Endpoint

10/2/2017
04:56 PM

FBI Won't Have to Reveal iPhone-Cracking Tool Used in Terror Case

Revealing vendor's name and pricing details a threat to national security, DC court says.

The identity of the vendor that helped the FBI unlock an encrypted iPhone belonging to one of the terror suspects in the San Bernardino shootings in December 2015 will remain under wraps. So, too, will the amount of money the government paid the vendor for the technology.

A Washington, DC, federal court on Friday rejected separate requests for the information that the Associated Press, USA Today, and Vice Media LLC had filed last year under the Freedom of Information Act (FOIA). The three media companies had claimed the public had a right to know details of the FBI's transactions with the vendor after then-director James Comey publicly disclosed some non-specific details about the tool and its purchase cost.

In a 27-page ruling, United States District Judge Tanya Chutkan denied the FOIA request and agreed with the FBI that releasing the information would give adversaries a way to undermine the agency's ability to use the tool in similar investigations. The FBI has also maintained that the vendor did not have the same abilities as the FBI to protect its networks against attacks. So disclosing the company's name could lead to attacks against it and compromise the technology.

"If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool's technological design," Judge Chutkan wrote. Such information could allow adversaries to enhance their own encryption capabilities to better guard against the FBI, she said.

John Pescatore, director of emerging security threats at the SANS Institute, says the ruling makes little sense. "It seems kind of odd that the identity of the vendor selling the tool would be kept confidential because if that was known, the bad guys would somehow find ways to thwart the FBI," he notes. The identity of the vendor alone is unlikely to give adversaries any more of an advantage, he says. "Security through obscurity very rarely lends much to security."

Syed Rizwan Farook and Tashfeen Malik killed 14 people at the Inland Regional Center in San Bernardino in December 2015. During the ensuing investigation, the FBI recovered a company-issued, password-protected iPhone 5C running iOS 9 belonging to Farook. Since the device had a capability to auto-erase the data on its disks after 10 failed password entry attempts, the FBI sought Apple's help in unlocking the device.

When Apple refused, the FBI commenced legal action against the company seeking to compel its help in unlocking the device. The FBI also sought the assistance of other third parties in finding a way to break into Farook's device, which they said could provide vital clues to his motives and terror affiliations.

In March 2016, the FBI stayed its case against Apple and announced that it had found a vendor with a demonstrated method for unlocking the phone safely. The FBI asked that it be allowed to single-source the contract rather than go through the usual competitive bidding process. Later that same month, the agency claimed that it had managed to break into Farook's iPhone and recover the data using technology from the undisclosed third party.

In subsequent public comments, then-FBI director Comey hinted that the FBI had paid upwards of $1.2 million for the tool. He described the technology as being narrowly tailored for breaking into the iPhone 5C running iOS 9. In May this year during a Congressional hearing, one lawmaker said the FBI had paid $900,000 for the tool.

The media companies had claimed that since such details were already publicly available, the vendor's identity and transaction details should be made public.

In siding with the FBI, Judge Chutkan held that releasing the vendor's identity could cause demonstrable harm to US national security interests. She said the FBI had demonstrated a "logically reasonable risk" that the third-party vendor would be harmed if its name was released. Similarly, disclosing pricing details is not wise, she said.

"Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices," she held.

Pescatore, however, notes that there is little that adversaries can gain from merely the pricing details of a product. Rather, since the FBI contracted with the company on a single-source basis, it becomes important to know if the agency overpaid, he says. "Keeping the pricing secret makes even less sense to me," than not identifying the vendor, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
djr,
User Rank: Apprentice
10/3/2017 | 9:12:17 AM
iphone cracking security
and don't let our National Disgrace know either !  He'll tweet it to the Russians !