3/30/2016
04:00 PM
'FBiOS' Case Heading For A New Firestorm

The surprise developments in the FBI v Apple case offer little reason to celebrate for encryption and privacy advocates.

The startling events over the last few weeks in the San Bernardino shooting case, which has come to be known as "the FBiOS case" in some circles, have left me incredibly conflicted. On the one hand, the surprise filing and discovery of a "capable third party" to unlock the iPhone used by one of the attackers in the San Bernardino shootings can be considered to be a rather ingenious tactic. It allows the FBI to back down from the controversial proceedings without derogation from its main arguments – a move that would maintain the current status quo and prevent the government from further encroaching on digital rights. This would be a de facto win for privacy advocates and for Apple (at least for now), which, at least instinctively, is a good thing.  

On the other hand, this surprise development has some rather troubling prospects for encryption and privacy supporters who have little reason to celebrate and plenty of reasons to be even more concerned about the future of this debate. The recent US District Court filing indicates that, due to the "worldwide publicity and attention on this case," the US government has been approached by "others outside the U.S. government" offering "avenues of possible research."

Proceeding under the assumption that the FBI or the US government as a whole does indeed lack the capacity to develop tools necessary to conclude its investigation without the use of external assistance (which some may call a highly suspect premise to begin with, considering the formidable capabilities of the US security and law enforcement agencies), the court filing provides troublingly little insight as to who the provider of the external assistance may be. The language lends itself to cover all possibilities: it could be an American or non-American private citizen, an American or foreign legal entity or corporation, or even a non-American governmental agency or security service.

Who is the third party?

The fact that the FBI is using the services of an undisclosed third party to assist its efforts in overpowering the encryption ciphers of the San Bernardino shooting suspect's phone should be a troubling concept in its own right. At the very least, this issue raises a lot of questions regarding the compatibility of such assistance with the due process of law and the validity of any evidence obtained during the search. Recent publications in Israel seem to indicate that the FBI is aware of these questions, and is attempting to assuage concerns by enlisting the aid of Israeli digital forensics firm Cellebrite – a firm with a history of working together with law enforcement agencies worldwide. As of this writing, neither party has issued official confirmation of Cellebrite's involvement (nor have they denied it).

As little as we know about who the FBI will be contacting for assistance, we know even less about how this assistance will be provided. A number of possibilities spring to mind. Computer forensics researcher Jonathan Zdziarski has suggested, for example, that the phone may be unlocked using a chip cloning technique that would allow investigators to copy all of the information from the phone's memory chip and replicate it as needed. This would allow them to safely attempt to guess the suspect's password without fear of accidentally triggering the defensive mechanisms encoded in the chip and permanently wiping its information.

But another possibility is that some unknown party has approached the FBI with information regarding a previously unknown iOS weakness or exploit.

The disclosure dilemma

Issues of legal forensics and concerns about the validity of the evidence recovered through this potential avenue aside, if this is indeed the case, then law enforcement agencies will be faced with a new and equally difficult dilemma: Do they keep the knowledge about this new weakness or exploit to themselves, or do they relay the information to the manufacturer?

Failing to relay the information may afford these government agencies a continuing route to access this and other iPhones, and moot the entire court proceedings at the expense of the privacy of all users subject to the exploitation of this weakness. The FBI's decision to drop this case altogether seems to indicate that this is indeed the case. But relaying the information may prompt Apple to fix the weakness, which would prevent future access by the government. This dilemma is difficult enough for technology companies and private individuals to answer; one can only imagine the difficulties a governmental agency, which is subject to more stringent oversight and obligations to operate in good faith, would face in defending its position in open court.

The filing also avoids stating why the pursuit of a capable third party was not attempted before trying to force Apple to open the iOS version through the use of a court order issued under the All Writs Act. On the other hand, we should be more than willing to give the US government credit that they were fully aware of the landmark nature of this case and not fault them for attempting to delineate the limits of the law in their favor.

Regardless of how this case develops, the current developments in these proceedings are apparently only a tactical withdrawal and do not seem to be a strategic shift. In my mind, an eventual challenge to the All Writs Act and its applicability to technology cases is inevitable. The decision to vacate this specific request will cause a delay on a much-needed ruling on the scope of power afforded to American law enforcement agencies. I am of the opinion that the question "Can the government force me to develop software against my will?" needs to be answered sooner rather than later.

Law students are often taught the legal maxim "hard cases make for bad law" in order to explain why the drafting of a new legal norm should be aimed at the most likely scenario instead of the most unusual one. Some judges take this maxim into consideration when applying a novel interpretation of an existing piece of legislation – not unlike the FBI's original request in this specific case. My overall impression of this delay is that the FBI is waiting until a very difficult case presents itself to establish a rule regarding the encryption of cellphones and other personal electronic appliances. You can infer from that what my gut tells me about the potential of the ruling that may emerge. It remains to be seen if the world will be better off for it.

Jonathan is Cymmetria's Legal & Operations officer. He is responsible for ensuring compliance with the complex regulatory demands faced by a cybersecurity company operating in a multi-national environment and coordinating any additional legal aspects of the company's ...
Comments
Psychologue Lyon, User Rank: Guru
4/6/2016 | 3:13:03 PM
Apple

Apple is a closed system ... not for long apparently!

Thank you for your post!