Thread: FBI Hacking of iPhone Raises Questions About Method, Who Helped

FBI Hacking of iPhone Raises Questions About Method, Who Helped

• By ALYSSA NEWCOMB

Mar 29, 2016, 11:36 AM ET

Wang Lei/Xinhua/Newscom

WATCH Government Withdraws Case Against AppleFederal officials announced Monday night they successfully cracked into an iPhone belonging to one of the San Bernardino shooters and no longer needed Apple's help in unlocking the device.

In doing so, authorities succeeded in their goal of breaking into an iPhone used by Syed Farook but did not set any sort of legal precedent that could be used in a future case, making it a sort of lukewarm win for both Apple and federal authorities.

Apple Files to Vacate Court Order in San Bernardino iPhone Case

Apple Encryption Battle: What's Next After Feds Drop Case

While the legal case has been dropped, the latest twist in the encryption tug-of-war is now raising more questions than the FBI has answered.

Who Helped the FBI?

Federal officials revealed the existence of a third party that came forward last week to offer assistance in cracking the iPhone. It's unclear whether this is one hacker or a cyber security firm.

How Did They Break Into an iPhone?

The FBI declined to comment on the technical steps taken to get into the iPhone.

"During the past week, to include the weekend, extensive testing of the iPhone was done by highly skilled personnel to ensure that the contents of the phone would remain intact once technical methods were applied. The full exploitation of the phone and follow-up investigative steps are continuing," FBI Assistant Director in Charge David Bowdich said in a statement on Monday night.

Data on iPhones is encrypted and Apple has an auto-erase function making it trickier for a third party to break into a locked phone. Make 10 unsuccessful attempts to open a locked phone using the 4-digit user-created code and the iPhone and all the data it holds is rendered inaccessible. The 4-digit code you enter into your phone initiates a complex calculation that generates a unique key to unlock the data on the phone. No key, no data. The auto-erase function, if triggered, will wipe out all the encryption keys, rendering the data on the iPhone useless.

Will the Feds Share the Solution With Apple?

Apple has been staunch in its position that creating a backdoor for government officials would undermine the security of millions of users.

The company said in a statement Monday night that it believed the case "should never have been brought."

"From the beginning, we objected to the FBI's demand that Apple build a backdoor into the iPhone because we believed it was wrong and would set a dangerous precedent. As a result of the government’s dismissal, neither of these occurred," Apple said. "We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated."

What Does This Mean for Future Cases?

The legal precedent authorities were hoping to set didn't happen, essentially punting the issue down the line for future cases that may arise.

"This seemed like the perfect case and that has evaporated but now the question is, will Congress step in?" Mark Bartholomew, a law professor at the University of Buffalo who studies encryption and cyber law, told ABC News. "This is such an important story, so I could see Congress weighing in on this issue. We need a more fine-tuned answer than what we are getting from this case. Congress needs to be precise about what this technology should look like and when consumer interests would trump law enforcement."

What Was on the iPhone?

Officials said they "successfully retrieved the data stored" on the device, but it's unclear whether that data will be of any use. Authorities wanted to access Farook's iPhone to see if there was information about who he was communicating with and whether more attacks were planned.

"We promised to explore every investigative avenue in order to learn whether the San Bernardino suspects were working with others, were targeting others, or whether or not they were supported by others," Bowdich said Monday night. "While we continue to explore the contents of the iPhone and other evidence, these questions may not be fully resolved, but I am satisfied that we have access to more answers than we did before and that the investigative process is moving forward."

http://abcnews.go.com/Technology/fbi...ry?id=38001819

Word on DarkNet is the F.B.I. paid a 15 year old hacker $200 to get into the Iphone.
I'm looking for the source.
If anyone see it please let me know.

https://en.wikipedia.org/wiki/Darknet_(disambiguation)

Darknet or dark net may refer to:

• Darknet, a network that can only be accessed with specific software, configurations, or authorization
• Dark web, the part of the World Wide Web which exists only in darknets
• Network telescope, or darknet, used to monitor network traffic on unallocated IP space

Apple wants the FBI to reveal how it hacked the San Bernardino killer's iPhone


Attorneys for Apple are researching legal tactics to compel the government to turn over specifics on how it unlocked an iPhone 5c. Above, an Apple exec touts the features of the latest iPhones. (Eric Risberg / Associated Press)


Paresh Dave Contact Reporter


Apple Inc. refused to give the FBI software the agency desperately wanted. Now Apple is the one that needs the FBI's assistance.

