The FBI is under pressure to reveal how it was able to unlock the iPhone of one of the San Bernardino shooters.
Technologists and digital rights activists warn that whatever security hole the agency was able to exploit to gain access to the device has been left wide open for online criminals to find — leaving everyday users of Apple products vulnerable to identity theft and other crime.
But the government may have a good reason to keep the knowledge to itself, given that Apple says it will reject orders to help hack phones in the future. The FBI has obtained court orders seeking access to dozens of locked iPhones across the country, many of which Apple is opposing.
The Justice Department has only confirmed that the method used to hack shooter Syed Rizwan Farook’s phone worked on that one phone, an iPhone 5c running a version of Apple’s iOS 9 operating system.
But the agency is reportedly testing the method on devices in other cases.
“It’s premature to say anything about our ability to access other phones at this point,” a law enforcement official told reporters on Monday, but “we intend to continue assisting [state and local officials] in appropriate cases.”
It’s common for the FBI to classify a given hacking tool — which it calls a network investigative technique, or NIT — if the agency believes it will be useful in future investigations, experts say.
Once a NIT is out in the public eye, it loses its value. The targets of a given investigation may abandon the platform, or the manufacturer might patch the vulnerability that the FBI used to gain access.
There are two ways the government might be forced to disclose how it hacked into Farook’s device, experts say.
One is through the discovery process in a criminal trial.
In one closely watched case, the FBI has been guarding a NIT used to hack over a thousand computers and identify users of Playpen, one of the largest child pornography sites on the dark Web.
The agency is pushing back against an order from a judge that it provide defense lawyers with the method used to hack their clients’ computers. The defense wants to know whether the NIT in question carried out any functions beyond what it was authorized by a warrant to do.
But the FBI has argued that how it was able to hack users doesn’t have any bearing on the defendant’s case — and that disclosing its methods would be “harmful to the public interest.”
“It could diminish the future value of important investigative techniques, allow individuals to devise measures to counteract these techniques in order to evade detection, discourage cooperation from third parties and other governmental agencies who rely on these techniques in critical situations, and possibly lead to other harmful consequences,” prosecutors wrote in a December filing.
Some expect that if the government succeeds in rebuffing the judge’s order, it will set a precedent that it will cite in future cases involving Apple devices to avoid disclosing any flaws it exploits.
Because of the risk that it will be forced to disclose a NIT during the discovery process in a criminal case — as opposed to a national security investigation, where it’s easier to keep its methods secret — the FBI is often very judicious in selecting the cases in which it deploys a given tool.
“The question often is, what is the greater good and how will it impact ongoing national security operations?” said Milan Patel, a former supervisory special agent of the FBI Cyber Division and current managing director at K2 Intelligence's cyber defense practice.
“For example, to go after hundreds of pedophiles in the Dark Net or continue to use the capability to monitor state-sponsored cyber actors or terrorists, who would ‘scatter’ if they knew they were being monitored?” he said.
He notes that the decision-making process becomes “more complex” when another agency owns the classified capability.
The other way the feds might have to tell Apple how it got into Farook’s device is through a White House review panel created under a little-known cybersecurity rule adopted by the Obama administration in 2010.
When the government finds a previously undiscovered hack, the panel determines whether it should be disclosed to the manufacturer.
But the rule leaves a carve-out for national security concerns that the government might take advantage of in this case.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack,” White House Cybersecurity Coordinator Michael Daniel said in a 2014 blog post outlining the decision-making process.
Critics say the so-called Vulnerability Equities Process allows the government too much wiggle-room to hoard exploits at the expense of cybersecurity.
“Our concern for a long time is these exceptions would basically be loopholes big enough to drive a truck through,” said Christopher Soghoian, chief technologist at the American Civil Liberties Union.
Soghoian says the fact that government has been able to hold onto its exploit in the Playpen case for so long is a sign that the process is “broken.”
He argues that the makeup of the review board — which isn’t public — is disproportionately weighted toward intelligence and defense officials without representing privacy or technology experts from agencies like the Federal Trade Commission or the National Institute of Standards and Technology.
“There are not a lot of people who are hopeful about the Vulnerability Equities Process,” Soghoian said.
The result, onlookers say, is that the government is alienating tech companies by not disclosing vulnerabilities it finds — a common practice in the cybersecurity industry.
And in the meantime, Apple is likely racing to identify and patch whatever weaknesses the FBI used to access Farook’s phone.