FBI Spent $1.3 Million To Not Even Learn The Details Of The iPhone Hack... So Now It Says It Can't Tell Apple
from the wtf dept
Once the DOJ told the court in San Bernardino that it had succeeded in hacking into the iPhone of Syed Farook, the big question people asked is whether or not the FBI would then tell Apple about the vulnerability. After all, the administration set up the so-called "Vulnerabilities Equities Policy" (VEP) with the idea of sharing most vulnerabilities it discovers with companies. The White House directly stated:One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.Of course, there's a big "but" there -- and it's that there's an "exception" for law enforcement. Last fall, after (yet another) big legal fight, the good folks over at the EFF finally got access to the VEP details and you can now read a (heavily redacted) version.
This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities – so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.
Still, one could make a strong case that this vulnerability should be disclosed... even if almost no one expected it to be. Amusingly, just a few days ago, Apple revealed that the FBI used the VEP to disclose a vulnerability for the very first time, on April 14th, just as everyone was arguing about this. Of course, the flaw it revealed was not about hacking into the iPhone, and was actually about a flaw that Apple had discovered and fixed... nine months ago. But, again, if this is the very first time the FBI has disclosed something to Apple, it certainly suggests that the VEP process generally means nothing gets disclosed. In fact, the timing of this really suggests that someone in the DOJ recently flipped out and realized that there's now going to be scrutiny on the VEP, so they might as well disclose something. Thus, they found an old bug that had already been patched and "revealed" it.
Either way, things got stranger a couple of days later, when the FBI -- which had already admitted to paying over $1 million to access Farook's iPhone, said that, for all that money, the people it hired never explained the vulnerability. They just opened the phone. Really.
“The F.B.I. purchased the method from an outside party so that we could unlock the San Bernardino device,” Amy S. Hess, executive assistant director for science and technology, said in a statement.Now, some are arguing that this suggests absolutely terrible bargaining on the side of the DOJ/FBI. But, another interpretation is that it's how the DOJ knew that it wouldn't have to reveal the flaw to Apple. Of course, this might also explain why the DOJ at one point appeared to claim that the hack in question only worked for Farook's phone. They later claimed that was a misstatement, and it really meant that it only applied to that iPhone configuration. But, if the FBI never actually got the details, then in some sense they'd be right that for the FBI the crack only worked for that one phone. And if they wanted to do it on another phone, they'd have to shell out another ~$1 million or so...
“We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review” by the White House examiners, she said.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, encryption, fbi, going dark, vep, vulnerabilities, vulnerabilities equity policy
Companies: apple
Reader Comments
Subscribe: RSS
View by: Time | Thread
In other words, they do not even know if the method modified the contents of the phone in any way. In other words they paid a lot of money to allow them to escape from a court case that they started.
[ link to this | view in chronology ]
Re:
They royally screwed up an investigation into a single, solitary cell phone, and these jackholes want access to everything?
Federal Bureau of Incompetence
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
So, what if the FBI found that the phone looked just like one that had been recently wiped? Just coincidence, I'm sure, and it only cost them $1.3 million dollars.
Hey, FBI, next time you need one cracked I'll do it for a million bucks, even. Heck, I might even give you a two-fer. Of course, I can't guarantee what will be found. They might turn out looking like they've been recently wiped.
[ link to this | view in chronology ]
Discovery
[ link to this | view in chronology ]
Re: Discovery
[ link to this | view in chronology ]
Re: Re: Discovery
Personally, I wouldn't mind if they gave me over a million dollars to unlock a phone. Since I'm not the government, a wrench would likely be enough in most cases. In others, I could supply them with phone contents tailored to whatever they were looking for.
I hope the FBI at least got some confirmation that the data they received actually came from the phone in question....
[ link to this | view in chronology ]
Re: Discovery
[ link to this | view in chronology ]
Re: Discovery
You're missing the fact that these hacking companies sell products. Just like Google sells advertising products, not advertising data, hacking companies sell hacking products not hacking methods.
It's simple economics, you make more money selling fish than teaching fishing lessons.