The FBI announced Monday that it managed to unlock an iPhone 5c belonging to one of the San Bernardino shooters without the help of Apple.

And the agency has shown no interest in telling Apple how it skirted the phone's security features, leaving the tech giant guessing about a vulnerability that could compromise millions of devices.

"One way or another, Apple needs to figure out the details," said Justin Olsson, product counsel at security software maker AVG Technologies.

"The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices."

But that's not how it's playing out so far. The situation illuminates a process that usually takes place in secret: Governments regularly develop or purchase hacking techniques for law enforcement and counterterrorism efforts, and put them to use without telling affected companies.


FBI hacks iPhone: Does this make your phone less private?

What's different in this case is that the world has been watching from the start. After Syed Rizwan Farook and his wife killed 14 people in December, the government publicly sought a court order to compel Apple to unlock Farook's work phone.

Apple opposed that order, heightening long-standing tensions between Silicon Valley and law enforcement.

Now that the FBI has dropped its case against Apple, there's a new ethical dilemma: Should tech companies be made aware of flaws in their products, or should law enforcement be able to deploy those bugs as crime-fighting tools?

It's unclear whether the FBI's hacking technique will work on other versions of the iPhone, though a law enforcement official who spoke on the condition of anonymity said its applications were limited.

Some news outlets citing anonymous sources have identified Israeli police technology maker Cellebrite as the undisclosed third party helping the government, but neither the company nor the FBI has confirmed those reports.

A source who is unauthorized to discuss the case told The Times the FBI was provided with the ability to incorrectly guess more than 10 passwords without permanently rendering the phone's data inaccessible. That allowed the agency to use software to run through potential pass codes until it landed on the correct one. It is not clear what info, if any, was gleaned from the phone.


Apple's fight with the FBI

Attorneys for Apple are researching legal tactics to compel the government to turn over the specifics, but the company had no update on its progress Tuesday.

The FBI could argue that the most crucial information is part of a nondisclosure agreement, solely in the hands of the outside party that assisted the agency, or cannot be released until the investigation is complete.

Many experts agree that the government faces no obvious legal obligation to provide information to Apple. But authorities, like professional security researchers, have recognized that a world in which computers are crucial in commerce and communications shouldn't be riddled with technical security flaws.

Even the White House's cybersecurity coordinator has acknowledged there are times when more people could be harmed by an unfixed security issue than helped by the government covertly using the loophole as part of an investigation.

A secretive White House-led procedure governs whether companies get notified of potential flaws.

Officials involved in the multi-agency deliberations — called the Vulnerabilities Equities Process — consider the risks and rewards of keeping flaws secret, according to federal records. They weigh whether the government could get the information in some other way and how likely it is someone else will discover the same vulnerability.

Federal officials have maintained that they lean toward private disclosure of a newly discovered vulnerability in the majority of cases.

But in some cases, federal agents have apparently benefited from previously unknown technical slip-ups by software developers.

The National Security Agency, though it denies the claim, reportedly took advantage of a flaw in the way websites transmit sensitive data for two years before private researchers uncovered the issue in 2014. Attorneys in two other cases have accused the FBI of using bugs in the Tor Internet browser to identify suspected criminals.

Apple's anxiety is understandable. No tech company wants a major security gap in its products — and most are given months of warning to fix issues before they are made public by the researchers who discover them.

That's why Apple sees the government holding a moral obligation to disclose details of its hacking technique.

"Apple's best chance is to make a compelling case that the disclosure of this exploit is in the interest of national security, as in, if it remains undisclosed and undiscovered, it potentially puts innocent users at risk of data breach," AVG's Olsson said.

Apple stated in court filings that part of the reason its executives feared developing software to circumvent iPhone security features was that once created, it could end up in the wrong hands.

That same argument could come into play with the disclosure issue if Apple makes a public plea that the government and the outside group can't properly safeguard the technique. Last year, an Italian company that bought and sold bugs saw its entire database leaked onto the Internet. The security issue could explain why the FBI and the outside party are being so secretive about the process.


