If the FBI found its own iPhone backdoor, should it show Apple?

Analysis: Using a zero-day flaw to bypass an iPhone's security is still a backdoor. With the potential to affect hundreds of millions of iPhone owners, will the FBI keep the flaw to itself?

(Image: file photo)

The FBI has called off a hearing scheduled for later Tuesday after an "outside party" said it found a way into the locked iPhone used by one of the San Bernardino shooters.

The suspension of the Apple vs. FBI case took many by surprise. After weeks of strongly-worded rhetoric from the Justice Dept. arguing that Apple had "exclusive technical means" to unlock the shooter's iPhone, that turned out to be false.

Prosecutors have yet to formally drop the case pending confirmation of the phone's unlocking.

Exactly how federal agents are planning to unlock the device is still a mystery.

The Justice Dept. and the FBI did not say how it plans to unlock the phone but were upbeat and optimistic in the court filing on Monday. Apple attorneys said on a late-evening call that the FBI has not told the company the nature of any iPhone vulnerability it might use to crack the device, adding that it was told of the fact just hours earlier.

Despite the connection to cryptography and national security, the NSA is unlikely to have thrown its hat into the ring as the court filing indicated the source of the flaw information was someone from "outside the US government."

That points to a supplier of zero-day exploits -- which are more common than you might think.

It's widely known since the Edward Snowden disclosures that the government uses zero-day flaws -- called that because software makers have no prior time to respond to them -- in order to carry out surveillance as part of investigations.

ACLU's Christopher Soghoian said in a tweet that the government "doesn't disclose security flaws to firms like Apple" if they prove useful to law enforcement.

That leaves a schism between law enforcement who want to use these flaws for surveillance and the tech companies that want to patch them to protect their users from hackers -- all while the intelligence agencies sit squarely in the middle wanting both. The NSA has said before that it discloses the vast majority of zero-day flaws, but wouldn't say if it does so after using them first.

On a press call Monday, law enforcement officials did not want to "speculate" on whether or not the FBI has found a previously undisclosed security flaw that would give agents access.

Would the FBI disclose the flaw after it used it? "Unlikely," said Soghoian, adding that the exploit and the methods used to unlock the phone will likely be classified.

US government pushed tech firms to hand over source code

If source code gets into the wrong hands, the damage would be incalculable.

Others believe, however, that an outside forensics team -- likely overseas -- could help the FBI crack the phone by using NAND memory mirroring, which essentially takes the memory chip and copies it as many times as there are passcode combinations, and brute forces the code over the hundreds of cloned devices.

In reality, there's no difference from the government compelling Apple to rewrite its software to bypass the iPhone's security features so that the FBI can brute force the passcode and using a previously-undisclosed security vulnerability to crack open the phone like a nut.

In either case, it's still a backdoor -- one that Apple (and other tech firms) would want to fix like any other vulnerability.

Apple may never know what the flaw is, and that itself sets a troubling thought: if the FBI can quietly use an exploit to crack open an iPhone, what's stopping a hacker or other malicious actor from finding the same way in? That's not a new argument, nor is it one that Apple will let go of lightly.

The government must file a status report with the court by April 5 -- where we will learn more.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All