When the FBI was still demanding Apple’s help to access a work iPhone used by one of the San Bernardino killers, security firm Trail of Bits wrote a blog post claiming that the phone could be accessed without Apple’s assistance. A Cambridge University researcher has now successfully demonstrated that the method proposed would have worked.
It’s just ten days since I pointed to a Microsoft security leak as proof of my point that any iPhone master key created by Apple would inevitably fall into the wrong hands in time – and even more powerful support for that position now exists.
It was revealed last week that powerful hacking tools created by the NSA have been leaked, and are now being auctioned to the highest bidder. Christopher Soghoian, Principal Technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, summarised that argument in a single tweet.
https://twitter.com/csoghoian/status/765785340892372992
Update: Steve Gibson has taken issue with the ‘golden key’ term used by Ars, arguing that it overplays the significance of the vulnerability.
I wrote an opinion piece predating the San Bernardino shootings on why Apple was right to stand firm on encryption even in the face of terrorist attacks, and another one afterwards explaining why it would be too dangerous to give the FBI the iPhone master key they demanded.
My main argument was that something as powerful as a master key to unlock an iPhone would eventually fall into the wrong hands.
So soon, the FBI would hold the key. Then other law enforcement agencies. In time, that key would be held in every police precinct house. We would then be trusting more than a million people with access to that key to abide by the rules. Government agencies don’t always have the best of track-records in doing that.
And Microsoft has just proven my point, even with code that was never intended to leave the company’s possession …
A second federal judge has ruled that a suspect can be compelled to unlock their iPhone using their fingerprint in order to give investigators access to data which can be used as evidence against them. The first time this ever happened in a federal case was back in May, following a District Court ruling in 2014.
The latest case involves a suspect accused of particularly unpleasant crimes, reports Ars Technica.
A Dallas, Texas man accused of prostituting underage girls was secretly ordered by a federal judge to unlock his iPhone using his fingerprint, according to federal court documents that are now unsealed.
The legal position of forcing suspects to use their fingerprints to unlock devices won’t be known with certainty until a case reaches the U.S. Supreme Court, but lower court rulings so far appear to establish a precedent which is at odds with that concerning passcodes …
There must be some kind of irony award for using a security summit to attack the use of strong encryption, and BlackBerry CEO John Chen seems determined to win it. Speaking at the BlackBerry Security Summit, Chen said that he is ‘disturbed’ by Apple’s decision to work hard to keep its devices and messaging services secure, reports Patently Apple.
The fallout from the standoff between Apple and the FBI in the San Bernardino case continues. Following the introduction of one bipartisan bill in the House of Representives in February, seeking to protect encryption against any state-level legislation that might compromise it, a new bill has now been introduced in the Senate ,,,
Something that has been bugging me for some time is that my iPhone, normally unlocked with Touch ID, asks for my passcode way more often than it ought to. That mystery has now been solved by a bullet-point that Apple added to its iOS Security Guide earlier this month – though the behavior has been there a lot longer.
Previous versions of the document said that iOS devices should only ask Touch ID users for their passcode in one of five circumstances. I found I was frequently asked for my passcode when none of these applied, but a sixth, recently-added bullet-point explains it …
Even though the FBI’s battle with Apple over the San Bernardino iPhone is essentially over, FBI director James Comey today explained that the case is just the beginning of litigation over accessing smartphones and other devices. As reported by Reuters, Comey explained that there will be more litigation between the FBI and manufacturers over accessing locked devices, noting that encryption is “essential tradecraft” of terrorist groups.
Reuters is reporting that Apple CEO Tim Cook will visit China later in May to meet with government officials and address current tensions between Apple and China, seen by many as the main driver of revenue growth for the company going forward.
Apple has faced some significant setbacks in China in the last few weeks. The company has had to stop selling iBooks and iTunes Movies in the region following new governmental policy that restricts online publishing. Apple also ceded exclusive rights to the iPhone trademark after losing a court case, although it plans to appeal.
