FBI Hires Cellebrite To Crack San Bernadino iPhone

tlhIngan writes: Earlier this week, the FBI asked the court for a continuance so it could do some research into a proposed method of cracking the [iPhone belonging to one of the San Bernardino, California shooters]. It turns out the FBI has contracted Cellebrite for $15,000 to break into the phone. Cellebrite is an Israeli software provider specializing in mobile phone forensics software. If they succeed, it would mean Apple would no longer need to be involved.

apple can pull some DCMA BS and sue them

[Joe_Dragon]

apple can pull some DCMA BS and sue them. Now will they be that much of a dick?

Re:apple can pull some DCMA BS and sue them

[Lumpy]

I for one hope so. The DMCA is a piece of shit legislation, and if apple uses it it will be the only time it is used properly. to poke a stick in the eye of government goons.

Re:apple can pull some DCMA BS and sue them

[Sneftel]

Cute, but no. Sayeth the DMCA:

Law Enforcement, Intelligence, and Other Government
Activities.--This section does not prohibit any lawfully authorized
investigative, protective, information security, or intelligence
activity of an officer, agent, or employee of the United States, a
State, or a political subdivision of a State, or a person acting
pursuant to a contract with the United States, a State, or a political
subdivision of a State..

Re:apple can pull some DCMA BS and sue them

[Sneftel]

Cute, but no. Sayeth the DMCA:

Law Enforcement, Intelligence, and Other Government
Activities.--This section does not prohibit any lawfully authorized
investigative, protective, information security, or intelligence
activity of an officer, agent, or employee of the United States, a
State, or a political subdivision of a State, or a person acting
pursuant to a contract with the United States, a State, or a political
subdivision of a State..

Re: apple can pull some DCMA BS and sue them

[lgw]

Neither side requires burden of proof at the beginning.

The "conversation" goes like this:

Content owner: "this looks like ours, service please take it down" /takes it down
Uploader: "no, this is mine. YouTube , please put it back up" /restores content.

Sadly, the conversation actually goes like this:
Content owner's bot: "this looks like ours, YouTube please take it down"
YouTube bot: takes it down
YouTube bot: all revenue from your channel now goes to Content owner
YouTube bot: copyright strike against you, you can't upload a video over 15 minutes
Uploader: "no, this is mine. YouTube, please put it back up"
Uploader, a week later: "Heloooo! YouTube?! Is there anyone there?! I filled out all your forms, but nothing happened"
Uploader, a month later: "Do any actual humans work at Google? "
Uploader eventually dies of old age

Re:apple can pull some DCMA BS and sue them

[Etcetera]

The judge can't compel you to do something illegal. Neither can a police officer.

That's begging the question slightly. "Following the directions of a peace officer" in an emergency is on the rulebooks in most states. This is why a cop can flip traffic around and tell you to go the wrong way down a one-way street because there's an accident in an intersection, despite the presence of a marked "One way" sign, which is usually what wrong-way laws are keyed off.

Don't confuse "illegal" with "unsafe" or "unreasonable"... The latter standards apply more broadly.

FBI may be required to share hack with Apple

[JoeyRox]

The irony is sweet with this one:

http://www.bloomberg.com/news/...

Re:FBI may be required to share hack with Apple

Hello Apple, as required by law, we inform you that we have discovered a security leak in your product. Full disclosure follows.

In order to reproduce the problem:
1. call Cellebrite
2. pay $15,000.-
3. Handover phone to Cellebrite
4. receive USB stick with all data.

regards, the FBI

Re:FBI may be required to share hack with Apple

[cant_get_a_good_nick]

The legend is that they're copying off the NAND area. Basically, you can then brute force the phone as often as you want.

You have 9 bad attempts. Then before you try the tenth, you copy the NAND back from before, in effect you reset the counter to 0. And you keep banging away.

This won't work with newer phones with a Secure Element.

So, there's no hack to share. Apple has already designed around this particular exploit.

Re:Israel

Because to live there you can't be a fucking pussy.

Re:Only $15,278.02?

[DaHat]

Devices like this have been around for a bit and is one possibility: http://blog.mdsec.co.uk/2015/0...

Only $15,000????

[gurps_npc]

All that bullshit because the FBI wanted to save $15 thousand dollars?

Someone should be fired for such a dramatically bad decision as fighting it out in the court of public opinion, let alone federal court.