[ link to this | view in chronology ]
Alternate explanation for disclosing old bug
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Empty gestures
Yeah, going to have to agree with the article here, I'm guessing the only reason they 'reported' the flaw was because it had been patched and was therefore useless to them. I really doubt they'd be willing to report an active flaw, given doing so would reduce their ability to access devices affected by it, and they care more about that than protecting the public from the repercussions of others using the flaw.
[ link to this | view in chronology ]
What a cost
That pretty starkly illustrates their motives in wanting the phone unlocked in the first place. They probably had to pay more to NOT find out the details of the vulnerability since just revealing its existence would lower its market value, and it's likely that they reflexively asked for plenty of safeguards like exclusive ongoing access and complete secrecy.
[ link to this | view in chronology ]
Handy that
Cyber pathogens?
The Ultimate Question?
A bunch of sudoku puzzle answers?
What appears to be a bunch of lurid poetry with innuendos that are almost, but not quite enough to make a nun blush, but which is actually perfectly tame and only masterfully written to seem questionable?
Then when it started to look like the case might not go their way, overnight and like magic they suddenly found out that they didn't in fact need Apple's forced assistance, and ran away from the case fast enough to set speed records. Yet despite managing to do what they claimed was impossible previously, they remained silent on how they did it, and the only thing known was the crazy price-tag on how much it took.
And now they claim that they handed over both phone and $1.4 million to a company or group that only unlocked the phone, and didn't tell them how they did it, not only making anything found on the phone absolutely worthless as far as evidence goes(which assumes that they cared about the contents in the first place of course), because if they don't know how it was done they have no assurance that the process didn't change anything, and oh would you look at that, they can't tell anyone how it was done so that anyone can check to see if the technique used actually exists.
It's not a question of if they lied, but when and how much, and the more I read the more I come to believe that the answer to that question is 'At every step of the process, and in every possible way'.
[ link to this | view in chronology ]
So tell us who did it and get out of the way as a useless middleman
[ link to this | view in chronology ]
She could have stopped right there.
[ link to this | view in chronology ]
And if you believe that...
A public defender could get most suspects off with this lame story, especially when they ask to see 'validated data the proves the resource discovered in the illegal hack wasn't fabricated evidence'.
Show me a C-programmer that will code it for free, and i'll give you an entirely unbreakable encryption algorithm in a day that you can post the code as GPL, and it will still never be hacked. This isn't rocket science, this is a fun-house with scary mirrors - and the NSA owns it.
[ link to this | view in chronology ]
Re: And if you believe that...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Whether or not that will get by a judge in an evidence hearing is anyone's guess. Some judges are sticklers on questionable procedures, others don't give a damn and tend to side with the prosecution because well... "The King can do no wrong." The person is guilty as hell cuz we said so!
All it takes is one judge to accept the questionable procedure and it becomes a precedent prosecutors can use in the future to allow the same thing to happen again in another case in another jurisdiction. Besides it's an annar... er commu... err drug... er terrorist suspect, yeah that's it!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
They drop the case by claiming that it's not needed, but of course people want to know how they got in, and since they didn't they need some excuse for how they got in but can't tell people who they did it. Out of nowhere an unknown group steps in that unlocks the phone but doesn't tell the FBI how they did it, and as a result the FBI can't tell anyone else how it was done either.
The entire thing positively reeks of lie after lie, attempting to use the court system to set the precedent they can't get via the lawmakers and running away when it starts to look like the 'wrong' precedent will be set.
[ link to this | view in chronology ]
Re: Re: Re:
It's a lot more probable to believe that no device is invulnerable and those businesses who profit from finding these vulnerabilities also profit from not disclosing them and instead packaging them into products and services they can sell for exorbitant sums to nation states on a per-use basis.
[ link to this | view in chronology ]
Re: Re: Re: Re:
'The FBI lied to get out of a case that was going poorly for them, and then lied again to cover for the first lie' is much more likely to me at least than 'The FBI found just at the right time a group willing to unlock the phone but not tell how it was done, and the FBI accepted this despite the fact that it made any potential evidence on the phone completely useless.' Slightly less likely than #1, but still more likely than option #2 of course is 'The FBI lied when they claimed they didn't have the ability to access the phone in the first place, and just wanted to force Apple to do what they could have done to set the legal precedent they wanted.'
