Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Couldn't Tell Apple What Hack It Used, Even If It Wanted To (qz.com)

Posted by msmash on from the apple-vs-government dept.

An anonymous reader writes: The US Federal Bureau of Investigation doesn't own the technique used to unlock the San Bernardino iPhone, so it can't reveal the method to Apple even if it wanted to, Reuters reported, citing unnamed White House sources. The Washington Post reported yesterday, citing unnamed sources, that the FBI had paid a hacker a one-time fee to use a piece of hardware that allowed it to access the iPhone 5c belonging to one of the San Bernardino, California assailants. The vendor that supplied the hack is a non-US company, according to Reuters. But according to the Post report, it is not the Israeli firm Cellebrite, which had previously been named. The FBI would require the vendor's cooperation in order to submit the technique it used to Vulnerabilities Equities Process, a mechanism that allows the government to consider whether it should disclose security flaws to manufacturers. It's a move that mirrors Apple's own efforts to create security systems on its phones that even it wouldn't be able to crack, meaning it can't comply with a government order to hand over user data even if it wanted to.

18 of 99 comments (clear)

  1. I may not always quote sources... by JBMcB · · Score: 4, Funny

    ... but when I do, I prefer them to be unnamed.

    --
    My Other Computer Is A Data General Nova III.
    1. Re:I may not always quote sources... by 0a100b · · Score: 2

      According to both unnamed sources an unnamed entity used an unnamed technique for the hack.

      Find out more next episode.

  2. Which lie did the FBI tell? by Anonymous Coward · · Score: 5, Insightful

    At least one of these things has to be false:

    1) The FBI paid a hacker to unlock the phone and doesn't have access to the technique
    2) The FBI is able to help local law enforcement unlock iPhones

    Which of these is false? Assuming the FBI isn't going to foot the bill to pay a hacker each time local law enforcement wants an iPhone unlocked, these things are mutually exclusive. Which lie did the FBI tell?

    And because the FBI lied, why should I have confidence in law enforcement at all? I understand that they may not want to disclose the details of an ongoing investigation, but that doesn't justify lying about things that don't have to be kept secret to preserve the integrity of the investigation.

    1. Re:Which lie did the FBI tell? by ooloorie · · Score: 2

      Which of these is false?

      They are probably both true: the FBI knows how to unlock some phones themselves, and for others, they need outside help.

      And because the FBI lied, why should I have confidence in law enforcement at all?

      It should be obvious to anybody that civilization requires jackbooted thugs carrying guns and protected by (un)qualified immunity reading your E-mail. For the children. And so that you don't cheat on your taxes. Seriously, do you want to live in SOMALIA?

    2. Re:Which lie did the FBI tell? by macs4all · · Score: 2

      Sovereign Immunity is not a blank check. The FBI (or any other agency) cannot have the legal authority to trump the legal process by contract. That would allow them to trump discovery in any court case by constructing contracts that prevent disclosure.

      "Your Honor, your order to produce the basis for the evidence against the plantiff is trumped by our contract with party X to not disclose that." Nope.

      It would work if they actually don't have that information, not if they 'promised' not to disclose it.

      You either work for the government and/or have never sued the government.

      You say that that Sovereign Immunity doesn't trump Discovery? Well, technically that is true; but as soon as you file a Discovery Request, the Gummint WILL immediately file two Motions (well, they will probably have already filed a Motion To Dismiss based on that Sovereign Immunity), but they will DEFINITELY file for a "Stay" of your Discovery Request "Until the Motion To Dismiss is Adjudicated." They will trot out two metric tons of case law in support of their position that Immunity ALSO means "Immunity from the 'burden' of Discovery."

      To absolutely NO ONE'S surprise, the Court will Grant this Motion. And it will do ABSOLUTELY no good to argue that you need that Discovery to "Pierce" their Immunity in the first place.

      Then, since you can't produce evidence to overcome their Motion To Dismiss...

      So, don't tell me it can't happen; I had the unpleasant experience of falling victim to EXACTLY THAT TACTIC when I attempted to sue my State about 3 years ago.

    3. Re:Which lie did the FBI tell? by doccus · · Score: 2

      Screw people like you that turn whatever they read into unneeded arguments.....

      Actually, I'd rather not, thank you. They're probably the kind to fake their orgasms..

  3. Re:But what about when they need it next time? by Frosty+Piss · · Score: 2

    Certainly someone in government could reverse engineer the code to enable re-use?

    From the "story":

    the FBI had paid a hacker a one-time fee to use a piece of hardware that allowed it to access the iPhone 5c

    ...which actually is an interesting clue.

    --
    If you want news from today, you have to come back tomorrow.
  4. Can we trust what they found? by wcrowe · · Score: 5, Insightful

    IANAL, but it seems like they would have a chain-of-evidence problem here or something like that. Let's imagine, instead of a phone, that the FBI wanted to unlock a safe. So they hire a safe cracker, and he says, "I'm going to unlock the safe, but you can't watch me do it." The safe cracker goes into the room, shuts the door. After a few minutes the safe cracker walks out and says, "It's all yours," wherein the FBI finds an open safe. But now we don't know what happened. Did the safe cracker take anything from the safe? Did he put anything in the safe? The FBI doesn't know for sure.

    It seems like there could be a similar problem with the phone. If you don't know how it's done, then how do you know if what you see is what was really in the phone? Did the hacker put something in the phone? Did he take anything out? If there is evidence in the phone that says, for example, that Bob Loblaw was part of the conspiracy, can you trust that information?

