Discovering and disclosing the FBI’s newfound iPhone hack
The abrupt cancelation of this week’s judicial showdown between Apple and the FBI has triggered a new wave of speculation and debate about what company approached the bureau with a way to get into the San Bernardino shooter’s encrypted iPhone, and whether the government should disclose the vulnerability to Apple.
Early Wednesday, reports in the Hebrew-language Yedioth Ahronoth newspaper named Israeli mobile forensics company Cellebrite as the firm that approached the FBI over the weekend, offering a way into Syed Rizwan Farook’s iPhone. On Monday, the Justice Department applied to withdraw its suit compelling Apple to circumvent the security of its own device by writing special software — and the judge canceled the hearing scheduled for the next day.
The news ignited a firestorm of speculation about how Cellebrite might seek to bypass the iPhone’s much vaunted encryption — something FBI had previously told the court would be impossible without Apple’s help. It also started a more substantive debate about the morality of the U.S. government using a previously undiscovered security flaw to break into a device — and then not telling the manufacturer about it, leaving every other user vulnerable.
Rep. Ted Lieu, D-Calif., one of only a handful of lawmakers with a background in computer science, told FedScoop the government shouldn’t be compelled to reveal the vulnerabilities any more than “the FBI should be able to compel private citizens and private sector companies to create new software and do things that don’t exist.”
“I would like the FBI to do that [tell Apple], but I don’t think we would be able to compel them to do that,” Lieu told FedScoop.
Under current U.S. policy, even if the FBI is using Cellebrite to exploit a previously undiscovered — a so-called zero day — vulnerability, Apple and the public may never know. White House Cybersecurity Coordinator Michael Daniel wrote in 2014 that the federal government normally discloses vulnerabilities it finds but reserves the right to withhold disclosure if it can be used for national security purposes.
Sen. Ron Wyden, D-Ore., told FedScoop he considers a vulnerability stockpile “particularly important,” but only for use in national security situations.
“The administration has said that knowledge about computer vulnerabilities will sometimes be temporarily kept secret under a process that is biased toward responsibly disclosing the vulnerability,” Wyden told FedScoop.
“Furthermore, it is important for the executive branch to share information about these decisions not only with members of Congress but also with specialized staff who possess appropriate legal and technical expertise so that Congress can ensure that this policy is being adhered to,” Wyden said.
Experts say that if Cellebrite found the flaw, the company, and not the FBI, could decide whether or not to reveal it to Apple — depending on the terms of the contract with the feds.
Apple has said it will press the Department of Justice on how it plans to open the phone — but don’t hold your breath. According a report in The Guardian, the FBI will keep the exploit classified.
None of the Justice Department, the FBI or Cellebrite have publicly commented, other than government officials stating they would need to test out the exploit before reporting back to the court on April 5. Neither the Justice Department nor Cellebrite were available to comment this week. FedScoop did speak with U.S. representatives from Cellebrite at the end of February about mobile forensics, but they refused to address any tactics that could potentially be used in the Apple case.
The silence of the main players since Monday’s court filings hasn’t quieted a discussion among security experts about how Cellebrite might be able to bypass the encryption on Farook’s iPhone 5c. A consensus appears to have coalesced around the idea that making enough copies of the storage chip to put on hundreds of devices would enable the feds to brute force the passcode — a process known as NAND mirroring.
Security researcher Jonathan Zdzarski posted a description of how NAND mirroring would work if the FBI decided to go that route, writing that a chip inside the iPhone “is typically desoldered, dumped into a program that can replicate it, and then copied so investigators can re-write the chip if its security features kick in.”
“This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying,” Zdzarski wrote. “Only instead of playing a game, they’re trying different pin combinations. It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”
The mirroring was brought up in a House Judiciary Committee hearing earlier this month when Rep. Darrell Issa, R-Calif., questioned FBI Director James Comey as to why the process had not been used before the bureau filed a court order against the company.
There is nothing listed in marketing materials to suggest that Cellebrite’s mobile forensics offerings do in fact use NAND mirroring to take data from phones. However the FBI does have a sole-source fixed-price contract with Cellebrite to use its UFED products, which claim to “quickly extract phonebook, pictures, videos, SMS messages, call histories, ESN/IMEI information, and deleted SMS/call histories off the SIM for rapid analysis.”
That product — which has earned the company $2.1 million in unclassified purchases from the FBI since since fiscal year 2009, according to business analytics firm Govini, and has been available to federal agencies on the NASA SEWP and NIH CIO-CS governmentwide contracts since last July — works with 95 percent of worldwide mobile operating systems, including the iPhone.
Lieu said the fervor surrounding the case could have been avoided if the FBI had reached out to the technical community before ever threatening Apple with legal action.
“I think what’s going on here shows a lack of due diligence by the FBI,” he said. “When you look at the timeline, the FBI wasn’t only interested in this specific phone; they were interested in trying to establish precedent. When it turned out that America was not behind the FBI on this issue, I think the FBI saw the writing on the wall to not go ahead with the court case and proceed to hack the phones themselves. To me, the FBI could have gone a far different route in this case and worked with the technical community and not made a federal case out of this.”
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.