115 comments

[ 3.1 ms ] story [ 203 ms ] thread
If the FBI can pay a million for the hack, what's stopping Apple? I'd expect them to be fully aware of it by now.
I would think the fact that they don't have an official bug bounty program makes it unlikely they have an unofficial one. If you are buying, it doesn't harm to make that public.

On the other hand, cases like these may make them consider starting a bug bounty program. and of course, they may already be advertising where it matters (e.g. by calling various hackers, or by using an intermediary to buy hacks) without telling the whole world.

I think it would be against Apple's brand image to publicly invite people to break their software, but your last point could be the case in a very limited fashion.

Apple has persisted its appearances in shipping stable, valuable software and hardware the first time quite well. No hiccups allowed here.

Admitting they can't catch every last bug before release would be killing this advantage in public perception they have over competitors like Microsoft.

I don't think the general public has this perception at all. Many of the non-tech (and tech) people I talk to hold off on updating iOS because they think it's always more buggy. I know people who swear by buying only the S models because they assume by then all the kinks would be ironed out and the phone will be more stable.
I would think the fact that they don't have an official bug bounty program makes it unlikely they have an unofficial one.

Why is that? It seems to me that there are a lot of ways to run bug bounties, although I haven't thought through the details of Apple keeping theirs official / unofficial, it seems one could have arguments for having none, both, or either, depending on who you are and what kinds of bugs you are trying to get people to tell you about.

Well, even if they're buying, that doesn't mean someone is selling.

If I owned an apple tree and merchants were willing to give me $5 per piece of fruit, why would I sell the tree to a farmer for $10? That's assuming that I even want the farmer to know how I grew the tree.

The farmer could maybe bid even higher than $10 since he's sitting on reserves of $200+ billion.
With that kind of reserve, is it possible that Apple simply outbids everyone for any security vulnerability placed on any market they can get in on?
It might be a hardware flaw/hack what the company they contracted with had exploited.
> If the FBI can pay a million for the hack, what's stopping Apple?

Apple is not a government and does not act "in good faith of all - we the people".

In other words - its okay for the GOV to pay a company to extract data from someone's phone (aka "hacking"), it is illegal for a citizen to do so, whether you're paying to crack a phone, or paying to break into someone's house.

They can do it all they want on their own hardware, it's called 'pen testing' (short for 'penetration').
Organizations can also legally do that to their employees (assuming that that phone is a company phone). I've heard that some companies are very interested in restoring phones from former employers
I don't think Apple would pay. It is a previous gen phone, and Apple isn't going to work very hard to try to secure it.

The big question that looms in everyone's mind is if the hack can be used against next gen phones.

It Apple paid for the exploit, then they could assess if it's usable against next-gen phones.
But would they sell to Apple? If they do, they'd lose out on sales to other governments. Apple would probably have to pay far more than other governments who would sit on the exploit privately.
How would they necessarily know that it was apple they were selling to?
Yeah I always wonder what kind of "black ops" such huge companies/fortunes end up with. Do they really not have this kind of stuff? I have first/second-hand knowledge they have fairly competent internal affairs people that will do things akin to spying to find, say, internal corruption. (i.e. a manager in one part of the corp stealing money.)

Seems like for critical things they should have no problem setting up fake companies or handling espionage, etc. What stops them, from, say, paying an employee a large bonus to work for a competitor while feeding back information?

Depends who they're willing to sell to obviously. If they're only looking to sell to governmental agencies, it should be easy enough to confirm the people they're selling to are such agents.

It's definitely true of a $10k exploit which might be readily available on the market, but for something more unique like this they might be more selective with their buyers to protect future profits.

