• FBI could be required to disclose any security flaws it uses
• Apple fixing gap may mean U.S. could unlock just one phone

The FBI has come up with a strategy to get out of its messy court case with Apple over accessing a dead terrorist’s iPhone: bring in the hackers. Yet any new method the bureau uses to hack into iPhones may be short-lived -- it may be obligated to give Apple the details so the company can fix the security gap.


At the Federal Bureau of Investigation’s request, a magistrate judge canceled a court hearing scheduled for Tuesday to determine whether Apple should be compelled to help the U.S. gain access to a locked iPhone used by an attacker who killed 14 people last year in San Bernardino, California. The bureau said it was approached on Sunday by an unidentified third party with a possible way to get into the phone without Apple’s help.

The FBI’s new tactic may be subject to a relatively new and little-known rule that would require the government to tell Apple about any vulnerability potentially affecting millions of iPhones unless it can show a group of administration officials that there’s a substantial national security need to keep the flaw secret. This process, known as an equities review, was created by the Obama administration to determine if new security flaws should be kept secret or disclosed, and gives the government a specific time frame for alerting companies to the flaws.

“I do think it should be subjected to an equities review,” said Chris Inglis, former National Security Agency deputy director. “The government cannot choose sides in the tension between individual and collective security so the equities process should be run to put both on a level playing field.”

Such a disclosure would pose a conundrum for the U.S.: By finding a way to crack the iPhone at the center of this one legal battle without Apple’s help, the FBI may give the company the opportunity to close that security gap as well, making law enforcement’s job that much harder.

The FBI declined to comment on whether the review process will be used in the Apple dispute. Apple lawyers on Monday said that if the case proceeds, the company would want the government to share the nature of the vulnerability it found in the iPhone.

Shrouded in Secrecy

The review process has been largely shrouded in secrecy. White House cybersecurity coordinator Michael Daniel explained some of it in an April 2014 blog post. It includes reviews by multiple agencies and takes into consideration whether a vulnerability, if left unpatched, would create significant risk, Daniel said.

If the new method isn’t subject to review, then the government might be in possession of what amounts to a secret tool to hack into iPhones. Apple’s objections to helping the FBI -- mainly that doing so would put the private data of hundreds of millions of its customers at risk -- would be moot, and iPhones would be no safer than if the company had helped the FBI in the first place.

“The equities process is supposed to apply to anytime the government discovers, learns of, buys or uses vulnerabilities of any kind,” said Nate Cardozo, staff attorney at the Electronic Frontier Foundation. “If it’s anything where they’re attacking the phone in software, it would be subject to the equities review.”

Still, some say the government’s need to safeguard national security may outweigh any risk to iPhone users’ data. If the bug isn’t widely known, if it’s not easy to exploit, or if there isn’t much of a potential impact, those factors could weigh in the government’s favor for keeping the flaw secret, said Leo Taddeo, former special agent in charge of the New York FBI special operations and cyber division.

“I don’t think the government is obligated to tell Apple,” said Taddeo, who is now the chief security officer for cybersecurity company Cryptzone. “The government is obligated to do what’s in the public interest.”

Disclosing Flaws

According to one person familiar with the White House’s equities review process, the government discloses far more vulnerabilities than it decides to keep secret, in one year keeping only about two for offensive purposes out of about 100 the White House reviewed. The person requested anonymity because the process is classified. The vulnerabilities the government kept had clear counter-terrorism purposes and were only held for a short time, the person said. Not all vulnerabilities are examined by the White House, as lower branches of government can decide which to disclose on their own, the person said.

But the White House carved out an exception for the FBI and other agencies to keep information about software vulnerabilities from manufacturers and the public on national security grounds. The equities process also wouldn’t apply to certain hacks that involve manipulating or damaging the hardware, which some experts have proposed as possible solutions.

The FBI-Apple case highlights the barriers government agencies have in sharing computer exploits, said Gunter Ollmann, chief security officer at Vectra Networks Inc., a San Jose, California-based cybersecurity company. There’s a pecking order that can dictate which agencies are informed of which exploits, and the FBI isn’t always the first call that hackers make, he said.

Greater Risk

In the end, it doesn’t matter whether the FBI has what security experts would consider a true zero-day software exploit -- one that hasn’t previously been discovered and fixed -- or instead is evaluating a hardware hack that takes advantage of a weakness in the way Apple’s memory chips and other components are designed and integrated. The result is the same: Apple users are exposed to more privacy and security risks now than when the FBI took the iPhone maker to court, said J.J. Thompson, founder of Rook Security, an Indianapolis-based cybersecurity firm.

“This is the worst possible thing that could have happened, when it comes to collaboration between technology companies and law enforcement,” Thompson said.

The next step in the case may well be Apple suing the U.S. Justice Department to require it to reveal details of the vulnerability, said Jeff Schilling, chief security officer for Armor Defense Inc., a cloud-security company based in Richardson, Texas. The public disclosure of the exploit will rapidly accelerate the process for using and fixing it, which in almost every other case plays out in private, said Schilling, a former director of the U.S. Army’s global security operations center under the U.S. Army Cyber Command.

Even if it were to win that battle, Cardozo said the company -- and the rest of us -- may never know who actually provided the FBI with help. The FBI has no legal requirement to disclose the information and may prefer to keep it a secret.

“Chances are pretty good we’re never going to know,” he said.
