The FBI has been embroiled in a fierce legal battle with tech giant Apple over whether the company needs to include a security backdoor to allow the FBI access a smartphone. However, this was not just any smartphone. This was the phone of one of the deceased perpetrators of the San Bernardino shootings, a violent attack that left 14 dead and 22 injured.
With the owner of the phone dead and unable to provide a password, the FBI sought and received a court order demanding that Apple write software allowing them to bypass the phone’s “auto-destruct” feature. This is a feature on iPhones which wipes information on the phone after ten failed attempts. Normally, with only a four-digit password, there are a fairly limited number of password possibilities and the FBI could just brute force the phone open.
Apple refused the FBI, pointing out the archaic nature of the law that the order was granted under, the concerning precedent if law enforcement is allowed to force companies to write software against their will, as well as the privacy implications of creating a security backdoor would render the phones of all their users vulnerable.
After a wildly publicized battle in the courts between the FBI and Apple over this issue, the FBI suddenly dropped the case. They announced that they had unlocked the iPhone on their own—with the help of a private hacking business.
The FBI Has Ways of Making Your Phone Talk
Unable to hack the phone themselves, or easily make Apple comply with their wishes, the FBI turned to the open market to solve their problem. While it was originally reported that the FBI turned to an Israeli company to fix their phone headaches, it is now known that the FBI turned to a domestic company of “grey-hat” hackers.
Many have compared the world of computer hacking to the Wild West, and the lingo has reflected this. “White-hat” hackers search for security vulnerabilities on behalf of tech companies to allow the companies to fix the problem before it’s exploited. “Black-hat” hackers are just in it for malicious fun and profit. “Grey-hat” hackers are in between, hacking software and hardware without permission but with the intent of selling the vulnerability back to the victim—or in this case selling to the government.
The grey-hat hackers hired by the FBI used what is known as a “zero-day” hack to exploit a vulnerability in either the iPhone 5c or iOS 9 to bypass the “auto-destruct” feature. A “zero-day” is called such because normally hackers exploit the vulnerability repeatedly in one day before it is discovered and patched. However, Apple can’t stop that zero-day from coming because now that the FBI knows the vulnerability they refuse to spill the beans.
The Vulnerabilities Equities Process
Apple has asked the FBI to reveal the hack to them so they can fix it but the FBI has not been forthcoming. So the question is, does the FBI need to reveal Apple’s vulnerability to them?
The government finding and using security vulnerabilities is a common practice--so much so that there is policy in place to deal with whether the government should disclose. This policy is called the Vulnerabilities Equities Process (VEP).
The unredacted version of the VEP reveals the process by which the government decides whether to disclose the hacks and vulnerabilities it discovers. When the U.S. Government or somebody working with the government finds a security vulnerability in any government or commercial software or hardware, they report it. The National Security Agency (NSA) is then notified of the vulnerability and must report it to a (heavily redacted) list of government agencies and officials by the end of the day they are notified.
Once notified, these groups are then called upon to produce experts to argue whether the vulnerability should either be revealed or concealed. These recommendations are given to an interagency Equities Review Board (ERB) to consider. While the permanent members of the ERB are redacted, interested government agencies may appoint a representative to the ERB for any single decision.
Should the FBI Have to Disclose the Hack?
The VEP is not a legal obligation to disclose and totally up to the discretion of the government. Normally, the very existence of a vulnerability existing can be classified under the VEP. In this case, the case is so publicized that everybody knows about Apple’s vulnerability.
It’s unclear how serious of a vulnerability exists, a vulnerability requiring a physical phone is much less exploitable than one that can be implemented remotely. There is also a legal tension between the government revealing trade secret security vulnerabilities that they learn from hacking companies trying to sell these vulnerabilities and the dangers concealing those vulnerabilities creates. A world where the government can force companies to reveal trade secrets that they are trying to sell has its own disturbing implications.
While the simplest solution seems to be the FBI privately disclosing the hack to Apple, this has its own issues. If the FBI discloses the hack, it loses all value, damaging the hackers the FBI worked with. This may affect the willingness of hackers to work with law enforcement in the future. However, this difficulty seems minor when compared to allowing a security vulnerability to exist which has the potential to compromise the privacy and financial security of millions of iPhone users.
Where Will Apple Go From Here
As it stands, Apple is forced to play a game of wait and see. Apple has stated that they won’t sue the government to reveal the flaw. However, it’s questionable whether they have legal recourse allowing them to sue in the first place.
White House cybersecurity coordinator Michael Daniels says the VEP has a bias towards disclosure. However, statements from the FBI sound like they’re dragging their feet. FBI Director James Conway was quoted saying that “if the government shares data on the flaws with Apple, “they’re going to fix it and then we’re back where we started.”
Daniels later stated the FBI was considering whether to disclose. However, this still isn’t encouraging. A security vulnerability in millions of iPhones could be up for sale to whoever is willing to pay the price and Apple won’t be able to even begin patching the hole until the FBI decides they’re done with it.
Authored by Jonathan Lurie, LegalMatch Legal Writer and Attorney at Law