Maybe they don't want to sell it to apple because, assuming Apple hasn't already fixed it and it is found in further generation phones, they could sell this exploit once to Apple or to quite a few big companies, governments and other entities. Please keep in mind that we still don't know how they did that. They could have just dumped the flash memory And flashed it again if 10 passcodes failed (my guess), or they might have exploited a software bug.
In a fun turn of events, if Apple bought the exploit and it could be proven that they did, they could be expected to use it at the FBI's request in the future.
You buy it to learn its function and then patch. The whole idea is to make attack method worthless.
Yeah, but for iPhones that haven't received said patch, you provably know how to exploit them.
I expect that the FBI bought an exclusive
If I was the 3rd party and was being paid $1m a pop to use the exploit, why would they want to give the details to Apple to get it patched and lose their pay-day?
Micro-probing the bus lines, to disable the self-destruct or time-delay counter ? Or perhaps "glitching", sending badly-timed signals to the specific part of the asic that keeps count of the number of bad tries, causing it to lock up. Then brute forcing it at high speed.
> sending badly-timed signals to the specific part of the asic

I would imagine that sort of thing would be very expensive to do correctly, unless you are only talking about feeding badly-timed signals at the asic pins.

someone out there helped design the asic/MCU that does this. individuals on that team would know how to do it very easily because they built the freakin' thing.
I assume Apple already knows the hack/vulnerability. Apple should announce they know it, fix it, and give the FBI a big F-U.
What makes you assume that?
Why would you assume that?
Uh...this is probably a hardware flaw.

Without recalling all iPhones prior to the Secure Enclave, I'm not exactly sure how they would 'fix it'.

It's more likely that Apple did the work for them and they are both hiding it.
There is no reason to assume that apple is either aware of the bug, or that they assisted the FBI in breaking the phone.

It is not only common, but NORMAL for hackers to have unknown exploits before the vendor is aware of them. Where do you think 0-days come from? In fact, there is an annual competition to break these devices with previously unknown attacks at CanSecWest.

Example: http://9to5mac.com/2014/11/13/iphone-5s-samsung-galaxy-s5-ne...

How would Apple know that _a_ vulnerability they know of is _the_ vulnerability that the FBI used, and that the FBI does not want to talk about, other than that it gave it access to one iPhone 5?
I personally don't have a problem with this, just as I had no problem with Apple not wanting to help the government with an investigation. I don't think it is right to want it both ways.
I'm not sure I have a problem with this, but I think it's perfectly consistent to want it both ways. There are plenty of rights that accrue to citizens that don't accrue to government actors and vice versa.
> rights that accrue to citizens that don't accrue to government

Apple should not be compelled to help the government break into one of its devices. But they can "choose" to help the government break in. Likewise, government should not be compelled to help secure its companies by buying zero-days off the black market for public security. But again they can "choose" to.

The cooperation of corporations and goverments is a symbol of trade and teamwork. The lack of cooperation is a symbol of distrust and hostility.

> ...government should not be compelled...

Yes, it should. Who is working for who here? I can understand someone delegating the initial implementation details of a public service to the state, but to say that the state shouldn't be subject to the demands of the public - well that is just insane.

> ...trade and teamwork. The lack of cooperation is a symbol of distrust and hostility.

Teamwork conveys some idea of equality, which isn't going to work if you're interested in maintaining the idea of "public servant". The state's degree of trust in the public (corporate or individual) is irrelevant, the state doesn't get to selectively perform its duties on such a basis.

The government doesn't get to play by the same rules as private companies. They don't get to operate under a veil of secrecy unless they can justify why so. They really didn't provide useful details in this article but claiming ignorance seems absurd and a bit of an eye for an eye mentality...
If the FBI were a private organization, I'd agree with you, but the FBI is paid by the public and is supposed to be protecting the public, so they should not leave the public open to a gaping security hole in a product that millions of people use.

They can't even pretend that the technique would never be utilized by "bad guys" outside of the USA government since whatever the technique is, it's already available for purchase.

They are protecting the public. Just a question if it's the best decision to make for the public. Without backdoors, 0-days are a legit tool for law enforcement. Even Bruce Schneier likes it as a compromise IIRC.
Yeah, and British intelligence should have just called up the Germans to tell them that their Enigma machines weren't configured correctly.
I'm guessing you are just trolling, but still going to address this.

Every time an american agency finds a vulnerability they are faced with a choice: - Use it, possibly against foreign targets - Share it with american vendors to make the country and its businesses safer

It should be clear that in most cases the value of protecting american interest is vastly more valuable than attacking foreign interests.

