Slashdot Mirror


Slashdot Asks: Should FBI Reveal to Apple How to Unlock Terrorist's iPhone? (latimes.com)

After reports that the FBI managed to unlock an iPhone 5c belonging to one of the San Bernardino shooters without the help of Apple, Apple is now the one that needs the FBI's assistance. "The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices," said Justin Olsson, product counsel at security software maker AVG Technologies. However, many experts in the field believe that the government isn't legally obligated to provide the information to Apple. As mentioned in the Los Angeles Times, this creates a new ethical dilemma: Should tech companies be made aware of flaws in their products, or should law enforcement be able to deploy those bugs as crime-fighting tools?

31 of 286 comments

  1. Didn't by Anonymous Coward · · Score: 3, Insightful

    They didn't hack the phone - they're just trying to save face by saying they don't need Apple's help anymore.

    1. Re:Didn't by taustin · · Score: 3, Insightful

      And convince terrorists worldwide to use other - less secure - phones. It's not the best outcome for them, but it's better than getting handed their ass in the PR battle, like they were.

    2. Re:Didn't by VernonNemitz · · Score: 5, Insightful

      Yeah, Apple is approaching the wrong party. That company in Israel found the flaw, and the FBI paid them to use it. Apple has so far been unwilling to encourage folks to expose bugs, by paying them, so....
      Logically, especially since it is well known that Apple has plenty of cash on-hand to buy things, Apple should buy the vulnerability, instead of expecting to get it for free from the Feds. How greedy do you think ordinary folks are willing to let Apple be, in such circumstances?

    3. Re: Didn't by meerling · · Score: 2

      They can't. They didn't create it.

    4. Re:Didn't by tlhIngan · · Score: 2

      Logically, especially since it is well known that Apple has plenty of cash on-hand to buy things, Apple should buy the vulnerability, instead of expecting to get it for free from the Feds. How greedy do you think ordinary folks are willing to let Apple be, in such circumstances?

      Well, you know how much iOS vulnerabilities go for? Bug bounties that are offered by Google, Microsoft and everyone else pale. $10K? peanuts. An iOS vulnerability sells for $1M. Yes, a million dollars. Hell, Android vulnerabilities go for $30K or less.

      Shoot, they offered 3 prizes of $1M each to break iOS - only one was collected.

      I suspect Apple will probably audit their code like they did after Heartbleed and found the "goto fail" bug.

    5. Re:Didn't by marcansoft · · Score: 5, Interesting

      Of course they hacked the phone.

      There is a very easy, very reasonable trick that is guaranteed to work to get the data out of that phone with minimal risk (assuming it has a 4-digit PIN). It's not a mistake, it's not a bug, it's not something anyone has to "discover". It's simply an attack outside the threat model that Apple used when designing that particular iPhone (and, with minor differences, all currently released iPhones). I have no doubt Apple knows full well it will work and knew it would work when they designed the phone (it's blatantly obvious, and Apple's security engineers aren't idiots) - protecting against it is just not trivial (it cannot be solved by software, it requires support hardware) so, to this date, they've chosen not to. In fact, they added a minor roadblock against it on newer phones (but only a minor one that can also be bypassed - because doing better is Hard(TM) and costs money), which demonstrates they are fully aware of it. I explained how it works here (search for "replay attack"). I'm not the first one to mention this approach.

      Making iPhone secure against all physical attacks is impossible. If your PIN is bruteforceable (as is the case here), then security relies on the PIN attempt counter. An attacker with physical possession of the phone can always find a way in. Apple just has to decide how much effort (and money) they want to put into making that harder. The current bar is at approximately the "a couple experienced hardware/software hackers and a couple thousand dollars in R&D costs" level. With some more money/effort they could raise it to the "a crazy dude like Chris Tarnovsky and a medium-budget silicon hacking lab" level. It's not going to get to the "no one will practically be able to do it" level without making the iPhone into a tamper-resistant hardware security module with physical defenses (i.e. not something likely to fit in your pocket).

      It still baffles me why everyone is so concerned about how the FBI got in, when we know an easy way in already.

    6. Re:Didn't by fastest+fascist · · Score: 2

      I've got my tinfoil hat on tight, so it's baseless speculation time: How do we know Apple didn't help them? They could have just done the court dance to keep up appearances, and help the Feds out on the sly. Win-win: Apple keeps their users happy and even gains extra points for standing up to the government, and they keep up good relations with the Feds.

