
Does the FBI's move mean iPhones are hackable?

Elizabeth Weise
USA TODAY
An anti-government protester last month holds his iPhone with a sign "No Entry" during a demonstration near the Apple store on Fifth Avenue in New York.

SAN FRANCISCO — On Monday the FBI announced it was withdrawing its legal attempt to force Apple to aid it in unlocking the iPhone that had been used by San Bernardino terrorist Syed Rizwan Farook. The agency said it had found another way to get at the phone's data.

The immediate question for many users is: Are iPhones now hackable? The immediate answer is: We don't know.


The FBI has not shared what methods it was using to attempt to get into the phone, what method finally worked or even the name of the "outside party" that came forward with the method last week. It's only disclosed what method it didn't use: it didn't try making a digital copy of the iPhone's chips, FBI Director James Comey said last week. 

Apple had no comment for this story.

Without the FBI's information, it's impossible to know what security vulnerability the agency found, said Jonathan Zdziarski, an iOS forensic expert and author of a book on how to both hack and secure Apple devices.

Given that, it's difficult to assess the potential security issues for other iPhones.

“If a software method was used (as have been successfully over the years), then all bets are off,” Zdziarski said via email.

If the FBI was using physical methods to slice open and read the contents of the chip containing the phone's encryption key — a highly expensive, time-consuming and potentially destructive method — it's unlikely the world's phones are suddenly any more vulnerable than they were.


It's also possible that the phone Farook used, an iPhone 5C, is more easily broken into than the iPhone 6 series, which is overall more sophisticated and more secure.

Mechanism to disclose

While the FBI is under no obligation to disclose how it got into the phone, there is a framework under which it could do so, said Andrew Crocker, a staff lawyer with the Electronic Frontier Foundation, a San Francisco-based digital liberties group.

The U.S. government has a stated policy of disclosing computer security vulnerabilities that it has discovered or that have been made known to it, in most cases, he said.

Called the Vulnerabilities Equities Process, it requires law enforcement and intelligence agencies to weigh the positives and negatives of such disclosures. The inter-agency group was established under the direction of the Director of National Intelligence.

“The government has said that in the vast majority of cases it will disclose security vulnerabilities, though in a small handful it doesn't,” said Crocker, who spent the last year and a half litigating to gain access to documents explaining the policy.

“It would be good for everyone’s security if they disclosed, but they probably won’t,” he said.

Joseph Lorenzo Hall, with the Center for Democracy and Technology, a digital rights organization, said he thinks Apple will "find and fix the relevant bug."

This entire process will increase scrutiny of how government agencies disclose computer security vulnerabilities, he believes. "When should the FBI be obligated to inform Apple of the details of this bug?" he said.

Users have the power

Apple will likely beef up the security of its devices based on speculation about all of the different methods, said Zdziarski, though that won't necessarily solve the problem if the company doesn't know what it's protecting against.

Users do have the ability to make themselves less hackable, however, though it means memorizing a longer passcode.

"I cannot stress how important it is that those looking to protect their privacy use a complex, alphanumeric passcode as opposed to a simple numeric pin" on their phones, he said.

A passcode to unlock an iPhone that uses a string of letters and numbers is much harder to break than a simple four- or six-digit code, he said.

Information on how to lock a phone with a passcode longer than six digits is available on Apple's website.