It's like Clinton lobbying cruise missiles at Afghanistan, whatever they destroyed was worth a lot less than the missile itself. If for example Apple and Google can be protected that is probably worth a lot more than whatever can be gained by using this offensively.

And note that every time a cyber weapon is used there is a large risk that the entity being attacked can learn how the attack worked and use this back at your interests.

You're absolutely right that there's multiple interests being balanced here. That's the point I was trying to make.

I think the FBI is making the right call here. An exploit that requires physical access to the phone and that sells for a million dollars per use is not a big risk to anyone.

I've never seen government decision-making work first-hand, so I wouldn't claim that this speculation should carry weight.

But if I was someone on the FBI side who wanted to "win" this somehow, I could imagine how this might look like a victory. Apple wanted for its phones to look so secure that they will even stand up to the government to protect them. In response, the FBI made Apple's phones look so weak that anyone who has $1M to spend on the black market can get in.

spending $1m to get into a 5c isn't exactly a PR disaster for apple.
Exactly - anyone security conscious and even partially informed (or relying on those who are informed) would see this as a reason to upgrade to secure-enclave enabled device (ie, iPhone5S or better).
I don't think this is a victory. They wanted to backdoor every future IPhone. They did not get that. If they had to pay 1M+ to break an iphone, it means it is not cheap to break an IPhone which is the whole point of encryption.
Just seems petty of the FBI to actually make an official announcement like this. I get if it's understood that they're not releasing it, but why make a formal press release about it?
What would stop one or couple of apple engineers from creating a backdoor and then selling a "unlock service" trough some foreign intermediary making $1 mil each time?
probably the threat of being caught and subsequent consequences probably stop them. also (not saying Apple does and it's hard to do) but companies compartmentalize portions of software making it difficult for an individual to go rouge and break apart the security. higher up engineers probably could but the risk is pretty crazy especially with the new "we can just do whatever we want" terror laws that they would probably lay on them
> not saying Apple does and it's hard to do) but companies compartmentalize portions of software making it difficult for an individual to go rouge and break apart the security

Apple does this to an extreme. You can't even see the code to projects you are not on. Oh someone else's code has a bug? Well, you can do symbol search across the entire codebase but you will get the line featuring the symbol, the line above it and the line below it.

What would stop one or couple of TLA agents to get jobs as apple engineers, create a backdoor and then selling a "unlock service" trough some foreign intermediary making $1 mil each time to avoid VEP?
Would FOIA apply here in any way?
They could just reject the FOIA claim, stating it's part of an 'active investigation' for the next decade or so.
The FBI is the criminal government.
This is a scary precedent.

From the bits I've seen of it, the Vulnerabilities Equities Process is a really great bit of government transparency, run by a group of people who understand that the best interests of different parts of the government and the citizens of the country often end up at odds. The process allows for vulnerabilities to be periodically reviewed so that the costs and benefits of not disclosing can be weighed over time, and by an at-least-somewhat independent group.

Just skipping it altogether because "we paid a contractor" completely subverts the process. What's stopping all the TLAs from simply routing all their vulns through a private third party and bypassing the VEP altogether?

Makes you wonder who is really "Public Enemy No. 1" now.
How are they supposed to submit a vulnerability they don't know about? I'm willing to bet they chose to remain willfully ignorant of the details. Are you saying they should not be allowed to outsource the work but instead must obtain the full exploit or nothing?

The real scary precedent is that they paid that much without obtaining the vulnerability exclusively and the technical aspect behind it. Or maybe it's not a scary precedent (except in tax monies) that they outsourced the vulnerability without obtaining the know-how to reuse it on a whim.

Either way you look at it, it is opaque, regardless of whether it goes through the VEP (and the ERB within) or they use a secret company. Were one way more transparent than the other then we should definitely favor that approach.

(comment deleted)
It's bad enough that the VEP was bypassed, but the high-profile, 7-figure payout for the security researchers who had their hands on the bug is a problem too. Plenty of bug bounty programs have remote code execution at $10k, but the FBI paid _100 times_ that. That's an amount of money that some bug hunters might find very challenging to turn down. And this is "above board", with no shady bitcoin payments from dingy IRC channels.
Even with it 100 times more, its still cheaper than the legal fees they were facing.
I think you miss the point.
Those are my tax dollars at work.
The payout wasn't particularly big, bug bounty rewards are just a bit of a joke.
You assume they were "security researchers" and not, say, a black-hat syndicate based out of Anonymouskaya Oblast.
Why do you think SAIC has so many government contracts?

