FBI Director James Comey says the tool his agents bought and used to unlock the San Bernardino killer's iPhone will only work on a "narrow slice" of phones.
On Wednesday, Comey gave a lecture at Ohio's Kenyon College's Center for the Study of American Democracy in which he said the exploit only works on iOS 9 iPhone 5Cs. Apple only sold 24 million of them. That narrow. The FBI boss wouldn't say where the tool came from.
"The FBI is very good at keeping secrets," he said. "The people we bought this from – I know a fair amount about them and I have a high degree of confidence that they are very good at protecting it and that their motivations align with ours."
There has been a discussion within the US government about whether or not to tell Apple about the security flaw exploited by the tool, Comey said. The Feds may spill the beans eventually. But at the moment, telling Cook & Co would just mean the vulnerability would be fixed and the agency would be "back where we started from."
Nevertheless, people should not worry about the FBI's actions, he said, since every agent receives training in the importance of due process and respecting individual privacy rights. Comey said that he has a glass-topped desk at the bureau and in it is a letter from J Edgar Hoover requesting clearance to wiretap Martin Luther King – as a reminder of how important privacy is.
We are not living in a golden age of surveillance, he said, rather a golden age of communication. Ten years ago, Al Qaeda didn't have the techniques to communicate around the world in the way ISIS can, he opined, and that needs new law enforcement tools.
Comey also questioned whether people were not being a little too emotional about the whole issue, commenting that we all leave so much "digital dust" about ourselves on social media sites that there was very little need for the FBI to get involved in extreme device hacking scenarios.
So what's the frequency Kenneth?
Given the highly specific nature of his wording, the tool looks likely to be either a hardware technique (decapping the chips or copying the flash) or a software exploit that lets the phone's passcode be brute forced.
The 5C is the last of Apple's 32-bit iPhones (64-bit address spaces allow stronger ASLR) and, unlike the 5S and later, it has no Secure Enclave cryptographic coprocessor [PDF]. On the 5C the failed-attempt counter, the escalating delays after five wrong guesses and the optional erase after ten are enforced by iOS itself, with the counter kept in flash; on Secure Enclave devices that state lives inside the coprocessor, which enforces the delays in hardware. That is why the 5C is, in theory, easier to crack than later models: anything that patches the lockout code or rolls the flash back defeats the rate limiting, leaving only the roughly 80 milliseconds each passcode derivation costs on the device.
Computer forensics expert Jonathan Ździarski told The Register that it was highly unlikely that only the 5C was affected by the crack – older models are almost certainly vulnerable too, using the same technique, and newer iPhones could also be at risk.
While Ździarski said it was unlikely that the FBI had a working exploit for iPhone 5S and 6s, that still left around 24 million 5Cs and millions more older models crackable. Porting exploits to a 64-bit operating system isn't necessarily all that hard, Ździarski said, and simply admitting there was an exploit would galvanize security researchers to look for bugs.
"Any technique that can be exploited is like a dotted line on a blueprint; once you know the direct path then you can build an exploit," he said. "Security researchers now have a good idea what parts of the operating system they should be looking at, and at least two firms are actively investigating NAND mirroring as a result of the case."
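To make the two techniques discussed above concrete, here is a small simulation (added for this article, not code from the FBI, Apple or Ździarski) of the iOS 9 passcode lockout and of two ways around it: NAND mirroring, which restores a copy of the flash to reset the attempt counter, and a software exploit that simply stops the OS from enforcing the lockout. The 80 ms per-attempt cost and the delay schedule are Apple's published figures for iOS 9; the 60 s re-imaging cost, the four-guesses-per-restore window, the PBKDF2 stand-in for the UID-entangled key derivation and the `Device`/`Flash` classes are assumptions of this toy model.

```python
"""Toy model of the iOS 9 passcode lockout on an iPhone 5C (no Secure Enclave) versus
a Secure Enclave device, and of two attacks on it: NAND mirroring and patching the
lockout in software.  Added illustration, not real device code."""
import copy
import hashlib
import hmac
import itertools
import os

PER_ATTEMPT_MS = 80               # Apple's figure for one passcode derivation
# extra delay the OS imposes after the Nth consecutive failure (iOS 9 schedule)
LOCKOUT_MS = {5: 60_000, 6: 300_000, 7: 900_000, 8: 900_000, 9: 3_600_000}
WIPE_AFTER = 10                   # "Erase Data" after ten failures
REIMAGE_MS = 60_000               # assumed cost of writing the mirrored NAND image back


def derive(passcode: str, salt: bytes) -> bytes:
    # stand-in for the device's UID-entangled, ~80 ms key derivation (assumption)
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 1000)


class Flash:
    """Everything stored in NAND, i.e. everything a chip-off mirror can restore."""

    def __init__(self, passcode: str, counter_in_flash: bool) -> None:
        self.salt = os.urandom(16)
        self.verifier = derive(passcode, self.salt)
        self.counter_in_flash = counter_in_flash
        self.failed = 0           # the OS-maintained counter (5C case)


class Device:
    def __init__(self, passcode: str, secure_enclave: bool = False, enforce: bool = True) -> None:
        # 5C: the attempt counter is OS state in NAND.  Secure Enclave device: the
        # counter lives in the coprocessor and survives a NAND restore.
        self.flash = Flash(passcode, counter_in_flash=not secure_enclave)
        self.sep_failed = 0
        self.enforce = enforce    # False models an exploit that patches out the lockout
        self.clock_ms = 0         # simulated elapsed time
        self.wiped = False

    def failed_attempts(self) -> int:
        return self.flash.failed if self.flash.counter_in_flash else self.sep_failed

    def _set_failed(self, n: int) -> None:
        if self.flash.counter_in_flash:
            self.flash.failed = n
        else:
            self.sep_failed = n

    def try_passcode(self, guess: str) -> bool:
        if self.wiped:
            raise RuntimeError("device wiped")
        self.clock_ms += PER_ATTEMPT_MS
        if hmac.compare_digest(derive(guess, self.flash.salt), self.flash.verifier):
            self._set_failed(0)
            return True
        if self.enforce:
            n = self.failed_attempts() + 1
            self._set_failed(n)
            if n >= WIPE_AFTER:
                self.wiped = True
            else:
                self.clock_ms += LOCKOUT_MS.get(n, 0)
        return False


def codes(digits: int):
    return ("".join(t) for t in itertools.product("0123456789", repeat=digits))


def brute_force(device: Device, digits: int = 4, mirror_every: int = 0):
    """Return (passcode or None, attempts made, simulated ms).  With mirror_every=k,
    snapshot the NAND before starting and write it back after every k failures, so
    the OS-side counter never reaches the first delay (k < 5)."""
    snapshot = copy.deepcopy(device.flash) if mirror_every else None
    attempts = 0
    for code in codes(digits):
        attempts += 1
        try:
            if device.try_passcode(code):
                return code, attempts, device.clock_ms
        except RuntimeError:
            return None, attempts - 1, device.clock_ms
        if snapshot is not None and device.failed_attempts() >= mirror_every:
            device.flash = copy.deepcopy(snapshot)
            device.clock_ms += REIMAGE_MS
    return None, attempts, device.clock_ms


def patched_worst_case_hours(digits: int) -> float:
    """Full-keyspace cost once the lockout is patched: only the 80 ms derivation remains."""
    return 10 ** digits * PER_ATTEMPT_MS / 3_600_000


if __name__ == "__main__":
    print("5C, naive:          ", brute_force(Device("1234")))
    print("5C, NAND mirroring: ", brute_force(Device("1234"), mirror_every=4))
    print("5C, lockout patched:", brute_force(Device("1234", enforce=False)))
    print("SE device, mirroring:", brute_force(Device("1234", secure_enclave=True), mirror_every=4))
    print("patched, 6 digits:   %.1f h" % patched_worst_case_hours(6))
```

Run as is, the naive attack on the 5C model wipes the device after ten guesses, mirroring the NAND recovers "1234" in 1,235 attempts with the re-imaging time dominating the cost, a patched lockout needs only the 80 ms derivations (about 13 minutes for the whole four-digit space and about 22 hours for six digits), and against the Secure Enclave model restoring the flash changes nothing because the counter it needs to reset is not in the flash.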
Ździarski said that it was inconceivable that the details of the exploit wouldn't leak out if the FBI used it again. Defense counsel for defendants would want to test the exploit (as they have with other FBI tech), and code is easy to copy.
"I've had this happen with my tools when I help out police departments," Ździarski said. "Someone takes a copy, sends it to a friend, and it spreads. I'm pretty sure two commercial companies have reverse-engineered my tools and are now selling them to non-law enforcement and people who shouldn't have access to them."
As to the source of the exploit, Ździarski had no concrete information, but raised a couple of interesting possibilities. It's conceivable the crack came from a commercial company, or from the NSA, or possibly from a firm that was working with No Such Agency.
"It's plausible that the NSA might have seen how much of a media circus the San Bernardino trial turned into and may have opted not to help the FBI directly," he said.
"It's possible it really did come from a third-party supplier, who may have developed it for the NSA and got permission to sell it to the FBI rather than disclose it themselves."
One thing is certain, he said; over time the exploit will leak out and be used by malware writers unless it is patched. Sleep tight, iPhone users. ®
PS: Ździarski has written an open letter to Comey, here.