Endpoint

10/2/2017
04:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FBI Won't Have to Reveal iPhone-Cracking Tool Used in Terror Case

Revealing vendor's name and pricing details a threat to national security, DC court says.

The identity of the vendor that helped the FBI unlock an encrypted iPhone belonging to one of the terror suspects in the San Bernardino shootings in December 2015 will remain under wraps. So too, will the amount of money the government paid the vendor for the technology.

A Washington, DC, federal court on Friday rejected separate requests for the information that the Associated Press, USA Today, and Vice Media LLC had filed last year under the Freedom of Information Act (FOIA). The three media companies had claimed the public had a right to know details of the FBI's transactions with the vendor after then-director James Comey publicly disclosed some non-specific details about the tool and its purchase cost.

In a 27-page ruling, United States District Judge Tanya Chutkan denied the FOIA request and agreed with the FBI that releasing the information would give adversaries a way to undermine the agency's ability to use the tool in similar investigations. The FBI has also maintained that the vendor did not have the same abilities as the FBI to protect its networks against attacks. So disclosing the company's name could lead to attacks against it and compromise the technology.

"If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool's technological design," Judge Chutkan wrote. Such information could allow adversaries to enhance their own encryption capabilities to better guard against the FBI, she said.

John Pescatore, director of emerging security threats at the SANS Institute, says the ruling makes little sense. "It seems kind of odd that the identity of the vendor selling the tool would be kept confidential because if that was known, the bad guys would somehow find ways to thwart the FBI," he notes. The identity of the vendor alone is unlikely to give adversaries any more of an advantage, he says. "Security through obscurity very rarely lends much to security."

Syed Rizwan Farook and Tashfeen Malik killed 14 people at the Inland Regional Center in San Bernardino in December 2015. During the ensuing investigation, the FBI recovered a company-issued password protected iPhone 5C running iOS 9 belonging to Farook. Since the device had a capability to auto-erase the data on its disks after 10 failed password entry attempts, the FBI sought Apple's help in unlocking the device.

When Apple refused, the FBI commenced legal action against the company seeking to compel its help in unlocking the device. The FBI also sought the assistance of other third parties in finding a way to break into Farook's device, which they said could provide vital clues to his motives and terror affiliations.

In March 2016, the FBI stayed its case against Apple and announced that it had found a vendor with a demonstrated method for unlocking the phone safely. The FBI asked that it be allowed to single-source the contract rather than go through the usual competitive bidding process. Later that same month, the agency claimed that it had managed to break into Farook's iPhone and recover the data using technology from the undisclosed third-party.

In subsequent public comments, then FBI director Comey hinted that the FBI had paid upwards of $1.2 million for the tool. He described the technology as being narrowly tailored for breaking into the iPhone 5C running iOS 9. In May this year during a Congressional hearing, one lawmaker said the FBI had paid $900,000 for the tool.

The media companies had claimed that since such details were already publicly available, the vendor's identity and transaction details should be made public.

In siding with the FBI, Judge Chutkan held that releasing the vendor's identity could cause demonstrable harm to US national security interests. She said the FBI had demonstrated a 'logically reasonable risk" that the third-party vendor would be harmed if its name was released. Similarly, disclosing pricing details is not wise, she said,

"Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices," she held.

Pescatore, however, notes that there is little that adversaries can gain from merely the pricing details of a product. Rather, since the FBI contracted with the company on a single-source basis, it becomes important to know if the agency overpaid, he says. "Keeping the pricing secret makes even less sense to me," than not identifying the vendor, he says.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
djr
0%
100%
djr,
User Rank: Apprentice
10/3/2017 | 9:12:17 AM
iphone cracking security
and don't let our National Disgrace know either !  He'll tweet it to the Russians !
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...
CVE-2018-12559
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequ...
CVE-2018-12560
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. Arbitrary unmounts can be performed by regular users via directory traversal sequences such as a home/../sys/kernel substring.
CVE-2018-12561
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. A regular user can inject additional mount options such as file_mode= by manipulating (for example) the domain parameter of the samba URL.
CVE-2018-12562
PUBLISHED: 2018-06-19
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The wrapper script 'mount.cifs.wrapper' uses the shell to forward the arguments to the actual mount.cifs binary. The shell evaluates wildcards (such as in an injected string:/home/../tmp/* string).