LAPD detectives have successfully hacked into a locked iPhone 5s despite the phone having a Secure Enclave, according to an LA Times report.
Los Angeles police investigators obtained a method to open the locked iPhone belonging to the slain wife of “The Shield” actor Michael Jace, according to court papers reviewed by The Times.
LAPD detectives found an alternative way to bypass the security features on the white iPhone 5S belonging to April Jace, whom the actor is accused of killing at their South L.A. home in 2014, according to a search warrant filed in Los Angeles County Superior Court.
More intriguingly still, this appears to have occurred during the time that the FBI was still demanding that Apple help it unlock the less secure iPhone 5c in the San Bernardino shooting case …
For the first time in a federal case, a suspect has been ordered to use her fingerprint to unlock her iPhone using Touch ID. The LA Times reports that a federal judge signed a warrant allowing the FBI to compel a suspect in an identity theft case to to unlock the phone just 45 minutes after her arrest.
Authorities obtained a search warrant compelling the girlfriend of an alleged Armenian gang member to press her finger against an iPhone that had been seized from a Glendale home […]
In the Glendale case, the FBI wanted the fingerprint of Paytsar Bkhchadzhyan, a 29-year-old woman from L.A. with a string of criminal convictions who pleaded no contest to a felony count of identity theft.
The warrant is consistent with a 2014 case where a Virginia District Court ruled that while passcodes are protected by the 5th Amendment right against self-incrimination, fingerprints are not. Legal experts, however, have differing views …
The FBI has decided it will not divulge the details of how it successfully hacked into the San Bernardino iPhone to Apple, having found a method at the last-minute just hours before going to court in late March. However, in an attempt to appear helpful and cooperative, the FBI gave Apple its first security tipoff under the Vulnerability Equities Process this month.
Reuters reports the FBI informed Apple of a security flaw affecting iOS and Mac software on April 14th, as part of a process that balances the needs of law enforcement to hack devices and the needs of manufacturers to patch found flaws before criminals can use them …
Speaking to a security conference in London today, FBI director James Comey suggested that the agency paid more than $1 million for the iPhone 5c exploit used to unlock the San Bernardino shooter’s device last month. NBC News reports that Comey didn’t explicitly reveal the price of the hack, but instead hinted at its price based on his salary:
Just a day after a prominent legal expert described the proposed anti-encryption Burr-Feinstein bill as unconstitutional, unenforceable and harmful, Apple has called the proposal ‘well-intentioned but ultimately unworkable.’
The description is in an open letter from the Reform Government Surveillance coalition, of which Apple is a key member, alongside companies such as Google, Dropbox, Facebook, Microsoft and Twitter. The letter, addressed to the two Senators behind the proposed bill, explains why it would be harmful to the interests of both the U.S. people and American businesses …
CNN today reports that while the FBI did not find anything new on the San Bernardino iPhone 5c that it unlocked without Apple’s help, it has “produced data the FBI didn’t have before.” Essentially, not finding anything new on the device is what the FBI needed to know in order to answer some of its remaining questions regarding the case.
It was announced last week that Apple would once again face off against the FBI in Congress this week after its previous testimony over the FBI’s request in the San Bernardino gunmen case. During the hearing today, which was entitled “Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives,” Apple’s General Counsel Bruce Sewell continued to defend the need for strong user encryption. He also clarified, however, that Apple has refused requests from China for source code.
While the FBI abandoned its court case against Apple, the dispute of course still rumbles on in Congress, with hearings today and a proposed bill to force U.S. tech companies to break encrypted devices on demand. But at least one legal expert thinks the Feinstein-Burr bill is deeply flawed, arguing that it is unconstitutional, unenforceable and would harm U.S. investigative capabilities.
