The President's Phone OPSEC Continues To Be, Well, Crap

from the ill-communication dept

By now the President's unwillingness to adhere to anything close to reasonable security when using his mobile phones has been made pretty clear. Whereas the Defense Information Systems Agency (DISA) and the NSA usually work in concert providing state leaders with "hardened" devices that are heavily encrypted, routinely updated, and frequently swapped out, Trump has refused to use these more secure DMCC-S devices (effectively a Samsung Galaxy S4 device utilizing Samsung's Knox security architecture), because it might infringe on his ability to Tweet.

Past reports have suggested that security advisors have at least convinced him to use two iPhones: one locked down specifically for Twitter, and the other specifically tasked with making phone calls. But as a new report this week from the New York Times makes clear, Trump's lax phone security is being pretty routinely taken advatage of by foreign intelligence agencies:

"When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing, American intelligence reports indicate that Chinese spies are often listening — and putting to use invaluable insights into how to best work the president and affect administration policy, current and former American officials said."

Senators sent a letter to Trump back in April expressing concern at his abysmal operational security, but that message still hasn't gotten through to the aggressively cocksure President, according to the Times report:

"Mr. Trump’s aides have repeatedly warned him that his cellphone calls are not secure, and they have told him that Russian spies are routinely eavesdropping on the calls, as well. But aides say the voluble president, who has been pressured into using his secure White House landline more often these days, has still refused to give up his iPhones. White House officials say they can only hope he refrains from discussing classified information when he is on them."

The Times quotes numerous anonymous experts who say their claims come from sources in these foreign governments. And while the Times story doesn't get technical about how foreign intelligence agencies are tapping into the calls, many surmise they're exploiting, among other things, the cellular network Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US) flaw that the industry has been refusing to fix for the better part of the last decade. The flaw can be exploited to track user location, dodge encryption, and even record private conversations if strict countermeasures aren't adhered to.

That said, security experts were quick to point out there's an ocean of ways that foreign intelligence agencies could be intercepting Trump's calls in transit via passive decryption as the calls travel between the phone and cellular tower:

Of course intel agencies could also be targeting his most-commonly called individuals on the other end. As is his way, the President was quick to issue a Tweet insisting the entire story was false...while using his iPhone:

To let Trump's ego dictate his security practices is obviously still problematic, potentially even to the point of putting lives at risk. It's also incredibly ironic given all the time Trump spends complaining about potential Chinese spying habits, including the Trump-driven blacklist of all Huawei products in the United States. It's a blackballing that's not based on much in the way of evidence, but is certainly appreciated in a protectionist capacity by the U.S. networking and cell phone vendors who didn't want to have to compete with cheaper Chinese gear. Huawei, for its part, was quick to make light of the report:

Trump's phone habits continues to be a giant middle finger toward transparency (like adhering to the Presidential Records Act) and fundamental opsec, but neither Trump nor the adults tasked with his daily supervision appear to much care.

Filed Under: china, donald trump, iphone, listening in, opsec, phones, russia, surveillance, wiretap

FBI Officials Were Angry That An iPhone Hack Blocked Them From Getting Court To Force Apple To Break Encryption

from the agency-actually-doesn't-care-much-about-the-public-or-safety dept

As you probably recall, last year the FBI tried to force a court to effectively create a backdoor for encrypted iPhones, using the high profile San Bernardino shootings as the wedge. It seemed quite obvious with how the whole thing played out that the FBI didn't really need to get into Syed Farook's work iPhone, but that it hoped leverage the high profile nature of the case and the "fear, uncertainty and doubt" around a "terrorist" attack to finally get a court to force Apple to do this. A new report reveals that the FBI was very much focused on using this case to force the issue to the point that top officials were angry that a vendor figured out another way into the iPhone, and stopped the court proceedings.

Again: if the real goal (as stated publicly by the FBI at the time) was to find a way into this phone for important reasons, then you'd think the FBI would be excited when they found a way in, rather than pissed that a court wasn't needed to force a backdoor. But that's not what happened.