    Basically, it sounds like the FBI hired someone to make it rain. That person lit a fire, and did a little dance, and it rained. And now the FBI is saying, "Hey, we don't know what the guy did. We're just happy that it's raining."

    --
    Proverbs 21:19
    1. Re:Can we trust what they found? by Altus · · Score: 3, Insightful

      sure it might not be admissible but that wont stop them from creating warrantless wiretaps using the info found in the phone and then they can use evidence gathered there in court.

      It should matter, but in this day and age,it really doesn't.

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    2. Re:Can we trust what they found? by MachineShedFred · · Score: 2

      As for the FBI case, they probably don't care about chain of custody, as the person using the phone is already dead. Nothing from that phone is going to see a court, so they don't have to keep meticulous chain-of-custody for it.

      As for other law enforcement agencies using this "service" that is probably a legitimate question.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    3. Re:Can we trust what they found? by wcrowe · · Score: 2

      Yes, but even if they have a warrant, they still need to maintain proper chain of evidence. That's really the issue I'm talking about. If the FBI can't see what the hacker did to the phone, how do they know, without a shadow of a doubt, that what they found in the phone was actually there and not planted by the hacker?

      --
      Proverbs 21:19
  5. The problem with non-disclosure legally by UnknowingFool · · Score: 2

    The problem with not being able to disclose the technique is that legally the evidence cannot be used in court then. Since terrorists are dead, it is not much of a legal ramification to them; however, against anyone else, a prosecution team must provide the technique/technician to a defense team for cross examination. That was one of the objections that Apple had in their brief: If the FBI forced them to assist them, Apple would have to constantly provide their personnel for court cases to testify. In the case of a forensics company that does DNA testing, that is part of the service that they should provide. An unknown "hacker" may not agree to be part of future investigations.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. No Reports About what they FOUND on the phone by dav1dc · · Score: 2

    Maybe the contents of the phone contained NO helpful information pertaining to the investigation - and perhaps the FBI doesn't want to admit that they jumped created this huge FUSS and it provided no distinctive investigative advantage over not having access to the data on the phone.

  7. Re:But what about when they need it next time? by Archangel+Michael · · Score: 2

    They desoldered the chip, cloned it, and cracked it, using brute force. From how fast it took to actually crack it, it probably wasn't that difficult once the chip was cloned. And this would hardly be a "hack" of the phone. It would require specific skills and direct access to the phone.

    Physical access to the hardware has always been a security concern from the origins of computing.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  8. Re:how to stop the FBI from accessing your phone by Anonymous Coward · · Score: 2, Insightful

    Most Federal laws are not Mens Rea anymore; they are mostly Strict Liability. Add to this the fact that the Federal Government doesn't even know how many laws there are, and you get a situation where your ignorance of the law is a given and no excuse, and you don't even have to know what you were doing was wrong. Looks pretty bad for you doesn't it? But add to this situation the fact that the prosecutor/DA has total immunity for his actions and can get a grand jury to indict a ham sandwitch, and you've very likely broken three laws today without knowing it.

    So what have we learned? You can't "stop breaking the law" and be safe. Your safety is purely due to the fact that no one in power in the Criminal Justice system has decided they want to prosecute you. As soon as they do, they'll go and look through all the records they've gathered about you, break into your phone, and find the laws you've broken and arrest you. You know they have a greater than 98% conviction rate, so you'll likely plea to something so you don't go to prison for the rest of your life.

    Welcome to Soviet Amerika!

  9. Re:Nice by Impy+the+Impiuos+Imp · · Score: 3, Interesting

    One wonders if they set up a little fake company so they could use some technique buried deep inside the NSA, so they could hide it from court examination. There is no plausible parallel construction lie.

    As the guy is dead, there is no trial, and thus no defense lawyers to force the issue.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  10. DMCA allows it by raymorris · · Score: 4, Informative

    I posted relevant portions of the law last week, if you care to read the details. There are two sections that are mainly relevant.

    First, DMCA explicitly says that circumvention by or FOR the government is legal. So you can hack it if the government asks you to.

    Secondly, and this is important to my job developing security testing tools, DMCA says twice that it is legal to create tools to research on the security of the measures as long as those tools aren't used, or intended to be used, for copyright infringement as specified in DMCA.

    So it's a lot like gun laws in areas that have Constitutional gun laws - using a gun to commit a felony is an additional crime, but just having a gun is legal. Similarly, building a circumvention tool FOR THE PURPOSE of copyright violation is unlawful, but building it for research, security, and investigation purposes is fine.

  11. Re:That can't be true by Registered+Coward+v2 · · Score: 2

    That can't be true. If they found data that led them to a conspirator, they would want to arrest that person. They would need to have evidence to present in that person's trial that they participated in this terrorist event. I can't imagine that their plan is that if the defendant's attorney asks them how they got this data, they'll just say "some un-named third party pulled this data out of their own hardware and assured us their hardware had copied it from this mobile phone."

    Your honor, the phone data merely indicated possible suspects. We conducted an investigation, based on that and other information in addition to ongoing investigations, determined the defendant was conspiring to commit terrorist acts.

    The phone data would merely be one piece of evidence used and probably only point to possible additional suspects. In essence, it's no differenttahn a tip that comes in anonymously.

    --
    I'm a consultant - I convert gibberish into cash-flow.