Part of it is that the government can have SAIC or their subcontractors do the shady things that the government might actually get taken to task for.

(comment deleted)
Well, what I read this as is "the FBI supports organised crime".

I mean, they've paid black hats for an exploit, and are now protecting their identities.

What if the FBI colluded with a mobster - oh, Bulger. Yeah, nothing new here, just the same old crooks being the same old crooks.

This might be great for the FBI right up until they actually try to use the evidence in court. The defense attorney can claim (rightly so) that unless they can examine the unlock method to verify it doesn't tamper with any of the data on the phone, the evidence is inadmissible.

The only way the FBI will be able to use this data in court is if they turn the process over to the defense so they can have the process independently verified. Since the article states that they don't have access to the "technical details" of the hack, they have no way to prove the method doesn't manipulate the data on the device.

This was never intended to be used in court - the guy who carried the phone is dead, as is his wife and partner-in-slaughter.
Information obtained from the phone could have been used to implicate a third party, though.
That's what parallel construction is for :(
If they already had all the logs of everything happening on the Internet and cell networks for that device, why even go through hacking the device?
My understanding is that the FBI wanted to see which, if any, third party messaging services the phone's owner was using and his usernames so they could serve a subpoena to those services.
To set a precedent.
I don't even really trust that they _did_ hack it. Could just be a safe way out when they realized apple wouldn't back down.
This! Why does everyone believe this FBI PR bullshit? It's classic propaganda to save face.
At which point they'd trot out some parallel construction claims and make the 3rd party stuff admissible.
The information might not be admissible to implicate someone, but it should still count as probable cause (IANAL). So they could legally use it to then search whoever may be implicated, and any evidence from that should be admissible.

There's no claim that they violated any rights searching the phone (which after all belonged to them), but that the process may be unreliable. That means it's still enough for probable cause, or that seems plausible to me. I don't know whether this is right.

Edit: I did some searching, and this seems to be correct. https://en.wikipedia.org/wiki/Taint_(legal)

>The most common of such usage is with reference to evidence, testimony, identification by witnesses, or confessions that have been obtained by law enforcement illegally.

If it's obtained legally, it doesn't count as tainted. http://legal-dictionary.thefreedictionary.com/tainted+eviden... has the same illegal language.

>> "...the phone (which after all belonged to them)..."

Pretty sure the phone was the property of whomever was named as the dead guy's inheritor in his will. Absent a will it should have gone to the next of kin or probate court or similar. One place the dead guy's property should not go is to the FBI. That's not how property rights work.

I recognize that in practice the FBI will do as they damn well please, but in principle we do have laws for this.

Warrants trump property rights here, and on top of that it was the county's phone, not the dead guy's.

http://gizmodo.com/the-san-bernardino-terrorists-icloud-pass...

> Technically, the iPhone in question (the one the FBI is demanding that Apple unlock) was purchased by the San Bernardino Department of Health. And as security researcher Christopher Soghoian has pointed out on Twitter, the Department tried to reset the phone’s iCloud password remotely in the hours after the attack. The department hoped to gain information from a possible back-up of the phone to iCloud. Instead, it rendered the account useless.

My point is that a warrant allowing seizure of evidence does not transfer legal ownership to the the FBI. If the county owned the phone, then fine. It remained the county's, not the FBI's, regardless of any investigative warrants.
Assuming there was ever any useful evidence on it.
Not to be a conspiracy theorist, but maybe they don't actually have a hack. Maybe they just want people to think they do.
That seems like the most likely explanation to me too.
Really the most likely explanation is that Apple writes security bug free code? My guess is the FBI found someone who knew how to exploit the phone or asked a 3rd party with connections to the NSA so there is a level of plausible deniability on the origins.
There are obviously security bugs in Apple's code, almost certainly some which allow for breaking into a device. That's even more likely to be true because the device in question wasn't fully updated.