A recently-released Inspector General's report [PDF] shows the FBI jumped the gun in the San Bernardino case. The FBI insisted it had no other options when it asked a judge to grant its All Writs Act request to compel Apple to break into the shooter's recovered iPhone. But this report shows these claims -- one repeated by the DOJ in its legal filings and by James Comey in testimony to Congress -- weren't actually true.

The ROU [Remote Operations Unit] Chief told us that, at a monthly OTD managers’ meeting on February 11, 2016, the Chief of DFAS (of which CEAU [Cryptographic and Electronics Analysis Unit] is a part but ROU is not), indicated that CEAU was having problems accessing the data on the Farook iPhone and was preparing for court. The ROU Chief, who told the OIG that his unit did not have a technique for accessing the iPhone at the time, said that it was only after this meeting that he started contacting vendors and that ROU “got the word out” that it was looking for a solution. As discussed further below, at that time, he was aware that one of the vendors that he worked closely with was almost 90 percent of the way toward a solution that the vendor had been working on for many months, and he asked the vendor to prioritize completion of the solution.

There was a another option available at the time the DOJ filed its All Writs Request (February 16). It may not have been complete yet, but the FBI had reason to believe it would be soon. Instead of giving this option a shot, the FBI tried to secure a favorable ruling compelling Apple to crack the shooter's iPhone. This wasn't what was presented to the judge in the DOJ's filing.

Comey testified before Congress on February 9th. If there had been better communication between the FBI's Operational Technology Division (OTD) and the Cryptographic and Electronic Analysis Unit (CEAU), Comey may have been apprised of this fact before his first testimonial appearance. Given the national attention being paid to this case, there's no reason Comey should have been out of the operational loop, even at this early date.

But Comey repeated the same claim nearly a month later (March 1st): the FBI could not get into the iPhone without Apple's assistance. (And again three weeks later in an angry letter to the editor published by the Wall Street Journal.) There's no way Comey could not have been aware of these developments, not with the DOJ engaged in a high-profile courtroom battle with Apple over compelled assistance.

The Inspector General finds Comey's claims to be technically true: the breakthrough offered by the still-undisclosed vendor was not passed on to the FBI until March 16th and successfully demonstrated for agents on March 20th. The following day, the US Attorney's Office informed the court of this development and withdrew its All Writs request.

Comey's statements were technically true but not the parts where he insisted the only way to access the iPhone's contents was with Apple's assistance. If he was not being informed of ongoing developments on the tech side, that's inexplicable behavior by FBI entities directly tasked with cracking the shooter's iPhone. Given the high-profile status of this case, it's not just inexplicable. It's literally unbelievable.

But that's not the only concerning aspect of this report. The head of the FBI's Remote Operations Unit (ROU) -- the person who reached out to the vendor about the progress of its iPhone crack -- was never contacted or consulted by the other offices working on the same problem. As the ROU Chief stated, the ROU walled itself off to prevent national security tools from being used in normal criminal cases.

This would seem to be good news -- the FBI drawing internal lines in the sand between natsec and normal criminal investigations -- but it actually isn't. The CEAU head believed no line existed and it could bring tools over from the natsec side any time it wanted to. But that's not the worst of it. The CEAU actually did not want a solution found.

According to the ROU Chief, his only conversation with the CEAU Chief was well after the fact, during which the CEAU Chief “was definitely not happy” that the legal proceeding against Apple could no longer go forward.

This is further backed up by statements made to the IG by FBI Executive Assistant Director (EAD) Amy Hess.

After the outside vendor successfully demonstrated its technique to the FBI in late March, EAD Hess learned of an alleged disagreement between the CEAU and ROU Chiefs over the use of this technique to exploit the Farook iPhone – the ROU Chief wanted to use capabilities available to national security programs, and the CEAU Chief did not. She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.

This was also admitted by the CEAU Chief in his interview with the Inspector General.

