'Serious risk' that Apple-made iPhone cracking code will leak

04.03.2016
Security experts yesterday said that there is a "serious risk" that the special iPhone-cracking software sought by the FBI would fall into the wrong hands if Apple is forced to assist the government in accessing the data on an iPhone used by one of the San Bernardino shooters.

"Keeping the Custom Code secret is essential to ensuring that this forensic software not pose a broader security threat to iOS users," seven security experts said Thursday in a "friends-of-the-court" brief filed with a California federal court. "But the high demand [for this software] poses a serious risk that the Custom Code will leak outside of Apple's facilities."

The amicus brief -- submitted yesterday on behalf of the experts by the Center for Internet and Society (CIS) at Stanford Law School -- was aimed at the federal magistrate hearing a case involving Apple and the FBI. The agency wants Apple's assistance in getting into the passcode-locked iPhone 5C used by Syed Rizwan Farook, who along with his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif. on Dec. 2, 2015. After the pair died in a shootout with police, authorities labeled the attack an act of terrorism.

Last month, the magistrate ordered Apple to assist the FBI by creating a heavily modified version of iOS that would disable several security safeguards, then put the software on the device so authorities can bombard it with passcode guesses. The FBI has said it believes there is unique information on Farook's iPhone that will help its investigation.

Apple is fighting the order.

The experts, who include prominent iOS security and forensics researchers, as well as several academics whose focus is cryptography and digital security, were skeptical of the government's claim that Apple's custom software would remain in safe hands.

According to the order issued last month, Apple would retain possession of the special version of iOS. The iPhone would be delivered to Apple, which would also create code so that the FBI could access the device remotely as it tried to brute-force the passcode. And the government, whose representatives have waffled over whether this would be a one-time deal, has suggested that Apple then destroy the software.

Not only is the latter very unlikely, the experts asserted, but even with the most stringent security, there would be a good chance that the code would leak into the wild.

A rogue's list would be very interested in that code, the experts contended. And they would move heaven and earth to get the goods.

"Once created, this software is going to be very valuable to law enforcement, intelligence agencies, corporate spies, identity thieves, hackers, and other attackers who will want to steal or buy the Custom Code," the brief stated.

If the U.S. government succeeds in compelling Apple to do the work, other nations' authorities will follow, and could demand that Apple hand it over without supervision, pressuring the company with threats to its in-country employees or its right to do business. And once the code left Cupertino, the safe room-style protection would be moot. "Given the Custom Code's value, unscrupulous government officials in corruption-plagued jurisdictions could foreseeably sell the Custom Code to third parties," the experts speculated.

Apple employees might not be immune to hacking, blackmail or simply the dollars dangled in front of them. "Those technicians responsible for using the Custom Code to comply with access demands will likely be targeted by phishing attacks -- emails carefully designed to seem legitimate but which contain malware -- that seek to steal the Custom Code," the filing read. "The same technicians will be approached with offers to buy the software. The price offered could be irresistibly high, as the Custom Code will be worth a lot to foreign national security officials and organized crime syndicates, and can be sold to multiple customers."

While Apple has made some of the same general arguments -- specifically that once the tool was created, it's impossible to foresee how things will shake out in the end -- it has not gone into the dark details that the security experts laid out.

The seven amici curiae included some well-known iOS researchers, among them Charlie Miller, the first to find a vulnerability in Apple's mobile operating system; Dino Dai Zovi, who along with Miller wrote The iOS Hacker's Handbook; and Jonathan Zdziarski, a prominent forensics researcher. Others included Bruce Schneier, who designed the Blowfish encryption algorithm; Dan Boneh of Stanford; Dr. Hovav Shacham of the University of California at San Diego; and Dan Wallach of Rice University.

"As experts experienced in both analyzing and building security functionality on iOS-based devices, amici believe that any such Order poses a public-safety risk," the seven concluded.

This amicus brief was just one of many filed with the court this week -- others were submitted by the ACLU, privacy groups such as the Electronic Frontier Foundation, and a host of technology companies that included Facebook, Google, Microsoft, Twitter and Yahoo.

The court will hear oral arguments from Apple and the government on March 22.

(www.computerworld.com)

Gregg Keizer