FBI’s secret iPhone hacking tool must stay under wraps, court rules

Here’s what we know about the tool that the FBI used to break into the San Bernardino terrorist’s encrypted iPhone:

  • It cost $900,000, as confirmed by Sen. Dianne Feinstein during an open hearing with then-FBI director James Comey in May.
  • It only works on a “narrow slice of phones,” according to Comey. The process, or tool, or whatever it is, doesn’t work on an iPhone 5s or later. It was narrowly tailored to only work on an iPhone 5C operating on iOS 9, according to Comey.

That’s it. News agencies that filed a Freedom of Information Act (FOIA) request can take a hike with their quest for more details: the mystery company that sold the tool to the FBI can’t be identified because it’s got sub-par security and the tool could be hacked out of it, according to the FBI.

Thus ends the quest to learn the vendor’s name and the tool’s cost, according to a court decision on Saturday that sided with the FBI in finding that it’s allowed to keep the tool secret.

The iPhone in question was that of Syed Rizwan Farook. He and his wife were allegedly responsible for the 2015 mass shooting in San Bernardino, California. Fourteen people were murdered before the couple fled the scene in a rented vehicle, only to end up dead themselves after trying to shoot it out with the police from inside their car.

The couple had apparently destroyed their own mobile phones before the attack, but the husband’s work phone – technically, it belonged to his employer – was bagged by the FBI to see what evidence it might reveal.

After the password for Farook’s iCloud backup account was changed – either accidentally or on purpose – the FBI took Apple to court, demanding that the iPhone maker install a backdoor in its encryption to enable law enforcement to crack the iPhone.

But just as the court ordered Apple to weaken its encryption, suddenly, there was no need, the FBI said. It had figured out, with the help of the mystery vendor, how to get into the phone without Apple’s help.

Ever since the FBI threw in the towel on the court case, people have wanted to know a whole lot more about how the bureau pulled it off. The Associated Press, Vice News and USA Today had each filed FOIA requests relating to the FBI’s agreement with the hacking tool vendor. After getting some material out of the FBI, the media companies had narrowed their requests to two specific pieces of information: the name of the vendor and how much the tool cost.

In spite of Feinstein and Comey having publicly disclosed the cost of the tool, the court said that putting an exact figure on the sale could help hackers figure out where to target their efforts to get their hands on it. From the decision:

Releasing the purchase price would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices.

The court also dismissed the notion that Comey’s statements about the price of the tool amount to an “official disclosure” that compels the release of information.

As far as the vendor’s ability to ward off thieves goes, the FBI had argued that the vendor’s networks weren’t as sophisticated as the bureau’s cyber security facilities. Releasing its name would thus mean that a company with unhardened security would have a bulls-eye painted on its back.

If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool’s technological design. Adversaries could use this information to enhance their own encryption technologies to better guard against this tool or tools the vendor develops for the FBI in the future.

The plaintiffs had argued that it’s not plausible that the FBI would have left the tool – one that’s “critically important to national security,” as the FBI claims – in the hands of a “poorly guarded vendor.”

The court didn’t buy it, saying that there are any number of reasons relating to national security why the tool should stay in the hands of the vendor.

That’s it, case closed: the media companies won’t be allowed to appeal the case.

If the court decision makes it harder for unknown adversaries to steal a tool that can crack open an iPhone 5C, that’s a good thing. However, it seems we’ll never know how the FBI cracked Syed Rizwan Farook’s iPhone, whether or not there’s an unpatched iPhone vulnerability, how successful the crack was, whether the phone contained anything of value, and what value for money US taxpayers got from what seems to have been a very expensive tool.