The CEAU Chief told the OIG that, after the outside vendor came forward, he became frustrated that the case against Apple could no longer go forward, and he vented his frustration to the ROU Chief. He acknowledged that during this conversation between the two, he expressed disappointment that the ROU Chief had engaged an outside vendor to assist with the Farook iPhone, asking the ROU Chief, “Why did you do that for?”

The report makes it clear those steering the iPhone-cracking efforts were less interested in an outside vendor cracking the phone than obtaining a precedential decision. In doing so, the DOJ ended up filing false statements as sworn assertions, claiming it had exhausted every option before approaching the court with an All Writs Request. This report may sort of clear Comey and the DOJ, but it exposes something much uglier: FBI officials are not making good faith efforts to find outside solutions to the FBI's supposed "going dark" problem. They'd much rather have favorable court decisions and legislative mandates than work with the tools others are crafting for them. This all but guarantees the number of uncracked phones in the FBI's possession will continue to grow. But they should never be viewed as investigative dead ends. They should be seen for what they are: rhetorical devices.

Update: Sen. Ron Wyden sees the report for what it is. Here's his statement on the matter:

"The FBI's leadership went straight to the nuclear option -- attempting to force Apple to circumvent its encryption -- before attempting to see if their in-house hackers or trusted outside suppliers had the technical capability to break into the San Bernardino terrorist's iPhone," Wyden said. "It's clear now that the FBI was far more interested in using this horrific terrorist attack to establish a powerful legal precedent than they were in promptly gaining access to the terrorist's phone."

Filed Under: all writs act, encryption, fbi, going dark, iphone, syed farook
Companies: apple

Israeli Tech Company Says It Can Crack Any Apple Smartphone

from the thus-endeth-the-going-dark-conversation dept

Could this be the answer to FBI Director Chris Wray's call for broken device encryption?

In what appears to be a major breakthrough for law enforcement, and a possible privacy problem for Apple customers, a major U.S. government contractor claims to have found a way to unlock pretty much every iPhone on the market.

Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.

Big, if true, but not exactly the answer Wray, and others like him, are seeking. Cellebrite claims it can crack any Apple device, including Apple's latest iPhone. This is a boon for law enforcement, as long as they have the money to spend on it and the time to send the device to Cellebrite to crack it.

It won't scale because it can't. The FBI claims it has thousands of locked devices -- not all of them Apple products -- and no one from Cellebrite is promising fast turnaround times. Even if it was low-cost and relatively scalable, it's unlikely to keep Wray from pushing for a government mandate. Whatever flaw in the architecture is being exploited by Cellebrite is likely to be patched up by Apple as soon as it can figure out the company's attack vector. And, ultimately, the fact that it doesn't scale isn't something to worry about (though the FBI doubtless will). No one said investigating criminal activity was supposed to easy and, in fact, a handful of Constitutional amendments are in place to slow law enforcement's roll to prevent the steamrolling of US citizens.

Cellebrite's service apparently disables lockscreen protection, allowing the company to root around in the phone's innards to pull out whatever law enforcement is seeking. This also apparently works with Android devices, although that news is far less surprising than discovering Apple's security measures have been defeated. Default encryption isn't an option for all Android devices and that operating system is generally considered to be the a pile of vulnerabilities d/b/a consumer software.

While this won't end calls for weakened encryption, it does at least give law enforcement agencies another option to deploy against locked devices. But I don't expect it to change the rhetoric. Those calling for "responsible encryption" don't really want private sector solutions, no matter how much they claim to want to hold a "conversation" about lawful access. They want tech company subservience. They want the government -- via judicial, executive, or legislative branch -- to put companies in their place. In their opinion, tech companies have been getting uppity and forgetting the private sector exists to serve the government. It's not just a Chris Wray problem. Plenty of government officials feel the same way. But the complaints about "going dark" are going to ring that much hollower when solutions are being offered by private companies other than the ones the FBI is just dying to smack around.

