Apple has just released a new version of iOS, and it contains a number of important security fixes, notably one for a bug in iMessage. But there is at least one known vulnerability that isn’t patched in this version, and it’s in the hands of the FBI.
The details of the flaw aren’t known, and may not become public for some time. The bureau reportedly has used it to unlock and gain access to the iPhone 5C used by Syed Farook prior to the killings in San Bernardino last year. It was only after a short, nasty battle in federal court and the media with Apple that the FBI turned to this alternative. The agency’s initial choice was to have Apple build a special version of iOS that bypassed the security controls in the software, and then sign it so the FBI could install it on the phone.
The FBI didn’t develop the technique to get into the iPhone on its own. Rather, it was aided by an outside company that came forward and offered its assistance. The bureau has said that it plans to classify the technique, which means it may be quite a while before the details of the attack ever become known. That move has not done much to endear the FBI to the security community, which relies on vulnerability and attack details to defend networks and devices.
“The FBI is doing the exact opposite. It has been given whatever vulnerability it used to get into the San Bernardino phone in secret, and it is keeping it secret. All of our iPhones remain vulnerable to this exploit. This includes the iPhones used by elected officials and federal workers and the phones used by people who protect our nation’s critical infrastructure and carry out other law enforcement duties, including lots of FBI agents,” cryptographer Bruce Schneier wrote in an essay on the topic.
The animosity between the FBI and Apple over this case complicates the question of whether the FBI will eventually turn over the details of the technique to the vendor. Apple has established, if somewhat touchy, relationships with many security researchers, who regularly report vulnerabilities in OS X, iOS, and other products to Apple. But the FBI isn’t really in the business of making those disclosures to vendors.
However, the federal government has an established policy on how it handles vulnerabilities discovered by government agencies. That policy is designed to favor disclosure and protection over using bugs in offensive operations in most cases.
“Whatever method the FBI used to get into the San Bernardino shooter’s iPhone is one such vulnerability. The FBI did the right thing by using an existing vulnerability rather than forcing Apple to create a new one, but it should be disclosed to Apple and patched immediately,” Schneier said.
Already, the FBI is reportedly testing the technique on other iPhones to see how well it works, despite arguing in its court documents that the case was centered on just the one phone used by Farook. If the technique is effective on other iPhone models, the bureau is unlikely to give it up voluntarily anytime soon.