Should The FBI Disclose The iPhone Vulnerability?
The hoopla surrounding the question of whether or not Apple should create a “backdoor” for the FBI in order to access the phone used by San Bernardino gunman Syed Rizwan Farook gave way to the announcement that the FBI had gone ahead and somehow gained access anyway. After delaying the court order that Apple create a backdoor, the Justice Department then concluded that the order should be abandoned as the FBI had found an alternate method to extract the data.
However, there is now demand that the FBI disclose how they did it.
Disclosure might be required under the Vulnerabilities Equities Process (VEP), which is the process by which the US Government decides whether or not to disclose a computer vulnerability. The process was written about in a 2014 blog post (originally discussing the Heartbleed vulnerability) by Special Assistant to the President and Cybersecurity Coordinator Michael Daniel. In it he laid out the criteria he uses in order to determine whether or not a vulnerability should be disclosed.
In an article on Defense One, author Rob Knacke argues that there are seven out of nine reasons that the FBI should disclose the vulnerability. Especially convincing are the arguments that yes indeed the iPhone is such a widely used device in the economy that a vulnerability could pose a major hazard if left unpatched – especially since now it is highly likely someone else will find out how to do it since it is now known that it’s possible.
However, there are two compelling reasons that the FBI might opt to keep this one a secret for now: the fact that the US Government probably really needs the intelligence that could be gained through this vulnerability and there are no other ways to obtain said intelligence.
Unless the US Government declassifies the method they used to get into the phone, the security community and Apple itself may never know if they actually did it or whether they are lying to save face and withdraw the court order. It is known that the government had the aid of a third party – perhaps a security contracting firm that specializes in selling these types of vulnerabilities – but nothing is known about how the access was gained or anything about the method used.
Some people in the security community have guessed at the method. Some think that NAND mirroring was used. This is a method in which the chip on the phone is extracted and mirrored so that after the 10 guesses at the passcode are used up, another version of the chip can be created and 10 more guesses used. It’s like playing the same level over and over again in a video game until you get it right – you’re just restoring the game from your last “save point”.
It’s a tough position for Apple to be in as they rely on the public perception of the security of their devices – if the devices can be hacked they lose public trust. What Apple really needs to do is to figure out how the government did it – and it’s basically a cat and mouse game between the two.