Filed Under: cracking, encryption, going dark, iphone, privacy, responsible encryption
Companies: apple, cellebrite

Apple, Verizon Continue to Lobby Against The Right To Repair Your Own Devices

from the monopolizing-repair dept

A few years back, frustration at John Deere's draconian tractor DRM resulted in a grassroots tech movement. John Deere's decision to implement a lockdown on "unauthorized repairs" turned countless ordinary citizens into technology policy activists, after DRM and the company's EULA prohibited the lion-share of repair or modification of tractors customers thought they owned. These restrictions only worked to drive up costs for owners, who faced either paying significantly more money for "authorized" repair, or toying around with pirated firmware just to ensure the products they owned actually worked.

The John Deere fiasco resulted in the push for a new "right to repair" law in Nebraska. This push then quickly spread to multiple other states, driven in part by consumer repair monopolization efforts by other companies including Apple, Sony and Microsoft. Lobbyists for these companies quickly got to work trying to claim that by allowing consumers to repair products they own (or take them to third-party repair shops) they were endangering public safety. Apple went so far as to argue that if Nebraska passed such a law, it would become a dangerous "mecca for hackers" and other rabble rousers.

In the wake of Apple's recent iPhone battery PR kerfuffle (in which it claimed it throttled the performance of older iPhones to protect device integrity from dwindling battery performance), longer than normal repair waits have resulted in renewed interest in such laws. A new bill that would make it easier for consumers to repair their own electronics or utilize third-party repair shops is quickly winding its way through the Washington state legislature. That bill would not only protect the consumers' right to repair, but prevent the use of batteries that are difficult or impossible to replace:

"Starting in 2019, the bill would ban the sale of electronics that are designed “in such a way as to prevent reasonable diagnostic or repair functions by an independent repair provider. Preventing reasonable diagnostic or repair functions includes permanently affixing a battery in a manner that makes it difficult or impossible to remove."

Washington State Representative Jeff Morris says the bill was born directly from frustration by consumers and third-party repair shops in the wake of Apple's PR face-plant late last year:

"Morris told me this provision in the bill came out of a conversation with an independent repair shop owner in his district, who noted that many electronics now use glued-down batteries, which makes them difficult to repair and much harder to recycle, because batteries are flammable when shredded. There is currently no easy way for recyclers to remove the batteries from MacBook Pros at scale, for instance.

“With Apple phones in particular, they glue the battery in the case, so for me, that sounds like a purposeful attempt to make it so you couldn’t repair the phone,” Morris said. “It helps accelerate the path of those devices to the waste stream. So we’re trying to keep the philosophy our state is behind, which is recycle, repair, reuse."

Needless to say, Apple is furiously lobbying to kill Washington State's new law. As are fourteen other lobbying organizations representing hardware companies. Verizon's also lobbying against the bill (via the CTIA and the Telecommunications Industry Association), obviously concerned such a law would hurt the company's phone repair and insurance business it runs with Asurian. Unfortunately for Verizon and Apple, with 12 states introducing such bills last year and 17 such laws already proposed so far this year, this isn't an issue that's going away anytime soon.

Filed Under: drm, eula, iphone, iphone battery, ownership, right to repair, washington
Companies: apple, verizon

Apple Facing A Bunch Of Lawsuits After Admitting It Slows Down Older Devices, But Insisting It's For A Good Reason

from the yes,-but... dept

There was a bit of controversy last week concerning Apple slowing down older devices. It started, as so many things do, with a Reddit post, noting that Apple appeared to be slowing down the processor on phones with older batteries. Geekbench's John Poole then ran some tests confirming this. Apple then confirmed that it was doing so. All three of those links above also present the reason for this -- which is not necessarily a nefarious one -- though that doesn't necessarily mean it's a good explanation either. In short, it was a solution to a problem of older batteries causing "spontaneous" or "unexpected shutdowns."

But, of course, slowing down the phone to avoid those kinds of shutdowns still has the impact of reduced performance on older phones -- which ultimately angers users or makes them feel like they need to upgrade before they really do. This wouldn't necessarily be a huge issue if two things were true: (1) it was easy to replace the batteries and (2) Apple was clear and upfront about this -- telling people they could avoid this issue by replacing the battery. Neither of those things are true. Apple makes it quite difficult to replace the batteries (though, not impossible) and only now is explaining this "hack."