    7. Re: Didn't by Mattcelt · · Score: 2

      Both the EU and US have first-to-file patent systems now. They don't have to create it first - they only have to patent it first.

      This is actually an interesting legal strategy. If someone were to patent a general method for, say, sql injection or a buffer overflow, they could theoretically sue anyone who used it. I wonder how that might play out.

  2. DMCA? by BuckaBooBob · · Score: 5, Insightful

    Shouldn't Apple be chasing after them for circumventing the encryption and digital rights management system on the phone? It's what they do to people coming up with jailbreaks... why would this be different?

    --
    Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
    1. Re:DMCA? by zlives · · Score: 4, Funny

      because it's not illegal when the president does it.

    2. Re:DMCA? by Duhfus · · Score: 4, Informative

      No, DMCA has exceptions for law enforcement.

    3. Re:DMCA? by macs4all · · Score: 2

      I doubt they could succeed in this manner. Regardless of what the DMCA says, there's the principle of rex non potest peccare, translated roughly to the King can do no wrong. It's not codified in US law anywhere, but this is the legal doctrine of sovereign immunity. I don't see any exception to sovereign immunity that would allow Apple to succeed in bringing such a suit against the US government. The only way this would work is for Congress to specifically allow such a lawsuit, which seems highly unlikely.

      Fine. But what about the NON governmental agency that allegedly did the hacking? I'm not at all sure they inherit that bogus Sovereign Immunity, especially since there was never actually a Court Order, only a Proposed Order.

    4. Re:DMCA? by mark-t · · Score: 2

      Because the DMCA explicitly "does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State."

    5. Re:DMCA? by LynnwoodRooster · · Score: 2

      Well, first it was Eric Holder. But now Loretta Lynch says so... Awfully hard to prosecute when the Justice Department acts like the political enforcement arm of the Administration rather than, well, an actual Department of Justice.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  3. The "bad guys" want to know too by sgrover · · Score: 2

    If the FBI does not reveal the hack so they can hack other phones, well that means the bad guys can also continue using that hack. After all we know that there are now at least 3 organizations who can access a locked iPhone 5c without the owner's password.

    1. Re:The "bad guys" want to know too by Black+Parrot · · Score: 2

      They're probably living in a fantasy world where the Good Guys(tm) have secure encryptions, but anyone else can be cracked.

      How that's quite supposed to work, I cannot guess.

      --
      Sheesh, evil *and* a jerk. -- Jade
  4. Nope, Due Process. by MobileTatsu-NJG · · Score: 3, Informative

    ...or should law enforcement be able to deploy those bugs as crime-fighting tools?

    Um, no, law enforcement doesn't get to skirt around due-process just because it's inconvenient.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  5. We Should Just Bend Over And Take It. by zenlessyank · · Score: 4, Insightful

    O wait....we have already bent over. It is too late folks. No one cares what you think anymore. The system is established. Only blood will wash it away. Enjoy.

  6. this is not unknown by supernova87a · · Score: 5, Informative

    Well, actually, we don't need to leave it to a bunch of internet commenters to decide this issue -- there is an actual process described as "equities review" which the Executive Branch is responsible for, when a cyber vulnerability is known, but not yet disclosed to the public:

    https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities

    The considerations described here (in whether to reveal or keep secret a vulnerability) cover:

    -- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
    -- Does the vulnerability, if left unpatched, impose significant risk?
    -- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
    -- How likely is it that we would know if someone else was exploiting it?
    -- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
    -- Are there other ways we can get it?
    -- Could we utilize the vulnerability for a short period of time before we disclose it?
    -- How likely is it that someone else will discover the vulnerability?
    -- Can the vulnerability be patched or otherwise mitigated?

    In this case, I might argue that this is becoming so well known (though the technical specifics have not been revealed), that the FBI/US had better tell Apple to make sure that other users of the affected phones can be secured -- while the intelligence value of the exploit is rapidly decreasing due to its publicity.

  7. It's a 5C by bill_mcgonigle · · Score: 5, Informative

    Apple already knows it's hackable, that's why the 5S and newer have Secure Enclave.

    Still, they should make the FBI rue the day they tried to destroy Apple's market, however they can. Revealing the San Bernardino phone as a ploy is the minimum they should pursue.

    Yet, ultimately I hope Apple loses an inquiry about this break because it's better for all of us if they see the unconstitutional law enforcement agencies as adversaries.

    There, now I've disagreed with both camps.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. The ethical choice by Macdude · · Score: 3, Insightful

    The choice is between helping Apple secure the phones of millions of Americans against phone-thieves, identity-thieves, virus, mal-ware and ransom-ware writers or continuing to leave their citizens vulnerable to the above so that the government can spy on its own people.

