Dark Reading is part of the Informa Tech Division of Informa PLC




'FBiOS' Case Heading For A New Firestorm

The surprise developments in the FBI v Apple case offer little reason to celebrate for encryption and privacy advocates.

The startling events over the last few weeks in the San Bernardino shooting case, which has come to be known as "the FBiOS case" in some circles, have left me incredibly conflicted. On the one hand, the surprise filing and discovery of a "capable third party" to unlock the iPhone used by one of the attackers in the San Bernardino shootings can be considered to be a rather ingenious tactic. It allows the FBI to back down from the controversial proceedings without derogation from its main arguments – a move that would maintain the current status quo and prevent the government from further encroaching on digital rights. This would be a de facto win for privacy advocates and for Apple (at least for now), which, at least instinctively, is a good thing.  

On the other hand, this surprise development has some rather troubling prospects for encryption and privacy supporters who have little reason to celebrate and plenty of reasons to be even more concerned about the future of this debate. The recent US District Court filing indicates that, due to the "worldwide publicity and attention on this case," the US government has been approached by "others outside the U.S. government" offering "avenues of possible research."

Proceeding under the assumption that the FBI or the US government as a whole does indeed lack the capacity to develop tools necessary to conclude its investigation without the use of external assistance (which some may call a highly suspect premise to begin with, considering the formidable capabilities of the US security and law enforcement agencies), the court filing provides troublingly little insight as to who the provider of the external assistance may be. The language lends itself to cover all possibilities: it could be an American or non-American private citizen, an American or foreign legal entity or corporation, or even a non-American governmental agency or security service.

Who is the third party?

The fact that the FBI is using the services of an undisclosed third party to assist its efforts in overpowering the encryption ciphers of the San Bernardino shooting suspect's phone should be a troubling concept in its own right. At the very least, this issue raises a lot of questions regarding the compatibility of such assistance with the due process of law and the validity of any evidence obtained during the search. Recent publications in Israel seem to indicate that the FBI is aware of these questions, and is attempting to assuage concerns by enlisting the aid of Israeli digital forensics firm Cellebrite – a firm with a history of working together with law enforcement agencies worldwide. As of this writing, neither party has issued official confirmation of Cellebrite's involvement (nor have they denied it).

As little as we know about who the FBI will be contacting for assistance, we know even less about how this assistance will be provided. A number of possibilities spring to mind. Computer forensics researcher Jonathan Zdziarski has suggested, for example, that the phone may be unlocked using a chip cloning technique that would allow investigators to copy all of the information from the phone's memory chip and replicate it as needed. This would allow them to safely attempt to guess the suspect's password without fear of accidentally triggering the defensive mechanisms encoded in the chip and permanently wiping its information.

But another possibility is that some unknown party has approached the FBI with information regarding a previously unknown iOS weakness or exploit.

The disclosure dilemma

Issues of legal forensics and concerns about the validity of the evidence recovered through this potential avenue aside, if this is indeed the case, then law enforcement agencies will be faced with a new and equally difficult dilemma: Do they keep the knowledge about this new weakness or exploit to themselves, or do they relay the information to the manufacturer?

Failing to relay the information may afford these government agencies a continuing route to access this and other iPhones, and moot the entire court proceedings at the expense of the privacy of all users subject to the exploitation of this weakness. The FBI's decision to drop this case altogether seems to indicate that this is indeed the case. But relaying the information may prompt Apple to fix the weakness, which would prevent future access by the government. This dilemma is difficult enough for technology companies and private individuals to answer; one can only imagine the difficulties a governmental agency, which is subject to more stringent oversight and obligations to operate in good faith, would face in defending its position in open court.

The filing also avoids stating why the pursuit of a capable third party was not attempted before trying to force Apple to open the iOS version through the use of a court order issued under the All Writs Act. On the other hand, we should be more than willing to give the US government credit that they were fully aware of the landmark nature of this case and not fault them for attempting to delineate the limits of the law in their favor.

Regardless of how this case develops, the current developments in these proceedings are apparently only a tactical withdrawal and do not seem to be a strategic shift. In my mind, an eventual challenge to the All Writs Act and its applicability to technology cases is inevitable. The decision to vacate this specific request will delay a much-needed ruling on the scope of power afforded to American law enforcement agencies. I am of the opinion that the question "Can the government force me to develop software against my will?" needs to be answered sooner rather than later.

Law students are often taught the legal maxim "hard cases make for bad law" in order to explain why the drafting of a new legal norm should be aimed at the most likely scenario instead of the most unusual one. Some judges take this maxim into consideration when applying a novel interpretation of an existing piece of legislation – not unlike the FBI's original request in this specific case. My overall impression of this delay is that the FBI is waiting until a very difficult case presents itself to establish a rule regarding the encryption of cellphones and other personal electronic appliances. You can infer from that what my gut tells me about the potential of the ruling that may emerge. It remains to be seen if the world will be better off for it.


Jonathan is Cymmetria's Legal & Operations officer. He is responsible for ensuring compliance with the complex regulatory demands faced by a cybersecurity company operating in a multi-national environment and coordinating any additional legal aspects of the company's ...
Psychologue Lyon,
User Rank: Guru
4/6/2016 | 3:13:03 PM

Apple is a closed system ... not for long apparently!

Thank you for your post!