And, because this is America, lawsuits are already being filed. Multiple lawsuits. I imagine that they'll all be combined at some point into a giant class action, though I'm not sure how much of a chance this case has of going very far. Either way, I'd post the lawsuits, but as I type this PACER appears to not be working properly, and I really doubt there's much that's interesting in the complaints anyway.

What's more interesting here is the troubling nature of just how much control over our devices we've given to the companies who sell us stuff. This all goes back to the theme that we've discussed many times around here, of how we no longer seem to own what we've ostensibly purchased. The fact that a company such as Apple can sneak in and change our settings in a way that harms overall performance -- even if it claims it has a good reason to -- is something that concern us all. And that's especially true as more and more of our devices have such connectivity... and our own ability to get in and fix stuff is more and more limited.

Filed Under: batteries, class action lawsuit, iphone
Companies: apple

Apple Takes Heat For Software Lock That Prevents iPhone 7 Home Button Replacement By Third-Party Vendors

from the right-to-repair dept

We've been discussing for some time how John Deere, Apple, Sony and Microsoft are among a laundry list of companies fighting against so-called "right to repair" bills. The bills, currently being pushed in a handful of different states, make it easier for consumers to repair their own products and find replacement parts and tools. The bills are an organic consumer response to the attempts of many of these companies to monopolize repair, driven in large part by John Deere's draconian lockdown on "unauthorized repairs" -- forcing tractor owners to pirate tractor firmware and maintenance tools just to repair products they thought they owned.

Apple's been notably vocal on this subject, recently trying to shut down a Nebraska right to repair bill by proclaiming that it would turn the state into a dangerous hacker playground. Of course, propped up by the DMCA's anti-circumvention rules, Apple has utilized a rotating crop of tools to try and protect this repair monopoly. Last year, for example, Apple caused a bit of a shitstorm due to "Error 53", part of an iOS update that bricked phones that had their screens replaced by third party repair vendors.

Having apparently learned no lessons from the backlash from that use of repair locks, Apple is once again taking heat for new software locks cooked into the iPhone 7, which prevent the device's home button from working after it has been replaced. Unless, that is, the replacement is performed by a certified Apple technician with the proper "re-calibration" software. The home button is used to unlock the phone, and to return the user to the home screen when pressed.

In previous iPhone versions (iPhone 5S, 6, and 6S) if you replaced the home button you lost the security function, but users could still login via pin -- and the button still worked to bring users "home." But with the iPhone 7, replacing the home button via third-party vendor results in the button not working at all -- unless you take the device to Apple's Genius bar. This is, independent repair shops claim, just part of Apple's overall strategy of monopolizing repair, hampering third-party repair vendors, and restricting consumer choice:

"In a video demonstrating the block, Michael Oberdick, owner of the independent iPhone repair shop iOutlet, swapped the front displays (and home buttons) of two iPhone 7 devices. When swapped, the phone displays an error message that says "The Home Button May Need Service." Its functionality is disabled and "Assistive Touch" automatically pops up on the device, creating an onscreen, software-based home button."

This is, Oberdick argues, little more than a vindictive, anti-consumer move on the part of Apple:

"Not supporting that menu function makes no sense," Justin Carroll, owner of FruitFixed, an independent iPhone repair shop, told me. "Just a sad and petulant move on their part that will directly affect consumers especially after their one year manufacturer warranty is up."...This may sound like an esoteric issue, and to some extent it is—screen replacements can still be done so long as the original home button is carefully removed and moved to the new screen. But software locks specifically designed to prevent repair are a monopolistic, anti-consumer move that attempts to "tie" an electronic to the manufacturer even after it's already been sold.