And not just any legal expert: you can’t really ask for better credentials in this area than those of Paul Rosenzweig.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company [and] formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Distinguished Visiting Fellow at the Homeland Security Studies and Analysis Institute. He also serves as a Professorial Lecturer in Law at George Washington University [and] a Senior Editor of the Journal of National Security Law & Policy.
In a blog post on Lawfare, Rosenzweig sets out the three problems he sees with the Feinstein-Burr bill …
Apple had published its latest Transparency Report on Government Information Requests, covering the second half of last year. It revealed that it received over 30,000 requests last year, and complied with up to 82% of them. It is not allowed to specify the exact number of National Security Requests, but says they fell into the 1250-1499 band.
Apple breaks down the numbers by country, region and type of request. It says that most fall into what it terms device requests. Apple’s compliance here ranges from 52% in EMEA (Europe, Middle East, Africa) and India, to 80% in the USA.
The vast majority of the requests we receive from law enforcement relate to information about lost or stolen devices, and we report these as device requests. Device requests may include requests for customer contact information provided to register a device with Apple or the date(s) the device used Apple services. We count devices based on the individual serial or IMEI numbers related to an investigation. We encourage any customer who suspects their device is stolen to contact their local law enforcement agency.
Of perhaps greater interest are account requests, where the government is asking for information ranging from names and addresses to copies of iCloud backups …
In what feels like a never-ending battle, Apple and the FBI will once again testify in Congress next week regarding encryption. Reuters reports that Apple general counsel Bruce Sewell and FBI executive assistant director Amy Hess will testify on separate panels before House Energy and Commerce subcommittee next Tuesday, April 19th.
A proposed law that would force Apple and other tech companies to decrypt devices for law enforcement agencies has reached the stage of a draft bill – but one Senator has vowed to filibuster it. A filibuster is when a parliamentarian makes a lengthy, uninterrupted speech which results in running out of time to debate the bill, causing it to fail.
The Senate Intelligence Committee first proposed to introduce the bill in February, and the FBI lent its support by briefing two sponsoring senators. However, many lawmakers oppose the bill, and it has been reported that the White House will not publicly support it.
The Verge now reports that one senator has pledged to filibuster the bill if it gets as far as a Senate debate …
The FBI has so far been ambivalent about whether or not it will reveal to Apple the method used to access the San Bernardino iPhone, but a Reuters report suggests that the agency may not even know – or have the legal right to disclose it if it does.
The Washington Post reported yesterday that it was freelance hackers, and not Cellebrite, who sold the FBI the tool used to access the phone. But the group may not have revealed the vulnerability on which it was based, and the government process that decides which vulnerabilities to share with companies does not apply in this case …
Earlier today, more details regarding how the FBI was able to gain access to the iPhone 5c used by one of the San Bernardino gunmen emerged. Now, a new report from CBS News is offering some information as to the contents of the device, or lack thereof rather. The report says that, as of right now, the FBI has not found anything of “real significance” on the device.
Unnamed sources cited by the Washington Post contradict the widely-held belief that it was Israel-based mobile forensics company Cellebrite which helped the FBI hack into the locked San Bernardino iPhone. The report say that the agency was instead approached by a group of freelance hackers who revealed an iPhone passcode vulnerability to the FBI in return for a one-time fee.
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter […]
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution …
The WSJ has illustrated the stark contrast in Apple’s attitude to assisting law enforcement to access iPhones before and after the Snowden revelations about mass surveillance of private data. It was already known that Apple had helped access more than 70 pre-iOS 8 iPhones, and the paper today reports that – in the earliest known case – the company went as far as drafting the language for the court order.
Lawyers and investigators involved in the 2008 prosecution of Amanda and Christopher Jansen, a young married couple from Watertown, N.Y., remember it as one of the most horrific cases of child sex abuse they had ever seen.
History may remember it for another reason. It is believed to be the first case of a federal judge ordering Apple to assist the government in unlocking an iPhone—and the technology giant not only complied; it helped prosecutors draft the court order requiring it to do so …