Security Experts:

FBI Can Keep Details of iPhone Hack Secret: Judge

A federal judge ruled last week that the U.S. Federal Bureau of Investigation (FBI) is not obligated to disclose the details of a hacking tool used to access data stored on an iPhone belonging to the man behind the 2015 mass shooting in San Bernardino, California.

USA Today, The Associated Press and Vice Media filed Freedom of Information Act (FOIA) requests in an effort to find out who helped the law enforcement agency hack the iPhone and how much it cost. The FBI refused to provide the information and a judge has agreed with the agency.

The FBI has managed to convince United States District Court Judge Tanya Chutkan that it should not be forced to disclose the information due to national security concerns.

The agency argued that releasing the vendor’s identity could allow adversaries to study that company’s publicly available products in an effort to find weaknesses and create better encryption technology that would prevent future attempts to use the iPhone hacking tool.

The FBI is also concerned that releasing the vendor’s name would subject the company to cyberattacks.

“Since the vendor is not as well equipped to guard against these types of attacks as is the FBI, revealing the vendor’s identity ‘risks disclosure, exploitation, and circumvention of a classified intelligence source and method’,” Judge Chutkan said in her ruling.

As for the price of hacking the San Bernardino terrorist’s iPhone, statements made by James Comey, former director of the FBI, and U.S. Senator Dianne Feinstein suggest that the agency paid roughly $1 million to have the phone unlocked.

However, the FBI did not want to disclose the exact amount, arguing that “revealing the price paid for the tool would allow adversaries to determine its usefulness and assess its nature, and would reveal where the FBI concentrates its resources in national security investigations.”

“Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices,” the judge said.

Hacking the iPhone of the San Bernardino shooter

In December 2015, Syed Rizwan Farook and his wife, Tashfeen Malik, killed 14 people in a mass shooting in San Bernardino, California. The attackers were later killed in a shootout with police.

Investigators believed at the time that Farook’s work-issued iPhone 5c could contain important evidence, but they could not access the data stored on it because the device was protected by a passcode and the security mechanisms implemented by Apple prevented brute-force attacks.

The FBI tried to convince a judge to force Apple to create a backdoor to the iPhone, but the tech giant refused, arguing that it would create a dangerous precedent. In the end, the law enforcement agency managed to hack Farook’s iPhone with the help of an unidentified “outside party.”

While the FBI reportedly paid roughly $1 million for the tool, which is said to work only for an iPhone 5c running iOS 9, experts later demonstrated that it could have been done via a relatively inexpensive hardware hacking technique called NAND mirroring, which the FBI dismissed in the early stages of the investigation.

Activists asked the FBI to disclose the methods used to crack the phone, but the agency said it had not obtained technical information on how the attack worked or what vulnerabilities it exploited.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.