Whether coming from Apple, Sony, or Microsoft, opposition to "right to repair" bills usually focuses on the three (false) ideas: the bills will make users less safe, somehow "compromise" intellectual property, and open the door to cybersecurity theft. Apple will be sure to breathlessly insist that they're only making the iPhone 7's home button impossible to repair to protect consumer security, hoping you'll ignore the entire practice of such software locks simply allows the company to monopolize repair, drive up the cost of overall ownership for all of its customers, and make life harder for third-party repair vendors.

Filed Under: digital locks, home button, iphone, right to repair, software lock
Companies: apple

DOJ Argues For iPhone Hack Secrecy By Contradicting Statements Made By The DOJ

from the one-body,-multiple-mouths,-ears-unconfirmed dept

The DOJ is still fighting a lawsuit over the iPhone exploit the FBI purchased to access the (worthless) contents of a phone used by a participant in the San Bernardino shooting. FBI director James Comey and the DOJ made comments at the time stating a couple of things:

1. The phone crack was expensive.

Specifically, Comey said that buying the exploit from this group cost the FBI "more than I will make in the remainder of this job, which is seven years and four months, for sure." Comey makes $185,100 per year at his job, implying that buying the exploit cost at least $1.3 million or so.

2. The phone crack only applied to a small subset of iPhones.

A DOJ spokesperson says... the crack only applied to iPhone 5C devices.

These statements are being wielded against the DOJ by the new agencies bringing this FOIA lawsuit. The DOJ isn't happy seeing the FBI director's words (along with its own) being used to undermine its arguments: namely, that almost nothing about the iPhone exploit can be revealed without ripping holes in the national security fabric or nullifying the FBI's intelligence-gathering techniques.

In its latest filing [PDF] in the lawsuit, the DOJ seemingly contradicts itself while arguing against revealing the contractor's name or even the amount paid for the iPhone crack. (h/t Brad Heath)

Plaintiffs remaining objection is unavailing. They claim that the iPhone tool itself is of no current value. See Opp’n at 15-16 (“Acceptance of the FBI’s argument would also require this Court to ignore that the FBI has been exceedingly public about the fact that the tool applies only to a specific model of phone (the iPhone 5c) running a specific, and already outdated, operating system (iOS9). Were adversaries on the hunt for actually effective countermeasures, they need only to heed [Director] Comey’s public statement and simply use a different kind of phone, or a different operating system.”) (citation omitted). But this argument is unvarnished speculation about the efficacy of this intelligence tool – and this Circuit has made exceedingly clear that such speculation cannot defeat an agency’s summary judgment claim.

Someone's assertions are wrong. Either the DOJ was lying when it said it would only work on certain iPhones, or it's lying now to protect its secrecy by implying the purchased exploit is usable on other iPhones.

The DOJ clarified last spring the exploit affected any iPhone 5c and wasn't limited to those running iOS9. But even if that clarification is applied to its arguments in this lawsuit, this paragraph stills points to someone at the DOJ being dishonest. The counterargument that people wishing to prevent the FBI from accessing their phone's contents could just switch to a newer iPhone still applies. And that's the part the DOJ is calling "unvarnished speculation."

Of course, the plaintiffs are in the unfortunate position of having little more than unvarnished speculation to work with. Some documents pertaining to the purchased iPhone crack have been released, but have been almost completely redacted, save for some standard contractual language of no informational value. The DOJ is leveraging information it doesn't want to release to argue against being forced to release it. That's certainly convenient for the DOJ, as are any of its intelligence gathering arguments, which grant it the power to dispel questions about over-redaction without having to explain its side of the issue.

Thus, while the identity of the vendor may not itself be an intelligence source or method, see Opp’n at 18, releasing that information leads “logically or plausibly” to information about the intelligence source or method, see Judicial Watch, 715 F.3d at 941, and is thus exempt from disclosure under Exemption 3. That is particularly true in light of the “considerable deference” owed to the FBI in this context. Leopold, 106 F. Supp. 3d at 58; see also Ctr. for Nat’l Sec. Studies v. Dep’t of Justice, 331 F.3d 918, 927 (D.C. Cir. 2003) (“[W]e have consistently deferred to executive affidavits predicting harm to the national security, and have found it unwise to undertake searching judicial review.”). Accordingly, the FBI has appropriately applied Exemption 3 to these two pieces of information.

