Ex-NSA Hackers Explain -- Why You Do And Don't Want The NSA To Help FBI Crack iPhones


In its ongoing tussle with the FBI, Apple continues to indicate the NSA could help police agents crack into the iPhone of San Bernardino shooter Syed Rizwan Farook. In its most recent filing, in a section entitled ‘The Government Has Not Demonstrated Necessity’, Apple didn’t explicitly state feds should collaborate with the US’ finest snoops, but argued the FBI had not explored all avenues before seeking the “extraordinary order” under the All Writs Act, citing claims the NSA could assist.

At first glance, this line of thinking might appear odd. Given all the anxiety over the NSA’s broad hacking powers, surely expanding them in handing over tools and techniques to the FBI would be a loss for privacy. Not so, according to Dave Aitel, former NSA research scientist and CEO of security firm Immunity, who says the attempt to have Apple create a bespoke, hackable version of iOS that allows for unlimited guesses for passcodes on all iPhones is far worse. “What they’re asking from Apple is pretty much as bad as it gets.”

The NSA could and should help the FBI, says Aitel, suggesting to FORBES other nations’ hackers could assist too. “If this was a piece of Russian equipment, how would we do that? We would hire the guys at the NSA whose job it is to do this stuff to do it using a bunch of different techniques. That’s the much more traditional way of dealing with any kind of forensics.

“This is about dealing with a terrorist threat [where] you’d normally cooperate with foreign nations as well. It shouldn’t just be limited to the NSA... The Chinese have no problem probably helping us. Could be the Germans next time.”

What could the NSA even do?

Whilst FBI director James Comey claimed in Congressional hearings the NSA had been asked to help break into Farook's iPhone but couldn't assist, experts FORBES spoke with believe the intelligence agency's hackers could get in if required.

If the NSA did supply its hacking services to the FBI, it would have to use up a few of its “zero-days”, the otherwise unknown, unpatched vulnerabilities that allow it to break the defences of secured technologies. The NSA both finds its own zero-days and buys them from contractors, keeping them secret, to the dismay of some in the security community who believe vendors should be informed of every bug affecting their software so they can patch and protect all users from attack.

Aitel thinks the San Bernardino case proves the worth of the zero-day exploit market, which his company facilitates and takes part in. “Everyone’s so anti-zero-days but this is what zero-days were for," he says. "This is an example of the strategic value of investing in your zero-days, solving really hard policy problems.”

What zero-days would the NSA have to supply to crack this particular iPhone? The FBI have had trouble accessing Syed’s device as they believe it has a security protection turned on that burns keys used to encrypt, lock and unlock information on the iPhone when 10 passcode attempts have been made. It asked Apple to create a special version of iOS that would allow infinite guesses of the password. As previously described to me by another former NSA staffer, Patrick Wardle, if the FBI had to do this without Apple’s assistance, it would need to trick the phone into believing it was running software signed by Apple, or to avoid that verification completely. He indicated an exploit targeting a USB driver could work, as communications take place between locked phones and tethered PCs.
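To make the trade-off in the passage concrete, here is an added illustrative model (not Apple's code, and not drawn from the article) of a passcode check that counts failed unlocks and erases its key material on the tenth failure, next to the same check with the limit removed, which is what the requested iOS variant would amount to. The class, its parameters and the toy PBKDF2 cost are assumptions made for the demonstration.

```python
"""Toy model of an attempt-limited passcode check that erases key material
after a fixed number of failures. Illustrative only; it is an assumption
about the mechanism, not Apple's implementation."""
import hashlib
import hmac
import itertools
import os


class PasscodeGuard:
    """Stores a salted, slow-hashed verifier and counts failed unlock attempts.

    max_attempts=10 models the erase-after-10 protection described above;
    max_attempts=None models firmware that allows unlimited guesses.
    """

    def __init__(self, passcode: str, max_attempts=10, iterations=10_000):
        self.salt = os.urandom(16)
        # Deliberately low iteration count so the demo runs quickly; a real
        # device uses a far slower, hardware-bound derivation.
        self.iterations = iterations
        self.max_attempts = max_attempts
        self.failures = 0
        self.wiped = False
        self.verifier = self._derive(passcode)

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, self.iterations)

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            return False  # key material is gone; no guess can succeed now
        if hmac.compare_digest(self._derive(guess), self.verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.verifier = None  # "burn" the key: protected data is unrecoverable
            self.wiped = True
        return False


def exhaustive_search(guard: PasscodeGuard, digits: int = 4):
    """Feed every PIN to the guard in order and report how it responded:
    ("unlocked", n), ("wiped", n) or ("exhausted", total)."""
    pins = ("".join(d) for d in itertools.product("0123456789", repeat=digits))
    for attempt, pin in enumerate(pins, start=1):
        if guard.try_unlock(pin):
            return ("unlocked", attempt)
        if guard.wiped:
            return ("wiped", attempt)
    return ("exhausted", 10 ** digits)


def expected_guesses(digits: int) -> float:
    """Average number of guesses needed against a uniformly random PIN
    when nothing limits the attempt count."""
    return (10 ** digits + 1) / 2


if __name__ == "__main__":
    print(exhaustive_search(PasscodeGuard("0042")))                    # limit on: wiped after 10
    print(exhaustive_search(PasscodeGuard("0042", max_attempts=None)))  # limit off: unlocked at 43
    print(expected_guesses(4))                                          # 5000.5 on average
```

With the limit in place the search ends after ten failures with the key erased; with it removed, a four-digit PIN falls in at most 10,000 guesses, which is the gap the filing is arguing over.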

CEO of Russian iPhone forensics vendor Elcomsoft, Vladimir Katalov, said any exploits would have to retrieve the encryption keys locking up the device, and this would require a zero-day in the iOS bootrom, or as Apple calls it the SecureROM. This contains the first code run by a processor in an iPhone after the power is turned on. If a vulnerability can be found at that low level and the code altered, it would be possible to access protected data. The hacker would first have to change the code at the kernel, the core program that loads after SecureROM and that iOS trusts to control everything that happens on the operating system, Katalov said. They could then grab the encryption keys. He noted that with 64-bit devices - iPhone 5S and above - his firm (recently implicated in 2014 leaks of celebrities' nude pictures) has found it impossible to grab those encryption keys after a SecureROM exploit. Farook’s phone, handed to him by the San Bernardino County he worked for, was an iPhone 5C running iOS 9 that would be vulnerable to an effective SecureROM attack.

Other security experts have suggested an exploit of the separate operating system on the iPhone’s baseband chip, which handles the device’s cellular connections, would be effective. Once a hacker has control of the baseband, they can change the wider operating system’s code even when the device is locked, such as allowing repeat guesses of a password. It may also be possible to find a basic passcode bypass, as has been demonstrated on some iPhones before, though this may require repeated guesses the FBI does not want to take.

Hardware hacks could also prove fruitful. This is something Aitel believes the NSA is capable of too, decapping the iPhone’s memory chip and probing it with a laser to expose the portion of the chip that contains the relevant key data. That information could then be extracted and the passcode subsequently computed. As ABC News noted, this would be extremely risky as the laser could easily fry the chip, rendering it worthless. But it’s one of a number of possible avenues into the specific device the FBI wants to open.

Why the NSA won’t want to “burn” its exploits

Evidently there are many possible ways government snoops could crack Farook's phone open. But the NSA might not want to “burn” its exploits on that iPhone, says Ben Johnson, co-founder of endpoint security firm Carbon Black and former NSA computer scientist. Not only was the iPhone left in a drawer, it wasn’t even Farook’s main phone (a device that he destroyed), leading some, such as creator of encrypted chat app Signal Moxie Marlinspike, to believe the iPhone doesn’t contain much useful evidence.

So sensitive are the resources and methods the NSA has that it’ll only use them up where fully necessary, Johnson says. “Losing that is so damaging,” he tells FORBES. “I don’t believe the NSA would think that this one case would be that valuable especially when Apple already provided the iCloud data [from Farook's account].

“I don’t doubt that capabilities exist, I just feel like in this situation it isn’t something that the US government’s national security mission would want to potentially burn.”

American cops need better hackers

If the NSA won’t work with the FBI, the agency might want to look at its own capability. In this week's filing for its appeal, Apple had some choice words to say about the FBI’s forensic capabilities. “Defining the scope of the All Writs Act as inversely proportional to the capabilities of the FBI removes any incentive for it to innovate and develop more robust forensic capabilities,” a filing footnote read. The suggestion being that the FBI is being lazy, using the All Writs Act instead of developing its own hacker workforce. “The government’s showing of need for this unprecedented order is speculative at best,” Apple added.

Aitel thinks Apple is right. “I don’t think they [the FBI] want to pay for it, but sometimes you have to pay for things you don’t want to pay for. It’s not cheap either. But they’re getting a lot of stuff for free. It’s been easy for so long and they want it to stay easy and cheap, but that’s just not the way the future of the world is going to be.

“There are centres of excellence for forensics, they clearly need to be massively expanded, that’s the future of crime solving.

“It’s poor strategic planning that we got to this point without them already having made that investment.”
