FBI Got Into San Bernardino Killer’s iPhone Without Apple’s Help

AFTER MORE THAN a month of insisting that Apple weaken its security to help the FBI break into San Bernardino killer Syed Rizwan Farook’s iPhone, the government has dropped its legal fight.

“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple,” wrote attorneys for the Department of Justice on Monday evening.

It’s not yet known if anything valuable was stored on the phone, however. “The FBI is currently reviewing the information on the phone, consistent with standard investigatory procedures,” said Department of Justice spokesperson Melanie Newman in a statement.

The news is a partial victory for Apple. The government doesn’t get to establish a legal precedent that would allow it to access other devices in the future, and Apple doesn’t have to design malware to hack its own phones. “Broadly, digital security wins,” David Kaye, U.N. special rapporteur on freedom of opinion and expression, tweeted about Apple’s “victory.”

This doesn’t mean the pressure on Silicon Valley to help law enforcement access unencrypted data will disappear. At least a dozen more cases are being pursued at the federal level, according to court documents from Apple’s attorneys.

“One down, 200+ more to go,” wrote Matt Blaze, associate professor of computer science at the University of Pennsylvania, in a tweet responding to the DOJ’s brief.

Lawmakers are also still threatening to craft legislation that would penalize companies for refusing to decrypt communications for law enforcement.

It’s unclear who helped the FBI access the phone, or whether they’ll tell Apple about it so the company can patch the security hole; the Israeli press reported that forensics company Cellebrite, known worldwide for helping law enforcement hack into phones, was responsible.

Security researchers think the FBI is either using a software-based attack or a technique that involves copying a chip in the phone in order to trick it into allowing more than 10 password guesses.

“Those two are likely the only ones they’d have had time to develop in such a short time,” Jonathan Zdziarski, a security researcher, wrote in a message to The Intercept. “This whole case lasted less [time] than some people’s European vacations.”

Ryan Duff, an information security researcher, thinks the solution is most likely software-based, “unless [the FBI] got really lucky,” he wrote in a tweet.

And if indeed software was the key, then Zdziarski believes that the FBI might be able to use the tool on other versions of Apple’s software — leaving many other iPhones vulnerable.

Though some security researchers have suggested the FBI might be forced to reveal the security flaw because of a little-known White House “Vulnerabilities Equity Process” — a system designed to protect cybersecurity by revealing bugs discovered by the government — others are doubtful the FBI will have to oblige.

“The FBI has been sitting on a Firefox/Tor exploit for more than a year,” tweeted Chris Soghoian, principal technologist for the American Civil Liberties Union. “The equities process is a farce.”