Endpoint

10/2/2017
04:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FBI Won't Have to Reveal iPhone-Cracking Tool Used in Terror Case

Revealing vendor's name and pricing details a threat to national security, DC court says.

The identity of the vendor that helped the FBI unlock an encrypted iPhone belonging to one of the terror suspects in the San Bernardino shootings in December 2015 will remain under wraps. So too, will the amount of money the government paid the vendor for the technology.

A Washington, DC, federal court on Friday rejected separate requests for the information that the Associated Press, USA Today, and Vice Media LLC had filed last year under the Freedom of Information Act (FOIA). The three media companies had claimed the public had a right to know details of the FBI's transactions with the vendor after then-director James Comey publicly disclosed some non-specific details about the tool and its purchase cost.

In a 27-page ruling, United States District Judge Tanya Chutkan denied the FOIA request and agreed with the FBI that releasing the information would give adversaries a way to undermine the agency's ability to use the tool in similar investigations. The FBI has also maintained that the vendor did not have the same abilities as the FBI to protect its networks against attacks. So disclosing the company's name could lead to attacks against it and compromise the technology.

"If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool's technological design," Judge Chutkan wrote. Such information could allow adversaries to enhance their own encryption capabilities to better guard against the FBI, she said.

John Pescatore, director of emerging security threats at the SANS Institute, says the ruling makes little sense. "It seems kind of odd that the identity of the vendor selling the tool would be kept confidential because if that was known, the bad guys would somehow find ways to thwart the FBI," he notes. The identity of the vendor alone is unlikely to give adversaries any more of an advantage, he says. "Security through obscurity very rarely lends much to security."

Syed Rizwan Farook and Tashfeen Malik killed 14 people at the Inland Regional Center in San Bernardino in December 2015. During the ensuing investigation, the FBI recovered a company-issued password protected iPhone 5C running iOS 9 belonging to Farook. Since the device had a capability to auto-erase the data on its disks after 10 failed password entry attempts, the FBI sought Apple's help in unlocking the device.

When Apple refused, the FBI commenced legal action against the company seeking to compel its help in unlocking the device. The FBI also sought the assistance of other third parties in finding a way to break into Farook's device, which they said could provide vital clues to his motives and terror affiliations.

In March 2016, the FBI stayed its case against Apple and announced that it had found a vendor with a demonstrated method for unlocking the phone safely. The FBI asked that it be allowed to single-source the contract rather than go through the usual competitive bidding process. Later that same month, the agency claimed that it had managed to break into Farook's iPhone and recover the data using technology from the undisclosed third-party.

In subsequent public comments, then FBI director Comey hinted that the FBI had paid upwards of $1.2 million for the tool. He described the technology as being narrowly tailored for breaking into the iPhone 5C running iOS 9. In May this year during a Congressional hearing, one lawmaker said the FBI had paid $900,000 for the tool.

The media companies had claimed that since such details were already publicly available, the vendor's identity and transaction details should be made public.

In siding with the FBI, Judge Chutkan held that releasing the vendor's identity could cause demonstrable harm to US national security interests. She said the FBI had demonstrated a 'logically reasonable risk" that the third-party vendor would be harmed if its name was released. Similarly, disclosing pricing details is not wise, she said,

"Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices," she held.

Pescatore, however, notes that there is little that adversaries can gain from merely the pricing details of a product. Rather, since the FBI contracted with the company on a single-source basis, it becomes important to know if the agency overpaid, he says. "Keeping the pricing secret makes even less sense to me," than not identifying the vendor, he says.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
djr
0%
100%
djr,
User Rank: Apprentice
10/3/2017 | 9:12:17 AM
iphone cracking security
and don't let our National Disgrace know either !  He'll tweet it to the Russians !
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
7 Ways to Keep DNS Safe
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Locked device, Ha! I knew there was another way in.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15137
PUBLISHED: 2018-07-16
The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed.
CVE-2017-17541
PUBLISHED: 2018-07-16
A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.4 and below versions, FortiAnalyzer 6.0.0, 5.6.4 and below versions allows inject Javascript code and HTML tags through the CN value of CA and CRL certificates via the import CA and CRL certificates feature.
CVE-2018-1046
PUBLISHED: 2018-07-16
pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution. This buffer overflow ...
CVE-2018-10840
PUBLISHED: 2018-07-16
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. An attacker could exploit this by operating on a mounted crafted ext4 image.
CVE-2018-10857
PUBLISHED: 2018-07-16
git-annex is vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN.