Apple remains in dark how FBI hacked iPhone without its help

March 29, 2016 by Tami Abdollah
FBI's hack into iPhone increases pressure on Apple security
In this Feb. 17, 2016 file photo, an iPhone is seen in Washington. The FBI's announcement that it mysteriously hacked into an iPhone is a setback for Apple and increases pressure on the technology company to restore the security of its flagship product. (AP Photo/Carolyn Kaster, File)

The FBI's announcement that it mysteriously hacked into an iPhone is a public setback for Apple Inc., as consumers suddenly discover they can't keep their most personal information safe. Meanwhile, Apple remains in the dark about how to restore the security of its flagship product.

The government said it was able to break into an iPhone used by a gunman in a mass shooting in California, but it didn't say how. That puzzled Apple software engineers—and outside experts—about how the FBI broke the digital locks on the phone without Apple's help. It also complicated Apple's job repairing flaws that jeopardize its software.

The Justice Department's announcement that it was dropping a legal fight to compel Apple to help it access the phone also took away any obvious legal avenues Apple might have used to learn how the FBI did it. The Justice Department declined through a spokeswoman to comment Tuesday.

It is a closely held secret how the FBI hacked the iPhone, but a few clues have emerged. A senior law enforcement official told The Associated Press that the FBI managed to defeat an Apple security feature that threatened to delete the phone's contents if the FBI failed to enter the correct passcode combination after 10 tries. That allowed the government to guess the correct passcode by trying random combinations until the software accepted the right one.

In this Friday, Sept. 25, 2015, file photo, an Apple iPhone 6s Plus smartphone is displayed at the Apple store at The Grove in Los Angeles. The FBI said Monday, March 28, 2016, it successfully used a mysterious technique without Apple Inc.'s help to hack into the iPhone used by a gunman in a mass shooting in California, effectively ending a pitched court battle between the Obama administration and one of the world's leading technology companies. (AP Photo/Ringo H.W. Chiu, File)

It wasn't clear how the FBI dealt with a related Apple security feature that deliberately introduces increasing time delays between guesses. The official spoke on condition of anonymity because this person was not authorized to discuss the technique publicly.

The FBI hacked into the iPhone used by gunman Syed Farook, who died with his wife in a gun battle with police after they killed 14 people in December in San Bernardino, California. The iPhone, issued to Farook by his employer, the county health department, was found in a vehicle the day after the shooting; two personal phones were found destroyed and the FBI couldn't recover information.

The FBI was reviewing information from the iPhone, and it was unclear whether anything useful would be found.

Apple said in a statement Monday that the legal case to force its cooperation "should never have been brought," and it promised to increase the security of its products. CEO Tim Cook has said the Cupertino-based company is constantly trying to improve security for its users.

The FBI's announcement—even without revealing precise details—that it had hacked the iPhone was at odds with the U.S. government's firm recommendations for nearly two decades that security researchers always work cooperatively and confidentially with software manufacturers before revealing that a product might be susceptible to hackers.

Those guidelines lay out a process about how and when to announce that commercial software might be vulnerable. The aim is to ensure that American consumers stay as safe online as possible and prevent premature disclosures that might damage a U.S. company or the economy.

As far back as 2002, the Homeland Security Department ran a working group that included leading industry technology industry executives to advise the president on how to keep confidential discoveries by independent researchers that a company's software could be hacked until it was already fixed. Even now, the Commerce Department has been trying to fine-tune those rules to protect the digital economy. The next meeting of a conference on the subject is April 8 in Chicago and it's unclear how the FBI's behavior in the current case might influence the government's fragile relationship with technology companies or researchers.

The industry's rules are not legally binding, but the government's top intelligence agency said in 2014 that such vulnerabilities should be reported to companies.

"When federal agencies discover a new vulnerability in commercial and open source software - a so-called 'zero day' vulnerability because the developers of the vulnerable software have had zero days to fix it - it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose," the Office of the Director of National Intelligence said in a statement in April 2014.

