Will recycling the San Bernardino iPhone hack put consumers at risk?

Now that the FBI has unlocked the San Bernardino iPhone, there's a new public debate over how to responsibly disclose vulnerabilities the government finds. Security pros say that once a technical flaw is announced, it must be patched quickly – but law enforcement may be able to reuse it in future cases.

Outside an Apple Store in Santa Monica, Calif., in February, demonstrators supported Apple's refusal to help the FBI access the cellphone of a gunman involved in the killings of 14 people in San Bernardino.

Lucy Nicholson/Reuters

April 6, 2016

Thanks to high-profile lawsuits and a barrage of media coverage, it’s no secret the FBI hacked the San Bernardino shooter’s iPhone.

And that in itself may pose a risk to public safety.

Malicious hackers and nation-states are always looking for ways to bypass iPhone security features to steal personal information, trade secrets, or gather intelligence. Now, cybersecurity experts say the fact that the FBI has announced it has a way to break into an iPhone that Apple doesn't know about puts a bullseye on an entire class of consumer devices.

"Given enough time, all things can be broken. The mere fact the FBI has acknowledged there’s a vulnerability in the iPhone 5C is essentially like a treasure map" for other people to break in, says Ashkan Soltani, a prominent security researcher who until recently was the chief technologist for the Federal Trade Commission. The FBI, he says, is basically "drawing a big, fat X on where to look" for security gaps.

The FBI was inundated with technical suggestions to hack smartphones from outside the government, after it went to court to compel Apple to help unlock the iPhone used by Syed Rizwan Farook, who along with his wife shot and killed 14 people in December. After one technique proved successful in bypassing the phone's security measures, the FBI no longer needed Apple's help and dropped the case. 

But it still hasn't revealed the vulnerability. "We have a way to solve the problem, with respect to the class of devices, or the device that was at issue in San Bernardino," said James Baker, the FBI’s top lawyer, at an International Association of Privacy Professionals conference Tuesday.

Mr. Baker says discussions are still ongoing about whether the White House-run Vulnerability Equities Process might apply here. That review involves multiple agencies that decide whether security flaws in government hands should be disclosed or kept secret for national security reasons.

The FBI originally wanted Apple to write and install new software that could make it easier for investigators to access the iPhone’s data by "brute force," using programs designed to try millions of password combinations quickly without erasing the data. The FBI has not disclosed anything about how it ultimately gained access to the iPhone nor the name of the outside party who helped or how much it paid for any contract. 

Still, the spotlight on this case kicked off a global technical debate about possible ways to hack the iPhone. "You know that there is a vulnerability there, you just need to find it," says Mr. Soltani.

The high-profile nature of the lawsuit means dozens of nation-states and hundreds of teams of hackers are likely already trying to replicate the hole – or have already found it, says Nico Sell, cofounder of secure messaging app Wickr.

"To assume the FBI is the only one that found this when the hole has been talked about publicly is very naive," says Ms. Sell. "The criticality of this vulnerability increased exponentially when it became public... . I don’t think any security expert would think [FBI agents are] the only ones who know the way in – and it’s better for public safety and national security to plug it."

That's something the FBI worries about, too, according to Baker. In response to a question from Passcode, he acknowledged there's a concern that the vulnerability the FBI used could get into the wrong hands after so much public chatter about it. "Bad guys are out there all the time looking for vulnerabilities. And they find them with regularity. And they exploit them," he said.

But to the FBI, getting into the San Bernardino iPhone was worth that risk. "Given the severity of this case, we thought it was appropriate to try to do this – but there are risks associated with this. We try to mitigate it, but yes, there are risks."

Cybersecurity experts say that the vulnerability the FBI relied on in this case probably affects only the iPhone 5C. What's more, these phones would likely need to be in the physical possession of those seeking to hack them. That's still a concern, says the FTC technologist Soltani, because of the large amount of iPhone theft that occurs. If criminals are able to replicate the security hole, they'll be able to more easily access victims' personal data. 

Despite the risks, the FBI may be tempted to keep the flaw secret so it can open iPhones in the future. New York District Attorney Cyrus Vance Jr. has said his office alone has 175 Apple devices it can’t access.

On Friday, the FBI sent a letter, obtained by Buzzfeed News, to local law enforcement offering assistance unlocking devices. Though it did not explicitly say whether the San Bernardino iPhone vulnerability would be applied, it promised: "We will continue to do everything we can to help you consistent with our legal and policy constraints."

But if the agency doesn't reveal this vulnerability, that sets a dangerous precedent, say many security experts. "If tomorrow, [the FBI] says, 'We found an iMessage bug that affects all phones,' that means everybody in real time could be covertly intercepted," Soltani says.

After all, while this case garnered worldwide attention, it's unlikely to be the last example of federal agencies looking for creative ways to decrypt private communications as more companies offer end-to-end encryption.

"For decades, we have relied on a key investigative tool to deal with the adversaries that we have: electronic surveillance," said the FBI's Baker. "The tool we have relied on is becoming less and less effective every day. That is to a large degree because of encryption."

The popular messaging app WhatsApp this week announced it added default end-to-end encryption to its service – meaning it has no way of turning over customers' information even when served with a court order.

"If the country does nothing, encryption like that will continue to roll out across the technological landscape," Baker said. "It has public safety costs. People have to understand that. Who do they want to bear those costs? Do they want the public to bear those costs? Victims of crime to bear those costs? Victims of terrorism to bear those costs?"

Yet Baker acknowledges the benefits of encryption – and the difficult tradeoffs in this debate. 

"I personally have been a victim of privacy crimes multiple times, including in [the Office of Personnel Management hack]. My private data, my family’s data, was all stolen. I wish that data had been encrypted. We clearly see the benefit of it. If more was encrypted, more would be protected from the unbelievable cyberthreats we face."