    I know what choice I think they should make.

    --
    "Grab them by the pussy" -- President of the United States of America
  9. Re:Better idea: by meadow · · Score: 3, Interesting

    The *reality* of who the FBI actually are - the people in your community - who you don't know about - who work there - is that they are basically a secret mafia, usually very connected to your local law enforcement and oligarchy that runs your city - and they have super powers that you cannot even imagine to be able to raid and invade anyone's life at will. They are a separate class and truly a branch of the oligarchy, and in ways far more frightening than the mafia/thug class associated historically with other regimes because their powers and secrecy go way beyond - whereas with the former historical ones they tended to be more overtly violent thugs.

    The very existence of FBI - and in fact also police in the United States - is a violation of the pact between people and government, and a clear sign that this is a de facto oligarchy, and that just because it's an *oligarchy* and not some other type of fascist regime, is no less human-rights violating and dictatorial than any other.

    That said, the conduct of the NSA and other federal agencies is totally reprehensible. From the viewpoint of basic human decency, if you happen to notice a problem with your neighbor - perhaps something unusual or wrong with their house or any of their possessions - it is universally understood that you should tell them about it.

    The analogy with our federal government is that they are like the most shitty, disgusting neighbor who knows all these things are wrong with their neighbor's house and they are actually glad for it and refuse to tell the neighbor about it because they view those vulnerabilities as an advantage or asset to be potentially exploited. That is the EXACT OPPOSITE of how they should be acting and is more than justification for their complete and immediate disbandment and a major reform of our federal, state, and local governments from the ground up.

    Wake up people.

    The level of delusion, apathy, and disregard one sees in Silicon Valley is truly appalling given the seriousness of our situation in America. Our elections are a complete joke. Our entire system is becoming more and more a farce based not on the basic concept of rule of law but rather groups of thugs - usually identified as liberal - who see their jobs as entailing the constant breaking and bending of rules for one selected class or another.

  10. Re:Obviously the FBI should keep quiet. by ColdWetDog · · Score: 2

    Sure, if said government officials will hand over the phone to be disassembled. Recall that this particular hack is likely NAND mirroring. That requires removing the CPU. Not something you would tend to do in bulk.

    --
    Faster! Faster! Faster would be better!
  11. It depends on perspective by TsuruchiBrian · · Score: 2

    Does the FBI care more about fighting crime or reducing crime? There is a common tendency for people and organizations to try to increase their own importance. So maybe the FBI could help to prevent X amount of crime (in the form of hacking, fraud, etc) from ever happening by helping Apple fix some security flaws. But maybe they will get more credit for allowing this vulnerability to remain and exploiting the vulnerability to catch a few more criminals. It's harder to appreciate crime prevention than punishment of criminals after the fact.

    If someone invented a magic security system for houses that eliminated home invasions, this might actually be bad for the prestige of law enforcement. While it will probably reduce crime (one of the purposes of law enforcement), it reduces the reliance of the population on law enforcement and therefore decreases their importance. A flaw in the security system would create the opportunity for more people to be criminals and more opportunity for law enforcement to come to the rescue. If law enforcement can in addition actually exploit this weakness to catch a few more criminals then even better.

    If the damage done by leaving the hole open exceeds the damage prevented by leaving the hole open, then it is better for society to have the hole closed, but it is not necessarily better for the FBI to have the hole closed. They won't get the blame for damage caused by a security hole unknown to the public, and they won't get any credit for the damage prevented by closing it.

    It would be nice if everyone (especially public officials) did what was best for society rather than what was best for themselves, but this is a rather hard standard to hold human beings to.

    I suspect it would be better for society to have the hole closed, but I wouldn't expect the FBI to have the kind of deep dedication to the improvement of society necessary to see that. Maybe it will be easier for them to see if they somehow become the victim (e.g. a scandal resulting from the FBI director's iPhone getting hacked, etc).

    Take for example Nancy Pelosi. She was all for government surveillance. It was only when she became one of the targets of government surveillance, that she was able to be outraged.

  12. Knock off the bullshit by PopeRatzo · · Score: 2

    Stop pretending the FBI didn't already have the crack before they brought Apple to court. They were just looking for a legal precedent.

    Second, stop pretending that Apple doesn't know how to crack your phone. This entire story was nothing but theater.