A version of this argument just helped the DOJ keep its journalist-surveilling secrets hidden from journalists (it possibly surveilled) in another FOIA lawsuit. Chances are, the court will side with the FBI and its national security assertions. Unfortunately, the DOJ's contradictory statements aren't on trial here -- just its broad assertions about national security and intelligence-collecting methods, both of which appear to be so easily compromised it can't even let the country know how much it paid to crack a single iPhone.

Filed Under: contradictions, doj, fbi, hack, iphone, james comey

FBI Releases A Stack Of Redactions In Response To FOIA Request For Info On Its Purchased iPhone Hack

from the nothing-in-here-you-haven't-not-seen-before dept

As the result of an FOIA lawsuit brought by the Associated Press, USA Today, and Vice, the FBI has finally released documents about the one-time iPhone exploit/hack it purchased from an unknown foreign vendor. Well, more accurately, the FBI released a bunch of paper with nearly nothing left unredacted, as USA Today's Brad Heath pointed out multiple times on Twitter.

Among the things the FBI withheld are the non-disclosure agreement it signed with the company, the vendor's clear air and water certification, the date it was given approval to purchase the exploit, and pretty much anything else the FBI felt it could cover with white space and variations of the letter "b."

Here's USA Today's summary of what was left unredacted.

Friday's data release included dozens of pages of contracting boilerplate but no information about the source of the exploit or its cost. The FBI indicated in the records that both of those details are classified. FBI Director James Comey intimated during a public forum last year that the price was more than $1 million.

The documents did show that after the FBI’s clash with Apple became public, at least three other companies expressed interest in cracking the phone, even though none of them had by that point started developing a tool that would have allowed them to do so.

The last part shows there's no shortage of "smart people" willing to help solve James Comey's encryption problems, even if these solutions might only work one time and be far more expensive than the precedential court decisions and/or favorable legislation Comey is seeking.

In all fairness to the FBI, the public received about as much useful information from this document release as the FBI received from its pricey, one-time phone cracking. A long list of FOIA exemptions were used to justify even boilerplate like clean air/water compliance, which is par for the course when the FBI feels its methods and techniques might be made public.

If these redactions are challenged, the FBI is going to have a fun time explaining why it couldn't even release the price of the exploit, much less large chunks of the standard contractual language it deploys when working with private companies -- whether they're cracking open iPhones or supplying toner cartridges.

Filed Under: fbi, foia, iphone, iphone hack, redactions

FBI Tests The Waters On Another Attempt To Force Apple To Unlock An iPhone

from the not-this-again dept

Earlier this year, as you recall, there were two big cases in which the DOJ and FBI sought to force Apple to make significant technological changes to iPhone software in order to allow the DOJ to brute force the passcode on some iPhones used by some criminals. Eventually, after Apple (and others) pushed back, and public opinion was turning against the FBI, the DOJ miraculously announced that it found its way into both iPhones and the cases were dropped. But the issue of forcing companies (and Apple especially) to backdoor their way into encrypted iPhones certainly has not been dropped. And it appears that the FBI may be testing the waters to see if it can try again.

You may recall the knife attack in a Minnesota mall last month that wounded 10 individuals. The attacker, Dahir Adan, was shot and killed by an off-duty police officer. The FBI is still investigating and guess what? Adan had an iPhone. And it's locked.

Thornton said the Federal Bureau of Investigation is still investigating Adan's activities and wants access to his cell phone.
"Dahir Adan's iPhone is locked and we are in the process of assessing our legal and technical options to gain access to this device and the data it may contain," Thornton said.

"Technical options" meaning if any of the previously obtained methods will work to break in... and "legal" options as in going back to court to try, once again, to abuse the All Writs Act to force Apple to create backdoored code. Stay tuned...

Filed Under: all writs act, dahir adan, doj, encryption, fbi, going dark, iphone
Companies: apple