Court Says FBI Doesn’t Have to Share San Bernardino iPhone Hack Details

Cellebrite's servers hit with data breach

The FBI gets to keeps its secrets about how it hacked into the iPhone 5C recovered from San Bernardino mass shooter Syed Farook. A federal court ruled over the weekend that the government doesn’t have to reveal the name of the company that provided the hack, or how much it cost.

The iPhone 5C was recovered from Farook after he, along with his wife Tashfeen Malik, were killed in a shootout with police. The two were on the run after launching on a terrorist shooting spree where they killed killed 14 of their San Bernardino County coworkers and injured 22 others in December 2015.

Cellebrite's servers hit with data breach
FBI doesn’t have to reveal San Bernardino iPhone 5C hacking partner

The iPhone 5C had been issued to Farook by his employer, San Bernardino County, but no one knew the passcode to get at the device’s encrypted contents. The FBI turned to Apple for help and was able to recover some data from the iCloud account linked to the phone.

The FBI wanted more, however, and told Apple to unlock the phone so they could view its contents. Apple said that wasn’t possible because it doesn’t have any way to bypass or override iPhone security passcodes.

That wasn’t the answer the FBI wanted so it obtained a court order to force Apple to make a version of iOS that removed the security features preventing brute force attacks on passcodes. Apple refused saying the government didn’t have authority to make the demand, and that such an operating system posed a serious security and privacy risk to all iPhone users.

FBI vs Apple vs Privacy

The FBI made its fight very public saying the hackable iOS would be used only once and just on Farook’s iPhone. That stood in contrast to other law enforcement agencies saying they had hundreds of iPhones lined up and ready to hack once Apple finished making the special operating system version.

Apple and the FBI were scheduled to face off in court over the order, but literally hours before the hearing the case was dropped. The FBI said it hacked into the iPhone with the help of a third party, but didn’t offer up any details.

Then FBI Director James Comey confirmed a company provided the iPhone hack, but never offered up a name. It’s widely assumed the company was Cellebrite, but that hasn’t ever been officially verified.

The cost of the hack hasn’t been officially confirmed, either, although Senator Diane Feinstein (D-CA) said during a Judiciary Committee meeting it was US$900,000.

Associated Press, USAToday, and Vice News wanted official confirmation so they filed a Freedom of Information Act lawsuit in December 2016. That case finally got a ruling on October 1st, 2017 when Judge Tanya Chutkan denied the request.

According to the ruling, exposing the name of the company would put it at risk of attack. The Judge said,

It is logical and plausible that the vendor may be less capable than the FBI of protecting its proprietary information in the face of a cyberattack.

On keeping the cost of the attack secret she said that knowing the value would let “adversaries determine whether the FBI can broadly utilize the technology.”

That means official confirmation that the FBI paid Cellebrite $900,000 for a way to hack into Syed Farook’s iPhone 5C isn’t happening, at least for now. The FBI can no doubt sleep better tonight knowing that secret is safe.

[Thanks to ZDNet for the heads up]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.