Attacks/Breaches
3/30/2016
04:00 PM

'FBiOS' Case Heading For A New Firestorm

The surprise developments in the FBI v Apple case offer little reason to celebrate for encryption and privacy advocates.

The startling events of the last few weeks in the San Bernardino shooting case, which has come to be known as "the FBiOS case" in some circles, have left me incredibly conflicted. On the one hand, the surprise filing announcing the discovery of a "capable third party" to unlock the iPhone used by one of the attackers is a rather ingenious tactic. It allows the FBI to back down from the controversial proceedings without derogating from its main arguments, a move that maintains the status quo and, for now, stops the government from further encroaching on digital rights. This is a de facto win for privacy advocates and for Apple (at least for the moment), which, at least instinctively, is a good thing.

On the other hand, this development has troubling implications for encryption and privacy supporters, who have little reason to celebrate and plenty of reason to be even more concerned about where this debate goes next. The recent US District Court filing states that, due to the "worldwide publicity and attention on this case," the US government has been approached by "others outside the U.S. government" offering "avenues of possible research."

Proceed under the assumption that the FBI, and the US government as a whole, really does lack the capacity to develop the tools needed to conclude its investigation without outside help (a premise some will call highly suspect to begin with, given the formidable capabilities of US security and law enforcement agencies). Even so, the filing gives troublingly little insight into who that outside helper may be. The language is broad enough to cover every possibility: an American or non-American private citizen, an American or foreign company or other legal entity, or even a non-American government agency or security service.

Who is the third party?

That the FBI is relying on an undisclosed third party to get past the passcode protections guarding the encrypted contents of the San Bernardino shooting suspect's phone should be troubling in its own right. At the very least, it raises many questions about whether such assistance is compatible with due process and whether any evidence obtained from the search will hold up. Recent reports in Israel suggest that the FBI is aware of these questions and is trying to allay them by enlisting the Israeli digital forensics firm Cellebrite, which has a history of working with law enforcement agencies worldwide. As of this writing, neither party has officially confirmed (or denied) Cellebrite's involvement.

As little as we know about whom the FBI will turn to for assistance, we know even less about how that assistance will be provided. Several possibilities come to mind. Computer forensics researcher Jonathan Zdziarski has suggested, for example, that the phone may be unlocked with a chip cloning technique: investigators copy the entire contents of the phone's flash memory chip and restore that copy as often as needed. Because the record of failed passcode attempts lives in that same memory, restoring the copy rolls the counter back, letting them guess the passcode in batches without fear of triggering the auto-erase that permanently destroys the data after too many wrong attempts.
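To make the mechanics of that approach concrete, here is a constructed Python model added for this article (it is not Apple's, Cellebrite's or Zdziarski's code, and it describes no real device's firmware). It assumes a 4-digit numeric passcode, an auto-erase after ten failures, and an attacker who can image and rewrite the flash chip at will. It shows why restoring an image defeats a try-counter kept in the same rewritable memory, and why the same trick fails when the counter is held in a separate component that the image does not cover:

```python
import hashlib
import hmac

# Constructed toy model (added example, not Apple's or Cellebrite's code).
# Assumptions: a 4-digit numeric passcode, a wipe after MAX_ATTEMPTS failures,
# and an attacker who can image and rewrite the flash chip at will.
SALT = b"constructed-example-salt"  # fixed so the run is deterministic
MAX_ATTEMPTS = 10
KDF_ITERATIONS = 100  # small so a full 4-digit sweep finishes in seconds


def derive_verifier(passcode: str) -> bytes:
    """Slow hash of the passcode; real devices derive a key roughly this way."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), SALT, KDF_ITERATIONS)


class FlashBackedDevice:
    """Attempt counter and key verifier both live in rewritable flash.

    Whoever can copy and rewrite the chip can undo failed attempts by
    restoring an earlier image, which is what the cloning approach exploits.
    """

    def __init__(self, passcode: str):
        self.flash = {"attempts": 0, "verifier": derive_verifier(passcode)}

    def is_locked(self) -> bool:
        return self.flash["verifier"] is None

    def _count_failure(self) -> None:
        self.flash["attempts"] += 1
        if self.flash["attempts"] >= MAX_ATTEMPTS:
            self.flash["verifier"] = None  # auto-erase: key material gone

    def try_passcode(self, guess: str) -> bool:
        if self.is_locked():
            return False
        if hmac.compare_digest(derive_verifier(guess), self.flash["verifier"]):
            self.flash["attempts"] = 0
            return True
        self._count_failure()
        return False

    # Chip-level access: what desoldering the flash and attaching a programmer buys.
    def dump_flash(self) -> dict:
        return dict(self.flash)

    def restore_flash(self, image: dict) -> None:
        self.flash = dict(image)


class EnclaveBackedDevice(FlashBackedDevice):
    """Same policy, but the counter sits in a separate tamper-resistant
    component that is not part of the flash image, so a restore cannot reset it."""

    def __init__(self, passcode: str):
        super().__init__(passcode)
        self.enclave = {"attempts": 0, "locked": False}

    def is_locked(self) -> bool:
        return self.enclave["locked"] or super().is_locked()

    def _count_failure(self) -> None:
        self.enclave["attempts"] += 1
        if self.enclave["attempts"] >= MAX_ATTEMPTS:
            self.enclave["locked"] = True

    def try_passcode(self, guess: str) -> bool:
        ok = super().try_passcode(guess)
        if ok:
            self.enclave["attempts"] = 0
        return ok


def brute_force_with_mirroring(device: FlashBackedDevice, digits: int = 4):
    """Sweep every numeric passcode, restoring the saved image before the
    counter can reach the wipe threshold. Returns (passcode or None, guesses)."""
    image = device.dump_flash()
    guesses = 0
    for n in range(10 ** digits):
        if guesses and guesses % (MAX_ATTEMPTS - 1) == 0:
            device.restore_flash(image)  # counter back to the imaged value
        if device.is_locked():
            return None, guesses  # the restore did nothing: counter lives elsewhere
        candidate = f"{n:0{digits}d}"
        guesses += 1
        if device.try_passcode(candidate):
            return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    print(brute_force_with_mirroring(FlashBackedDevice("2605")))    # ('2605', 2606)
    print(brute_force_with_mirroring(EnclaveBackedDevice("2605")))  # (None, 10)
```

Against the flash-backed model the sweep recovers the passcode after 2,606 guesses because the image is written back every nine attempts; against the enclave-backed model the restore changes nothing and the device locks after the tenth failure. The design lesson is that a lockout counter only protects the data if it is kept somewhere the attacker cannot roll back.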

But another possibility is that some unknown party has approached the FBI with information regarding a previously unknown iOS weakness or exploit.

The disclosure dilemma

Issues of digital forensics and concerns about the validity of evidence recovered by this route aside, if this is indeed the case, then law enforcement agencies face a new and equally difficult dilemma: do they keep the knowledge of this weakness or exploit to themselves, or do they relay it to the manufacturer?

Withholding it may give these agencies a continuing route into this and other iPhones, and moots the entire court proceeding, at the expense of the privacy of every user exposed to the same weakness. The FBI's decision to drop the case altogether seems to indicate that this is indeed the case. Relaying it, on the other hand, would prompt Apple to fix the weakness and close off future government access. This dilemma is hard enough for technology companies and private individuals; one can only imagine how a government agency, subject to far more stringent oversight and an obligation to act in good faith, would defend its position in open court.

The filing also avoids saying why a capable third party was not sought before trying to force Apple, through a court order issued under the All Writs Act, to write software to open the device. Then again, we should be willing to credit the US government with being fully aware of the landmark nature of this case, and not fault it for attempting to delineate the limits of the law in its favor.

Regardless of how this case develops, the current turn in these proceedings looks like a tactical withdrawal, not a strategic shift. In my mind, an eventual challenge to the All Writs Act and its applicability to technology cases is inevitable. Vacating this specific request only delays a much-needed ruling on the scope of power afforded to American law enforcement agencies. I am of the opinion that the question "Can the government force me to develop software against my will?" needs to be answered sooner rather than later.

Law students are often taught the legal maxim "hard cases make bad law" to explain why a new legal norm should be drafted for the most likely scenario rather than the most unusual one. Some judges also weigh this maxim before applying a novel interpretation to an existing statute, not unlike the FBI's original request here. My overall impression of this delay is that the FBI is waiting for a very difficult case to present itself before establishing a rule on the encryption of cellphones and other personal electronic devices. You can infer from that what my gut tells me about the ruling that may emerge. It remains to be seen whether the world will be better off for it.


Jonathan is Cymmetria's Legal & Operations officer. He is responsible for ensuring compliance with the complex regulatory demands faced by a cybersecurity company operating in a multi-national environment and coordinating any additional legal aspects of the company's ...
Comments
Psychologue Lyon,
User Rank: Guru
4/6/2016 | 3:13:03 PM
Apple

Apple is a closed system ... not for long apparently!

Thank you for your post!