Dark Reading is part of the Informa Tech Division of Informa PLC

3/30/2016
04:00 PM
'FBiOS' Case Heading For A New Firestorm

The surprise developments in the FBI v Apple case offer little reason to celebrate for encryption and privacy advocates.

The startling events over the last few weeks in the San Bernardino shooting case, which has come to be known as "the FBiOS case" in some circles, have left me incredibly conflicted. On the one hand, the surprise filing and discovery of a "capable third party" to unlock the iPhone used by one of the attackers in the San Bernardino shootings can be considered to be a rather ingenious tactic. It allows the FBI to back down from the controversial proceedings without derogation from its main arguments – a move that would maintain the current status quo and prevent the government from further encroaching on digital rights. This would be a de facto win for privacy advocates and for Apple (at least for now), which, at least instinctively, is a good thing.  

On the other hand, this surprise development has some rather troubling prospects for encryption and privacy supporters who have little reason to celebrate and plenty of reasons to be even more concerned about the future of this debate. The recent US District Court filing indicates that, due to the "worldwide publicity and attention on this case," the US government has been approached by "others outside the U.S. government" offering "avenues of possible research."

Proceeding under the assumption that the FBI or the US government as a whole does indeed lack the capacity to develop tools necessary to conclude its investigation without the use of external assistance (which some may call a highly suspect premise to begin with, considering the formidable capabilities of the US security and law enforcement agencies), the court filing provides troublingly little insight as to who the provider of the external assistance may be. The language lends itself to cover all possibilities: it could be an American or non-American private citizen, an American or foreign legal entity or corporation, or even a non-American governmental agency or security service.

Who is the third party?

The fact that the FBI is using the services of an undisclosed third party to help it defeat the passcode protection on the San Bernardino shooting suspect's phone and reach the encrypted data should be a troubling concept in its own right. At the very least, this issue raises a lot of questions regarding the compatibility of such assistance with the due process of law and the validity of any evidence obtained during the search. Recent publications in Israel seem to indicate that the FBI is aware of these questions, and is attempting to assuage concerns by enlisting the aid of Israeli digital forensics firm Cellebrite, a firm with a history of working with law enforcement agencies worldwide. As of this writing, neither party has issued official confirmation of Cellebrite's involvement (nor have they denied it).

As little as we know about who the FBI will be contacting for assistance, we know even less about how this assistance will be provided. A number of possibilities spring to mind. Computer forensics researcher Jonathan Zdziarski has suggested, for example, that the phone may be unlocked using a chip cloning technique: investigators would copy the full contents of the phone's flash memory chip and restore that copy as often as needed. Because the record of failed passcode attempts lives in that memory, rolling it back after each batch of guesses would let them brute-force the suspect's passcode without fear of triggering the phone's auto-erase protection and permanently wiping its information.

But another possibility is that some unknown party has approached the FBI with information regarding a previously unknown iOS weakness or exploit.

The disclosure dilemma

Issues of legal forensics and concerns about the validity of the evidence recovered through this potential avenue aside, if this is indeed the case, then law enforcement agencies will be faced with a new and equally difficult dilemma: Do they keep the knowledge about this new weakness or exploit to themselves, or do they relay the information to the manufacturer?

Failing to relay the information may afford these government agencies a continuing route to access this and other iPhones, and render the entire court proceedings moot at the expense of the privacy of every user exposed to the exploitation of this weakness. The FBI's decision to drop this case altogether seems to indicate that this is indeed the case. But relaying the information may prompt Apple to fix the weakness, which would prevent future access by the government. This dilemma is difficult enough for technology companies and private individuals to answer; one can only imagine the difficulties a governmental agency, which is subject to more stringent oversight and obligations to operate in good faith, would face in defending its position in open court.

The filing also avoids stating why the pursuit of a capable third party was not attempted before trying to force Apple to produce a weakened iOS build for the phone through a court order issued under the All Writs Act. On the other hand, we should be more than willing to give the US government credit that they were fully aware of the landmark nature of this case, and not fault them for attempting to delineate the limits of the law in their favor.

Regardless of how this case develops, the current developments in these proceedings are apparently only a tactical withdrawal and do not seem to be a strategic shift. In my mind, an eventual challenge to the All Writs Act and its applicability to technology cases is inevitable. The decision to vacate this specific request will cause a delay on a much-needed ruling on the scope of power afforded to American law enforcement agencies. I am of the opinion that the question "Can the government force me to develop software against my will?" needs to be answered sooner rather than later.

Law students are often taught the legal maxim "hard cases make bad law" in order to explain why the drafting of a new legal norm should be aimed at the most likely scenario instead of the most unusual one. Some judges take this maxim into consideration when applying a novel interpretation of an existing piece of legislation, which is not unlike what the FBI's original request in this specific case asked of the court. My overall impression of this delay is that the FBI is waiting until a very difficult case presents itself to establish a rule regarding the encryption of cellphones and other personal electronic appliances. You can infer from that what my gut tells me about the potential of the ruling that may emerge. It remains to be seen if the world will be better off for it.

Jonathan is Cymmetria's Legal & Operations officer. He is responsible for ensuring compliance with the complex regulatory demands faced by a cybersecurity company operating in a multi-national environment and coordinating any additional legal aspects of the company's ...
Comments

Psychologue Lyon (User Rank: Guru), 4/6/2016 3:13:03 PM
Apple

Apple is a closed system ... not for long apparently!

Thank you for your post!