    --
    You are welcome on my lawn.
  13. Re:Let's reword this by ColdWetDog · · Score: 2

    So, you think the national speed limit should be 35 mph?

    That would save lots of lives.

    Or making cigarettes and alcohol completely illegal.

    Again, life is precious, gotta save every last one of them.

    "Every sperm is sacred ... "

    --
    Faster! Faster! Faster would be better!
  14. Re:Obviously the FBI should keep quiet. by peragrin · · Score: 2

    Not true, the FBI did not ever have a warrant for the data.

    The FBI had permission.

    Example, a police officer knocks on your door. You invite him inside. The officer sees your heroin needle. The officer can arrest you, because you gave him permission to search your home.

    Or

    A police officer knocks on your door. You keep him outside, you tell the officer to come back with a warrant. The officer suspects from the conversation you have drugs, he gets a court order to search your home.

    I really wish everyone understood the difference. It matters a lot.

    The phone was owned by the county of San Bernardino. The county gave the FBI permission to access the phone.

    The only court order was the order trying to force Apple to help unlock the phone.

    Now the FBI should be showing the contents of the phone to the judge, so the judge can determine the status of the cyber pathogen. ///s

    --
    i thought once I was found, but it was only a dream.
  15. Re:Better idea: by rtb61 · · Score: 3, Insightful

    From an external view point the Federal Bureau of Investigation is the only real US police force. County mounties, the law en-FORCE-rs are all too often out of control, trigger happy, lard arse morons. Seriously, all local law enforcement should be disbanded in favour of state based policing overseen by Federal investigators to ensure more uniform policing across a state and equal access to investigatory powers and police oversight across the state. Sure the FBI fucks up on occasion and most of that is caused by ill-informed political appointees seeking to politicise the offices of the FBI, really dangerous and crazy stuff that should be exposed and prosecuted.

    --
    Chaos - everything, everywhere, everywhen
  16. No different by sjbe · · Score: 3, Insightful

    In all of your examples, it's mostly about adults willingly deciding to take those risks.

    No different here. I'm well aware I could be killed by a drunk driver tomorrow (FAR more likely than a terrorist incidentally) and yet I think it would be inappropriate of us to ban alcohol. In fact we tried that and it didn't go well...

    In this example, we're talking about potentially stopping a terrorist attack

    I'm an adult willing to take the risk of a terrorist attack in order to protect my civil rights. I value my civil rights more than I fear any terrorist or terrorist group. If that makes the FBI have to work harder to convict a criminal then so be it.

  17. a bootloader hack that unbelievable? by gl4ss · · Score: 2

    is it really that far fetched for the Israeli company to have a bootloader hack or code injection-after-boot-but-before-unlock hack?

    because that's all that was needed for hacking the pin protection system on iPhone 5C. if you have that, then you can prevent the system from wiping the encryption key after 10 attempts and can attempt the right pin code infinitely.

    and Apple 99.99999% probably already knows how they did it, so what's there to tell.

    and has usa gov been telling such things? no.

    fbi is just pissed that beyond 5c they can't do that nor contract anyone to do that so simply. they're longing for the "good old days" when they could just hook it up to an app they bought from some "security" company and have everything and not even bother with a warrant.

    --
    world was created 5 seconds before this post as it is.
  18. Re:Better idea: by dl_sledding · · Score: 2

    The problem with this idea is that local law enforcement (the county Sheriff, the highest local law enforcement official) is elected by the people that they are enforcing the law over, making them (and their subordinates) answerable to those citizens. The FBI is not answerable to the common citizen, and can (not that they do, but they can) therefore run roughshod with no immediate chance of consequence.

    This is a basic premise of the ideals formed by our forefathers and written in the Constitution: that the citizen has ultimate power over the Government, not the other way around. This premise is carried all the way down from the federal to the local level. State-based policing (as you put it, meaning Federal policing) is exactly the problem in many, many countries. For instance, the final judgement call for a concealed carry permit in many (if not all) counties in the country is the local Sheriff, who may personally know the permit requester, and has the final yea or nay in the process, making it a very informed, local decision, rather than a decision made by some bureaucrat 2,000 miles away. This is government by the people, for the people, as opposed to our federal system that has a difficult time representing everyone and typically ends up being very right or left leaning.

    I think you do not give enough credit to the local law enforcement, and calling them "lard arse morons" shows exactly how far out of touch you are. You've been watching too many movies, and until you live here and work with these ladies and gentlemen, who are as professional and courteous as any Federal official, you can happily keep your silly, uninformed, and childish opinions to yourself.