The statement, which referenced new guidelines by the Obama administration on such disclosures, recommended generally divulging such flaws to manufacturers "unless there is a clear national security or law enforcement need."

Last week a team from Johns Hopkins University said they had found a security bug in Apple's iMessage service that would allow hackers under certain circumstances to decrypt some text messages. The team reported its findings to Apple in November and published an academic paper after Apple fixed it.

"That's the way the research community handles the situation. And that's appropriate," said Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute. She said it was acceptable for the government to find a way to unlock the phone but said the government should reveal its method to Apple.

Mobile phones are frequently used to improve cybersecurity in the private sector or federal agencies, for example, as a place to send a backup code to access a website or authenticate a user for a work system.

The chief technologist at the Center for Democracy and Technology, Joseph Lorenzo Hall, said keeping details secret about a flaw affecting millions of iPhone users "is exactly opposite the disclosure practices of the security research community. The FBI and Apple have a common goal here: to keep people safe and secure. This is the FBI prioritizing an investigation over the interests of hundreds of millions of people worldwide."

Explore further: Protests planned across US to back Apple in battle with FBI

Related Stories

Protests planned across US to back Apple in battle with FBI

February 21, 2016

Protesters are preparing to assemble in more than 30 cities to lash out at the FBI for obtaining a court order that requires Apple to make it easier to unlock an encrypted iPhone used by a gunman in December's mass shootings ...

Q&A: A look at the Apple vs US Justice Dept. court fight

February 17, 2016

A U.S. magistrate judge has ordered Apple to help the FBI break into a work-issued iPhone used by a gunman in the mass shooting in San Bernardino, California. Apple chief executive Tim Cook immediately objected, setting the ...

Explainer: Apple vs. FBI—What Happened?

March 29, 2016

Apple's legal standoff with the FBI ended Monday, but experts say the issues behind it will come up again, as more tech companies take measures to guard their customers' messages, photos, business records and other files.

Recommended for you

Startup Pi out to slice the charging cord

September 19, 2017

Silicon Valley youngster Pi on Monday claimed it had developed the world's first wireless charger that does away with cords or mats to charge devices.

A solar cell you can put in the wash

September 18, 2017

Scientists from RIKEN and the University of Tokyo have developed a new type of ultra-thin photovoltaic device, coated on both sides with stretchable and waterproof films, which can continue to provide electricity from sunlight ...


Adjust slider to filter visible comments by rank

Display comments: newest first

2.3 / 5 (3) Mar 29, 2016
Wow, how quick the worm turns. :-)
Apple won't help the government because they don't want the secret of how to break the encryption out.
Now that the government broke the encryption without apple, apple tells the government they want that secret out.
I hope the government tells them where to stick it :-)
If Trump were involved he would make a deal with apple to give them what they want in exchange for apple decrypting messages on any future IPhones.
5 / 5 (1) Mar 29, 2016
Apple remains in dark...

Hmmm... isn't there an App for that, I believe it's called SuckIt.
1 / 5 (2) Mar 29, 2016
Professor Susan says:
"it was acceptable for the government to find a way to unlock the phone but said the government should reveal its method to Apple...."

What a crazed idot. Sorry for my language. Does this "professor" really think the government is going to give away their tools to combat crime? To the company that didn't want to help the govt at all?

She is a lunatic.

5 / 5 (1) Mar 29, 2016
This is about ensuring that we all have the right to privacy and to protect our data from criminals, terrorists or police states. The technology companies need to make their products more secure and leave no backdoors that they could be forced to use by authorities.

If technology companies actually provide products where it is impossible for them to access customer data, they cannot be ordered to do so.

Weak security and backdoors only helps criminals and terrorists. Just look at the huge growth in ransomware that poor security allows. Hacks of large corporations and government agencies have exposed our personal data to criminals because their security was not good enough.

Third party applications are available for secure communications that leave nothing on devices for authorities to find which means the authorities might only have small gains by compromising our security and increasing our exposure to criminals.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.