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
So it's completely believable to you that an agency would lie as a matter of course yet for some reason be above parallel construction, which has already been proven to be widespread?
It's much more plausible to think that the FBI would not stop searching for other ways to access the contents of the iPhone, and the official story is an outside hacking group approached them which would make sense given the high profile nature of the proceeding.
There are irrefutable givens:
* Vulnerabilities exist in hardware and software
* Companies exist to find these vulns and sell hacking products (i.e. Hacking Team, Cellebrite)
* It is in the best business interest of the kinds of companies above NOT to disclose their sources and methods
What is the most likely in my view, and anyone who analyzes the likely motives of all involved parties, is that FBI realized it had the clear legal right to attempt to access the iPhone and would pursue all legal methods of doing so. This doesn't mean it is only about one phone, it isn't and Comey's statements to that effect are carefully worded to be misleading, but not outright dishonest.
If you look at the history of US government it has become increasingly difficult to tell an absolute lie. Even Clapper's infamous statement "not wittingly" was a tell. It's a travesty of democracy that one must think like a legal scholar to understand the meaning of the words of our officials, but that is another matter.
Occam's razor cannot support the mass conspiracy needed to explain outright lies, a $1.3m budget item, and the idea that FBI is so competent as to orchestrate a long running subversion of the legal system (somehow countering the checks and balances of gov't too) at the expense of their primary investigative goal.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Not at all, however evidence laundering against who? The 'suspects' in this case are quite dead, and if they were going to lie and claim that some vital information had been 'found' on the phone I imagine they'd have done it already. Instead they seem to be hoping that the matter will blow over and be forgotten for when they try again the next time a tempting case comes along.
It's much more plausible to think that the FBI would not stop searching for other ways to access the contents of the iPhone, and the official story is an outside hacking group approached them which would make sense given the high profile nature of the proceeding.
To what end though? Unless I'm off by miles they do not and never did actually care what was on the phone itself, all they cared about was the legal precedent they thought it could get them. Once it looked like that wasn't going to happen they dropped the case to avoid the 'wrong' precedent being set.
Occam's razor cannot support the mass conspiracy needed to explain outright lies, a $1.3m budget item, and the idea that FBI is so competent as to orchestrate a long running subversion of the legal system (somehow countering the checks and balances of gov't too) at the expense of their primary investigative goal.
You might be overthinking it, there's no need for a 'mass conspiracy', just good old perjury in an attempt to get through the courts what they couldn't get through the lawmakers.
As I see it there were several points at which a lie was possible:
1) In the beginning, when they claimed that they couldn't unlock the phone without Apple's forced assistance. For this to be a lie it would require them to already have access in some way, perhaps by a previously discovered flaw in the security.
Odds: Low to mid.
2) Also in the beginning, when they claimed that they had 'exhausted all other options', and tried everything with no success. For this to be a lie they'd simply need to not try all other possibilities such as getting in contact with other agencies or specialists and soliciting their help/advice.
Odds: Mid to high.
3) When they claimed that they'd found another way in and no longer needed to force Apple to help them. This was a lie either in the sense that they didn't 'just' find the exploit, they'd had it the entire time, or in the sense that they hadn't found a way to unlock the device and were just claiming otherwise in order to drop the case.
Odds: Mid to high. I'd put this one as the most likely given the timing.
And finally 4) When they claimed that a mystery company/group sold them the unlocked phone but didn't tell them how it was done, so they in turn couldn't tell anyone else how it was done(and more importantly so that other people couldn't check if the hack even existed).
In the end it's the timing that strikes me as the greatest indicator that the 'We found a way in' was a lie. They spend considerable resources trying to swing public opinion in their favor, and just as it seems the case is going to go south on them like magic they 'find' another way in and drop the case.
It's not like this was a small, relatively unknown case, if there really was someone willing to sell them an exploit to unlock the phone I imagine they would have approached the FBI with it early on, not waited that late in the case to sell it(though I suppose in that scenario doing so would give them quite the bargaining chip).
[ link to this | view in chronology ]
Re: Re: Re: Re:
You are incorrect. I in no way believe my devices are secure from government or corporate intrusion.
[ link to this | view in chronology ]