Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/2/2017
04:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

FBI Won't Have to Reveal iPhone-Cracking Tool Used in Terror Case

Revealing vendor's name and pricing details a threat to national security, DC court says.

The identity of the vendor that helped the FBI unlock an encrypted iPhone belonging to one of the terror suspects in the San Bernardino shootings in December 2015 will remain under wraps. So too, will the amount of money the government paid the vendor for the technology.

A Washington, DC, federal court on Friday rejected separate requests for the information that the Associated Press, USA Today, and Vice Media LLC had filed last year under the Freedom of Information Act (FOIA). The three media companies had claimed the public had a right to know details of the FBI's transactions with the vendor after then-director James Comey publicly disclosed some non-specific details about the tool and its purchase cost.

In a 27-page ruling, United States District Judge Tanya Chutkan denied the FOIA request and agreed with the FBI that releasing the information would give adversaries a way to undermine the agency's ability to use the tool in similar investigations. The FBI has also maintained that the vendor did not have the same abilities as the FBI to protect its networks against attacks. So disclosing the company's name could lead to attacks against it and compromise the technology.

"If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool's technological design," Judge Chutkan wrote. Such information could allow adversaries to enhance their own encryption capabilities to better guard against the FBI, she said.

John Pescatore, director of emerging security threats at the SANS Institute, says the ruling makes little sense. "It seems kind of odd that the identity of the vendor selling the tool would be kept confidential because if that was known, the bad guys would somehow find ways to thwart the FBI," he notes. The identity of the vendor alone is unlikely to give adversaries any more of an advantage, he says. "Security through obscurity very rarely lends much to security."

Syed Rizwan Farook and Tashfeen Malik killed 14 people at the Inland Regional Center in San Bernardino in December 2015. During the ensuing investigation, the FBI recovered a company-issued password protected iPhone 5C running iOS 9 belonging to Farook. Since the device had a capability to auto-erase the data on its disks after 10 failed password entry attempts, the FBI sought Apple's help in unlocking the device.

When Apple refused, the FBI commenced legal action against the company seeking to compel its help in unlocking the device. The FBI also sought the assistance of other third parties in finding a way to break into Farook's device, which they said could provide vital clues to his motives and terror affiliations.

In March 2016, the FBI stayed its case against Apple and announced that it had found a vendor with a demonstrated method for unlocking the phone safely. The FBI asked that it be allowed to single-source the contract rather than go through the usual competitive bidding process. Later that same month, the agency claimed that it had managed to break into Farook's iPhone and recover the data using technology from the undisclosed third-party.

In subsequent public comments, then FBI director Comey hinted that the FBI had paid upwards of $1.2 million for the tool. He described the technology as being narrowly tailored for breaking into the iPhone 5C running iOS 9. In May this year during a Congressional hearing, one lawmaker said the FBI had paid $900,000 for the tool.

The media companies had claimed that since such details were already publicly available, the vendor's identity and transaction details should be made public.

In siding with the FBI, Judge Chutkan held that releasing the vendor's identity could cause demonstrable harm to US national security interests. She said the FBI had demonstrated a 'logically reasonable risk" that the third-party vendor would be harmed if its name was released. Similarly, disclosing pricing details is not wise, she said,

"Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices," she held.

Pescatore, however, notes that there is little that adversaries can gain from merely the pricing details of a product. Rather, since the FBI contracted with the company on a single-source basis, it becomes important to know if the agency overpaid, he says. "Keeping the pricing secret makes even less sense to me," than not identifying the vendor, he says.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
djr
0%
100%
djr,
User Rank: Apprentice
10/3/2017 | 9:12:17 AM
iphone cracking security
and don't let our National Disgrace know either !  He'll tweet it to the Russians !
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...