Re:Only $15,000????

[PCM2]

All that bullshit because the FBI wanted to save $15 thousand dollars?

On the other hand, $15,000 is pretty damn cheap for a global marketing campaign. When Cellebrite can't crack the iPhone, the bullshit will get cranked up to fever pitch.

Re:Only $15,000????

[cant_get_a_good_nick]

No.

the FBI wanted to save 15,000 x A_LOT_OF_PHONES. Also, if the exploit is the NAND copy exploit as thought, newer phones can't be hacked this way, 15,000 or no.

They wanted to set a precedent. There's ton of iPhones out there waiting to be cracked. Remember these are the guys that run Stingrays without telling you.

As far as the Public Opinion goes, they just guessed wrong. Here's a phone, probably with nothing useful on it. But TERRORISM!!! MUSLIMS!!!! We still have some aspects of the P.AT.R.I.O.T. A.C.T (i write it that way because the back-ronym was silly) around because we were scared then. They thought that Apple would fold, and the public would all support the hack. They guessed wrong.

Re:Only $15,000????

[bloodstar]

No, the $15K is to justify dropping the case by rending the whole situation moot and save the FBI from having a court decision against them. A court decision against them would resonate for years, so you drop the case, avoid that precedent. Then pick a different case against a company who doesn't have great lawyers. Win that case, and there you go, precedent that favors you.

Re:Israel

[Grishnakh]

No, actually they don't. You don't see commercial airliners (or military planes for that matter), ships, cars (including EVs), appliances ("durable goods"), semiconductors, mobile phones, or really almost any kind of manufacturing in Israel, except a couple of firearms makers maybe. They do do a lot with IP however; several semiconductor companies have design centers there.

It's true, Israel does have some impressive and unique technologies developed there, compared to its size and its state of security. A lot of their technology is military-oriented, for obvious reasons. They've done an impressive job of building a 1st-world nation (economically speaking) in a small place which used to be nothing special less than a century ago. But "the latest in technology"? No, sorry. They are not self-sufficient in any sense. They can't even make many of the weapons systems that defend them; they buy them from the US (e.g. fighter jets).

Re:$15,000

[Thelasko]

Wow, they should of asked for more. They would of had to pay 10 times, at least, that in any sort of legal battle.

Cellebrite will likely reap 100 times that much in new business from the publicity this generates. It's not always about making a quick buck, but about making millions of bucks over the longer term.

Re:Chain of custody?

[Lumpy]

Chain of custody does not matter in regards to TERRORISM.... and if you are against that then you hate america.

Re:Chain of custody?

[Registered+Coward+v2]

How do you maintain chain of custody of the evidence if you hand it over to a company that's not governed by our laws?

If the Israeli company recovers data that gives them leads to other suspected terrorists, does the FBI have legal authority to pursue those leads when the information was "extracted" by a foreign company and it may or may not be fabricated? The only proof that they have that the information was really on the phone is because this company said so.

There is no need for maintaining a chain of custody unless it will be used as evidence. Since anything from this phone would most likely be used to identify potential suspects or persons of interest what they get is no different than any other tip.

Re:Chain of custody?

[shawn2772]

How do you maintain chain of custody of the evidence if you hand it over to a company that's not governed by our laws?

That's not a problem, for at least two reasons.

First, chain of custody doesn't matter unless you want to use the information recovered as evidence in a trial. If you just use it to generate leads which you then use to find other suspects and evidence, then it's irrelevant if chain of custody was maintained.

Second, chain of custody is easy to maintain. Location and nationality don't affect chain of custody. What matters is that you have a documented chain and can prove that custody was maintained and access was controlled at each step. Worst case is that employees of the Israeli company may have to fly to the US and testify in court to substantiate the chain of custody, and to explain how they extracted the information. I'm sure the company would be happy to do that if the FBI paid them to (which would be an additional fee).

Re:Israel

[sixsixtysix]

because we give them billions every year?

Re:Israel

[serbanp]

You don't see commercial airliners (or military planes for that matter), ships, cars (including EVs), appliances ("durable goods"), semiconductors, mobile phones, or really almost any kind of manufacturing in Israel

That's factually not true. TowerJazz (a top-ten pure-play manufacturer) has two modern fabs in Israel and the almighty #1 (intel) has two more in that country.