Endpoint

10/2/2017
04:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FBI Won't Have to Reveal iPhone-Cracking Tool Used in Terror Case

Revealing vendor's name and pricing details a threat to national security, DC court says.

The identity of the vendor that helped the FBI unlock an encrypted iPhone belonging to one of the terror suspects in the San Bernardino shootings in December 2015 will remain under wraps. So too, will the amount of money the government paid the vendor for the technology.

A Washington, DC, federal court on Friday rejected separate requests for the information that the Associated Press, USA Today, and Vice Media LLC had filed last year under the Freedom of Information Act (FOIA). The three media companies had claimed the public had a right to know details of the FBI's transactions with the vendor after then-director James Comey publicly disclosed some non-specific details about the tool and its purchase cost.

In a 27-page ruling, United States District Judge Tanya Chutkan denied the FOIA request and agreed with the FBI that releasing the information would give adversaries a way to undermine the agency's ability to use the tool in similar investigations. The FBI has also maintained that the vendor did not have the same abilities as the FBI to protect its networks against attacks. So disclosing the company's name could lead to attacks against it and compromise the technology.

"If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool's technological design," Judge Chutkan wrote. Such information could allow adversaries to enhance their own encryption capabilities to better guard against the FBI, she said.

John Pescatore, director of emerging security threats at the SANS Institute, says the ruling makes little sense. "It seems kind of odd that the identity of the vendor selling the tool would be kept confidential because if that was known, the bad guys would somehow find ways to thwart the FBI," he notes. The identity of the vendor alone is unlikely to give adversaries any more of an advantage, he says. "Security through obscurity very rarely lends much to security."

Syed Rizwan Farook and Tashfeen Malik killed 14 people at the Inland Regional Center in San Bernardino in December 2015. During the ensuing investigation, the FBI recovered a company-issued password protected iPhone 5C running iOS 9 belonging to Farook. Since the device had a capability to auto-erase the data on its disks after 10 failed password entry attempts, the FBI sought Apple's help in unlocking the device.

When Apple refused, the FBI commenced legal action against the company seeking to compel its help in unlocking the device. The FBI also sought the assistance of other third parties in finding a way to break into Farook's device, which they said could provide vital clues to his motives and terror affiliations.

In March 2016, the FBI stayed its case against Apple and announced that it had found a vendor with a demonstrated method for unlocking the phone safely. The FBI asked that it be allowed to single-source the contract rather than go through the usual competitive bidding process. Later that same month, the agency claimed that it had managed to break into Farook's iPhone and recover the data using technology from the undisclosed third-party.

In subsequent public comments, then FBI director Comey hinted that the FBI had paid upwards of $1.2 million for the tool. He described the technology as being narrowly tailored for breaking into the iPhone 5C running iOS 9. In May this year during a Congressional hearing, one lawmaker said the FBI had paid $900,000 for the tool.

The media companies had claimed that since such details were already publicly available, the vendor's identity and transaction details should be made public.

In siding with the FBI, Judge Chutkan held that releasing the vendor's identity could cause demonstrable harm to US national security interests. She said the FBI had demonstrated a 'logically reasonable risk" that the third-party vendor would be harmed if its name was released. Similarly, disclosing pricing details is not wise, she said,

"Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices," she held.

Pescatore, however, notes that there is little that adversaries can gain from merely the pricing details of a product. Rather, since the FBI contracted with the company on a single-source basis, it becomes important to know if the agency overpaid, he says. "Keeping the pricing secret makes even less sense to me," than not identifying the vendor, he says.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
djr
0%
100%
djr,
User Rank: Apprentice
10/3/2017 | 9:12:17 AM
iphone cracking security
and don't let our National Disgrace know either !  He'll tweet it to the Russians !
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.