Will the FBI share its iPhone-cracking method with police? Probably not

There's also the concern that now that an iPhone can be hacked, others will try. The iPhone has been seen as "a tiny little Fort Knox that from the outside has shown very hard to get into," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The San Bernardino situation changes the dynamics, providing a reason for "cybercriminals and amateur hackers to come out of the woodwork," said Peter Tran, a general manager at RSA's advanced cyber defense group.

Although someone helped the FBI crack the iPhone, probably in exchange for money, other people who stumble upon the same hacking technique could choose to sell to cyberthieves or other governments. An extensive underground online network, concentrated in Eastern Europe, does just that everyday, Bocek said.

Apple generally doesn't reward bug-finders with cash. But given the publicity in this instance, experts said Apple could turn to the black market too.

"It proves once again that what you don't know, you can buy," said Nikias Bassen, principal mobile security researcher at Zimperium.

http://www.latimes.com/business/tech...330-story.html

£120 code cracker that can unlock an iPhone in six hours: So hands up, FBI, why did it take you FOUR MONTHS to access jihadi's phone?

By BEN ELLERY FOR THE MAIL ON SUNDAY PUBLISHED: 16:39 EST, 2 April 2016 | UPDATED: 05:51 EST, 3 April 2016

Device, called an IP Box, can be purchased openly on the internet

Mail on Sunday investigation showed it took just six hours to crack code

FBI entered battle with Apple to unlock phone of San Bernardino shooter

After two month stalemate, FBI announced it unlocked the phone last week

Tens of millions of bestselling smartphones can easily be hacked by criminals using a £120 device that cracks their four-digit passcode.

An investigation by The Mail on Sunday found the gadget, sold openly on the internet, could be used to gain access to private and confidential details stored on Apple iPhones, including photographs, emails, contact details and call histories.

Using the device – called an IP Box – this newspaper was able to break the passcode of an Apple iPhone 5C, the model that America’s Federal Bureau of Investigation had been fighting to access in order to gain information about a terrorist massacre.

The FBI entered a high-stakes legal battle with Apple over the handset belonging to Syed Farook, who died with his wife in a gun battle with police after the couple killed 14 people in December in San Bernardino, California.

Read more: £120 code cracker that can unlock an iPhone in six hours: so hands up, FBI, why did it take you FOUR months to access jihadi's phone? | Daily Mail Online

FBI paid over $1 mn for iPhone hack

by Staff Writers Washington (AFP) April 21, 2016

The Federal Bureau of Investigation paid hackers more than $1 million to break into the iPhone used by one of the San Bernardino attackers, director James Comey said Thursday.

Asked at the Aspen Security Forum in London how much the US agency paid for help to get into the phone, Comey replied, "A lot."

"More than I will make in the remainder of this job, which is seven years and four months, for sure. But it was, in my view, worth it," Comey said.

Based on Comey's salary, listed at about $14,900 a month, that comes to more than $1.3 million for the hack, the results of which have still not been divulged.

A video of Comey's talk was streamed on the Aspen Security Institute website.

Apple and the FBI were headed for a court showdown setting national security needs against privacy principles after the agency took the smartphone maker to court to force it to break into the encryption-protected iPhone 5C.

The phone had been used by Syed Farook, who along with his wife Tashfeen Malik slaughtered 14 people at a party in San Bernardino, California on December 2 before dying in a firefight with police.

Apple, backed by a broad coalition of technology giants like Google and Facebook, was fiercely opposed to assisting the government in unlocking the phone on grounds it would have wide-reaching implications on digital security and privacy.

Comey said the litigation in the case had inspired a "marketplace around the world" for people to break into an Apple 5C running IOS 9, the phone Farook used.

"Somebody approached us from outside of the government and said, 'We think we've come up with a solution.' And we tested and tested and tested it, and then we purchased it."

He acknowledged the fundamental principles in conflict in the case and said he was glad that, at least in this instance, a way outside the court was found.

"Litigation is not a great place to resolve hard values questions that implicate all kinds of things that all of us care about," he said.

"We have a problem where all of us share a set of values that are in conflict. We have to figure out how to resolve privacy and security on the Internet and on our devices with public safety."

FBI paid over $1 mn for iPhone hack