FBI Exploits Zero-Day On iOS To Hack Terrorist’s iPhone

BLOG: The FBI was able to get access to the data on a terrorist’s iPhone 5c without Apple’s help. What does that mean for iPhone security?

A new zero-day exploit against Apple’s iOS mobile operating system enables an attacker to bypass a security lockout feature that will erase the device’s contents after 10 unsuccessful passcode tries. The group taking credit for the new zero-day is none other than the FBI.

As reported on eWEEK this week, the FBI has ended its legal case against Apple in which it was trying to force the tech giant to provide a way to help get access to the contents of an iPhone 5c used by Syed Rizwan Farook, a gunman in the Dec. 2 shooting spree in San Bernardino, Calif.

“The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016,” the Department of Justice’s legal filing on the matter simply states.

The original court order had asked Apple to assist the DOJ by helping the FBI “bypass or disable the auto-erase function” on the iPhone 5c.  As part of iOS’ security, iPhones have a passcode that protects access to the device and its contents. An additional security capability can be enabled that will erase the contents of a device after a specified number of incorrect passcode attempts. The FBI obviously didn’t want to trigger the auto-erase function; otherwise, the agency could have attempted to just “brute-force” the password, spooling through all the possible passcode combinations.

As part of the original court order, the DOJ also requested that Apple’s technical assistance include “providing the FBI with a signed iPhone Software file, recovery bundle or other Software Image File (‘SIF’) that can be loaded on the subject device.”

Apple CEO Tim Cook balked at the request, steadfastly claiming that such a bypass would undermine the security of all iPhone users.

Now, despite Cook’s lack of cooperation, the FBI has what it wants.


Apple Launch Tim Cook 1The precise method used by the FBI has not been publicly disclosed, though there is no shortage of speculation and possible options. Perhaps the FBI has in fact found a flaw in iOS and/or the mobile device management capability that would have triggered the auto-erase function. Perhaps the FBI found a way to clone the contents of the entire device, such that they can in fact attempt to brute-force the password without fear of erasing the only version of the data. Or perhaps the FBI found a way to physically bypass the software security provided by Apple by directly accessing the hardware on the iPhone 5c to pull data from the device at the electrical level or some other intricate means.

Whatever the method, the simple fact of the matter is that it is now possible to bypass the passcode security auto-erase function on an iPhone 5c, and there is no known fix. In the security business, that’s typically what security researchers will call a zero-day exploit.

So far as is publicly known at this point, only the FBI has this powerful new zero-day exploit. There is no way of knowing if the exploit has been made available to other governments around the world. There was some speculation last week, when the DOJ first asked to delay a legal court hearing with Apple, that an Israeli firm was now on the FBI payroll helping to bypass the iPhone 5c’s security. That speculation has not been officially confirmed, nor has any public admission yet been made by the DOJ or the FBI that it paid to acquire the bypass from any third party.

No doubt, Apple today is pressuring the DOJ to find out what the bypass is so that it can fix the issue, protecting all iOS users. In a normal responsible disclosure process, a security researcher would report a zero-day issue to a vendor, so that the vendor could fix the issue before it becomes widely exploited. It’s not clear what, if any, formal disclosure will happen in this case.

Of all the possible situations that could have enabled the iPhone 5c bypass, this scenario—where the FBI now has access to such an exploit that neither Apple nor anyone else knows about—is not a great one. Had Apple been forced to comply with the DOJ, perhaps there could have been some controls in place on usage of the mechanism and some form of tracking. Now Apple is on the outside looking in, wondering how this all happened.

What exists now is a dangerous situation, where a working bypass, or a zero-day exploit, exists for one of the most popular technology platforms on the planet. Hopefully, this bypass only exists in the hands of good, law-abiding people who will not abuse this power and only use it in the interest of national security.

Originally published on eWeek.