However, the situation as I see it is this: The FBI realized they were going to lose their legal battle to compel Apple to unlock the phone in question. They then retracted their suit to avoid a precedent being set against them, and announced "don't worry guys, we got in anyway" to deflect attention from that particular iPhone, which they had argued was where the situation would end in the first place.

Your explanation is certainly possible, I just don't think it's as likely that they would really spend $1m on this phone which in all likelihood has nothing of value on it to begin with.

For a government agency to spend money is not as undesirable as it would be for you and me. Budgets have to be justified, and not spending money leads to reduced budgets (and hence reduced influence). Spending budget on high-profile projects can be seen as beneficial to career advancement. Though, $1 million wouldn't get you far if it wasn't for the high-profile nature of this "project"...
Although I'm skeptical of that idea, it does follow the popular narrative of "The actual goal of this was to force Apple to make a back-door, not to get info from the phone"
Did any of the commenters here actually read the article?

Although the FBI paid more than $1.3 million for the method, Amy Hess, the agency’s executive assistant director for science and technology, said Wednesday that it didn’t purchase the rights to the technical details and therefore doesn’t have the necessary information to submit the method for an Obama administration review known as the Vulnerabilities Equities Process. "The FBI assesses that it cannot submit the method to the VEP," Hess said in a statement. "We do not have enough technical information about any vulnerability that would permit any meaningful review.”

...

The law enforcement agency bought the hacking tool from an entity it hasn’t identified and then used it to access data on an encrypted iPhone

It sounds like the FBI doesn't actually understand the details of how the crack worked and was hand-holded through the process.

How could any information obtained in such a way be useful to them, as there is no way to prove it is not tainted (chain of custody and all that?)
It's not useful for them for any specific investigation, but it certainly can tell them where they might stick their fingers next.
I think the general implication that's being suggested is that the FBI is all too happy to not know the details. It sets a dangerous precedent where these sorts of things are routed through contractors so that safeguards like the VEP are bypassed.
Exactly. The 3rd party will hold this method (until patched some day in the future possibly) and they FBI will keep coming back, paying an initial seed round equivalent for possibly no usable data, claiming the same 'defense'.

This just shows typical contempt for the public in general. Why should we be surprised?

Is there any sort of path to holding the FBI responsible for aiding and abetting a criminal organization, or even working with domestic terrorists? I imagine that's what I'd be labeled by the FBI if I hacked someone's phone (or many peoples' phones) with this exploit.
The only phone we know has been hacked by this method is in the FBI's hands: they have a warrant.

It's possible the contractor in question is a gray-hat hacker who really hasn't ever performed the hack on any phones they don't own, which makes everything they've done perfectly legal.

So, if I understand correctly, the FBI doesn't really know how the phone was hacked? Wouldn't that also mean that they don't really know if the data their contractors retrieved from the phone is really from the phone?
"randomly" generated data, to assure accuracy
Translation: We got taken for a $1M ride, and have neither a valid exploit nor any data to disclose.
Isn't this title a little misleading if they never knew the actual technical process of hacking the iPhone? They can't share what they don't know.
I hope that the security community reciprocates: if the FBI won't disclose security flaws to the community, then neither should the security community give the FBI any special privilege or notice in disclosing flaws in FBI software. The FBI might then learn about the benefits of disclosure the hard way.
These times are so interesting. The FBI is making policy that they wont expose the 0 days they bought for over a million USD. We need to consider the amount of cool things we learn right now and appreciate it.
Are we sure the FBI is not bluffing?
Ive got a friend at Sun Corporation who, a few weeks ago, when I congratulated her on the recent (unconfirmed) news of her company, she said it was Cellebrite's news and not theirs.
I am really beginning to think if the FBI actually used a hack. There were reports that the passcode was changed when in FBI's possession, what if this was just a deliberate attempt to force Apple to create a backdoor?
You mean they had access in the first place, and this is all smoke and mirrors to cover the fact that they were bluffing when they were trying to subvert apple, and there is no hack?

Plausible, actually - and if they wanted a cover story that would cause apple as much collateral damage as possible, they've chosen well - as blowback doesn't matter to the FBI. They're untouchable gods, above the law, above public sentiment.