The FBI’s second thoughts — and a second chance for privacy
I’m a born skeptic, even about my own opinions. So not long after I defended Apple Inc.’s refusal to help the FBI decrypt hidden files on a terrorist’s cellphone, I began having doubts.
But I kept my qualms to myself, and a good thing, too. After insisting for weeks that Apple must write software to help break into the phone, the FBI on Monday said there may be another way. On the verge of a federal court hearing on the matter, the FBI asked for a two-week delay to try an alternative approach suggested by an unnamed “outside party.”
It was startling news for me, but not for Jonathan Zdziarski, author of several books on iPhone software hacking and developer of iPhone forensics tools used by police agencies worldwide. Zdziarski has long believed that the FBI could access the iPhone 5s of San Bernadino shooter Syed Rizwan Farook without Apple’s aid.
“The tech community has provided numerous feasible approaches,” Zdziarski told me. “So either they weren’t talking to anyone, or were talking to different experts who missed all of this until recently.”
Or maybe the FBI knew there were other options, but saw this horrific case as the perfect opportunity to set a legal precedent, one that could force Apple and other companies to crack open their digital products on demand.
Zdziarski, who often works with police, gives the bureau the benefit of the doubt, but again, I’m a skeptic.
Rick Mislan, a professor of computing security at Rochester Institute of Technology, thinks Apple should comply with the FBI’s request. But he also believes the FBI has ulterior motives in going after Apple.
“I think this was a case they figured they could hang their hat on for a bunch of other cases,” Mislan said.
The FBI is not revealing its new strategy, which may range from relatively simple hacking to pure rocket science. For instance, Zdziarski said Farook’s phone software was last updated in October. Since then, a number of security flaws have been discovered, and one of these might offer a way in.
The agency could go all “Mission: Impossible” and use an ion beam to cut open the iPhone’s processor and read its encryption key right off the chip. It’s been done before, but it’s slow, risky, and hugely expensive.
The best bet, Zdziarski said, would be to remove the iPhone’s flash memory chip, copy its contents, then put it back. Now the FBI could try every possible password on the phone until one works.
The iPhone wipes the chip after 10 unsuccessful attempts, but who cares? You’ve copied the data, remember? Put it back on the chip and try again. Eventually, you should be able to crack the code.
“It’s very feasible for a trained hardware professional,” said Zdziarski, who figures the FBI either overlooked the option or lacked the skills to pull it off. Mislan agreed that this method would probably work and can’t understand why the FBI hasn’t done it.
Whichever method is used to crack them, it will have to be proven trustworthy. Computer forensics tools are tested by the National Institute of Standards and Technology (NIST), to make sure the evidence they generate is admissible in a court of law.
But this undercuts the FBI’s claim that Apple’s cracking software could be used once, and then destroyed. In order to use the phone’s data as evidence against other suspected terrorists, the FBI must prove in court that Apple’s software works as advertised. That means making it available for independent testing. “That tool would have to end up in somebody else’s hands,” said Zdziarski, whose own phone hacking software is NIST-certified.
Besides, if the FBI defeats Apple in court, dozens of federal, state, and local police agencies with iPhones that need unlocking will also demand the software. In Manhattan alone, District Attorney Cyrus Vance Jr. has 175 iPhones waiting to be cracked.
When the code is that widely distributed, crooks are bound to get hold of it. When Zdziarski wrote forensic hacking software for older iPhones, “I tried to restrict it to law enforcement,” he said. But soon the software was being used by other forensics consultants, and it eventually leaked into the criminal underground. “It was kind of like the Wild West,” he said.
If the FBI’s new method works, Apple is off the hook, at least for a while. But it’s a temporary reprieve. The atrocity in Brussels reminds us the world is a deadly place, and vicious criminals will surely use encryption to cover their tracks.
Shall we sacrifice our privacy and liberty to protect ourselves? I’m a skeptic.