rights to technical details of how the iPhone cracking tool works, so it doesn’t have the information that would be required by the White House Vulnerability Equities Panel… which suggests they didn’t drive a very hard bargain for that $1.3 million they paid.
The Times isn’t buying that excuse, explicitly accusing the Bureau of “finding a loophole in the vulnerability review process” – to wit, “hire the hacker to extract the data, but be careful to not know how he got the job done.” As security expert Alex Rice of HackerOne pointed out, this means the government is not only keeping a known security vulnerability for an enormously popular product secret, but it’s helping hackers profit from the flaw.
Furthermore, a quote from the president’s special assistant on cybersecurity, Michael Daniel, suggested one of the major criteria for determining if security flaws are shared with private companies is whether the flaw inconveniences the government or not: “Disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than anyone else.”
Gizmodo notes that the FBI told Apple about a different security flaw that only affected older versions of their operating system on April 14, after submitting it to the Vulnerability Equity Panel for review. Gizmodo guesses this was an “appeasement attempt,” a “token effort from the FBI to pretend to care about customer security.”
It didn’t work, because an Apple exec growled that “the flaw the FBI disclosed to Apple this month did nothing to change the company’s perception that the White House process is less effective than has been claimed.”
Comey also made the situation more than a dispute about the fine points of White House review protocol when he said, “We tell Apple, then they’re going to fix it, then we’re back where we started from.”
Since the Farook phone is unlocked now, he’s not talking about going back to Square One on the San Bernardino investigation. He’s either tweaking Apple and blowing off steam after the bitter battle over unlocking Farook’s iPhone, or he’s suggesting the FBI wants to unlock some more phones with its $1.3 million hacking tool before Apple renders it obsolete.
The New York Times took a look at the price paid by the FBI for its iPhone crack, and found it was in line with bounties paid to hackers for other major software vulnerabilities. These are usually transactions between software designers and white-hat hackers, who are effectively hired as last-ditch testers to find vulnerabilities missed by in-house testing teams… but since very little is known about the contractors who broke Farook’s phone for the FBI, is there a guarantee they won’t sell the tool to other parties, or perhaps to Apple itself?
Incidentally, the Times also noted that while the FBI’s legal action against Apple over Farook’s phone was dropped after they bought their hacking tool, the Justice Department is “still trying to force Apple in court to help unlock encrypted phones in Brooklyn, Boston and elsewhere.” The encryption debate is off the front pages for a while, but it’s far from settled.