Update: The Department of Justice on March 28 announced it was dropping its lawsuit against Apple because it had unlocked the iPhone of one of the San Bernardino shooters with the help of a third party.
See Also: Threat Intelligence - Hype or Hope?
Neither Apple nor the FBI looks good in the days following the postponement of a hearing on whether Apple should be forced to help the bureau crack open the iPhone of one of the San Bernardino shooters. It's a lose-lose situation.
"The representations of Apple about their unbreakable security were very endearing, but naÃ¯ve."
A federal magistrate in Riverside, Calif., scheduled a hearing for March 22 on a Justice Department motion to compel Apple to help the FBI bypass the password to access the iPhone 5C issued to the assailant Syed Rizwan Farook by his employer, San Bernardino County government. But the FBI was granted a delay in the proceedings until April 5, saying it may have found a way to unlock the phone without Apple's assistance (see Feds Obtain Delay in Apple Hearing.)
The rationale for the delay makes the FBI look bad because leading up to the hearing date, it insisted it needed Apple's assistance, promoting the illusion that only Apple could create the software to unlock the iPhone.
Impact of the Delay
Apple, in opposing the Justice Department filing that it cooperate with the FBI to crack the password on the iPhone, positioned itself as the defender of users' security and privacy by providing safeguards on its devices that not even it could circumvent, and reinforcing the image of the unassailability of its security functions.
"We believe strongly that we have a responsibility to help you protect your data and protect your privacy," Apple CEO Tim Cook said at a March 21 press conference introducing new company products. "We owe it to our customers and we owe it to our country. This is an issue that affects all of us, and we will not shrink from our responsibility."
Despite Cook's strong words, the illusion of invincibility has been cracked. "The representations of Apple about their unbreakable security were very endearing, but naÃ¯ve," says Philip Lieberman, CEO at Lieberman Software, a privilege management solutions provider.
Comey on the Defense
Ever since the FBI revealed that it may have discovered a way to circumvent the password safeguards without the help of Apple, FBI Director James Comey has sounded a bit defensive. Responding to a Wall Street Journal editorial questioning the FBI's veracity, Comey, in a letter to the editor, wrote:
"You are simply wrong to assert that the FBI and the Justice Department lied about our ability to access the San Bernardino killer's phone. I would have thought that you, as advocates of market forces, would realize the impact of the San Bernardino litigation. It stimulated creative people around the world to see what they might be able to do. And I'm not embarrassed to admit that all technical creativity does not reside in government. Lots of folks came to us with ideas. It looks like one of those ideas may work and that is a very good thing, because the San Bernardino case was not about trying to send a message or set a precedent; it was and is about fully investigating a terrorist attack."
Who's providing the FBI with the critical know-how to crack Farook's iPhone? The FBI isn't saying, but the Israeli newspaper Yedioth Ahronoth identified the Israeli mobile forensics software provide Cellebrite as the company coming to the bureau's rescue. Cellebrite declined to comment on the report (see Legal Issues Persist as FBI Backs Off in iPhone Case).
A Mere Coincidence?
On March 21, the day the government sought a delay of the hearing, the FBI issued a purchase order for $15,278 to Cellebrite's U.S. unit for information technology software.
But cryptographer and author Bruce Schneier raises doubts that the purchase order is linked to having Cellebrite help the FBI crack the code, telling the online site Re/code the timing is mere coincidence: "Why would it show up in the 11th hour? It makes little sense."
If the FBI discovers a way to crack the iPhone password - with the help of outsiders, whether Cellebrite or someone else - will it classify that method as top secret? That wouldn't make Apple happy, would it? After all, shouldn't the FBI share the process to bypass the password with Apple so the iPhone maker can patch the vulnerability?
If not, iPhone users would remain vulnerable, and Apple's image as a maker of unbreakable encryption would be tarnished as the government's credibility remains suspect. There seems to be no winner here.