clock menu more-arrow no yes mobile

Filed under:

Plenty of Unanswered Questions Remain in the San Bernardino iPhone Case

Is Cellebrite giving the FBI a technical assist? Is it some other group?

Shutterstock / Recode

Government officials have expressed optimism about their ability to unlock the iPhone used by one of the San Bernardino attackers without Apple’s help, possibly making moot a contentious court case.

FBI Director James Comey said Thursday that publicity surrounding the high-profile case prompted people from around the globe to come forward with ideas and offers of help, and “it looks like we now have one that may work.”

But there are plenty of questions that still haven’t been answered:

Is Israeli Firm Cellebrite Really Providing an Assist?

The government has offered few details about the mysterious third party that materialized, just days before a court showdown, with an offer to help the FBI bypass the encryption on the iPhone 5c used by one of the Dec. 2 attackers, Syed Rizwan Farook.

Clearly, the method was promising enough for the government to call off a scheduled hearing over whether Apple could be forced to write software to defeat the security measures on the device.

An Israeli publication identified mobile forensics firm Cellebrite, a company with a long relationship with the FBI and other law-enforcement agencies, as the technological white knight. Bolstering the theory is an FBI purchase order for $15,278 issued on March 21 — the same day the government asked the a federal judge to cancel the hearing.

Security expert Bruce Schneier, chief technology officer for Resilient Systems and a fellow at Harvard’s Berkman Center, suspects the timing of the purchase order is mere coincidence — that if the company had an ongoing relationship with the FBI, and if it could crack the phone, the firm would have done so months ago.

“Why would it show up in the 11th hour?” Schneier said. “It makes little sense.”

Did the Government Lie About Its Access to the San Bernardino Killer’s Phone?

If the government is working with Cellebrite — one of its existing technology partners — to unlock Farook’s phone, was the Justice Department truthful when it repeatedly asserted that it had exhausted all its options for accessing the information on the device and needed Apple’s help?

“The FBI’s last-minute excuse is about as believable as an undergrad who comes down with the flu the night before their paper is due,” said one activist, Evan Greer. “They should come clean immediately and admit that they misled the court and the public, to avoid further damaging what’s left of their credibility.”

This suspicion feeds the perception within the tech community that the San Bernardino case is really about establishing a legal precedent — not obtaining evidence in the domestic terror attack, said Chenxi Wang, chief strategy officer at cloud security firm Twistlock.

Comey dismissed any suggestion that the government misled anyone about its inability to access the information locked on the phone.

“Lots of folks came to us with ideas,” Comey wrote in a letter to the Wall Street Journal’s editors. “It looks like one of those ideas may work and that is a very good thing, because the San Bernardino case was not about trying to send a message or set a precedent; it was and is about fully investigating a terrorist attack.”

If It’s Not Cellebrite, Who Is Helping the FBI?

None of the parties involved are talking. Not the FBI, not the Justice Department and not Cellebrite. And we may never know, since this new approach may well be classified, according to the Guardian.

But there are plenty of security researchers around the world — hackers to you and me — who dedicate themselves to finding and developing software to exploit computer vulnerabilities. Selling that information to corporations or governments can be a lucrative business.

“Exploits can go for hundreds of thousands or millions of dollars,” said Area 1 Security co-founder Oren Falkowitz, who worked for a decade for the NSA.

Many companies (though not Apple) offer bounties for finding bugs, as the New York Times reported ($100,000 can be yours if you can find a way to compromise the Chromebook). Governments similarly pay big for this kind of information.

Last summer, some embarrassing details emerged about a group of hackers-for-hire known as the Hacking Team, which has been accused of selling software tools to repressive governments. The Milan group was itself the subject of a hack that laid bare details of its business practices — including emails and customer invoices.

“There are many companies around the world — hacking teams — who trade in the exploit markets,” Falkowitz said. “It’s not surprising people would come out of the woodwork.”

Is The Government Under Any Obligation to Tell Apple What It Found?

If the FBI’s new method for accessing the iPhone exploits some vulnerability, the government may be obligated to tell Apple — unless it can prove it’s in the national security’s interest to keep the glitch secret, according to Bloomberg. A process known as an equities review will determine whether a new security flaw is kept secret or disclosed.

“I do think it should be subject to an equities review,” Chris Inglis, former National Security Agency deputy director, told Bloomberg Business. “The government cannot choose sides in the tension between individual and collective security, so the equities process should be run to put both on a level playing field.”

This article originally appeared on Recode.net.