The US Department of Justice has found a way to get into the iPhone 5C owned by Syed Farook, one of the San Bernardino shooters.
With a short status report filed with the Central California District Court on Monday, they noted that “the government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016,” and they asked that that court order be vacated.
The status report does not say whether the DoJ found any helpful data on the phone in question, does not explain how they managed to break into the device, whether they will share this technique with Apple, or whether the same technique can be used to access the data in other locked iPhones that the various US law enforcement agencies were unable to unlock so far.
Last week the prosecutors in the case stated that they have been appraised by a third party about a possible way to bypass the PIN lock of the iPhone. The identity of this third party was not revealed, but speculations point to Israeli cybersecurity firm Cellebrite.
iPhone forensics experts also speculated about the method used, and proposed some potential solutions to the problem. Jonathan Zdziarski proved that one of the methods, which involves NAND mirroring, could definitely work in this particular case.
Whatever the case turns out to be, this particular lawsuit is seemingly over, but the conversation about user security and privacy is only just starting.
Apple released a statement late Monday saying that the case should never have been brought in the first place. “We will continue to help law enforcement with their investigations, as we have done all along, and we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated,” they noted.
“EFF is pleased that the Justice Department has retreated from its dangerous and unconstitutional attempt to force Apple to subvert the security of its iOS operating system,” Electronic Frontier Foundation staff attorney Andrew Crocker commented. “In addition, this new method of accessing the phone raises questions about the government’s apparent use of security vulnerabilities in iOS and whether it will inform Apple about these vulnerabilities.”
“As a panel of experts hand-picked by the White House recognized, any decision to withhold a security vulnerability for intelligence or law enforcement purposes leaves ordinary users at risk from malicious third parties who also may use the vulnerability,” he also pointed out.
“Thanks to a lawsuit by EFF, the government has released its official policy for determining when to disclose security vulnerabilities, the Vulnerabilities Equities Process (VEP). If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply, meaning that there should be a very strong bias in favor of informing Apple of the vulnerability. That would allow Apple to fix the flaw and protect the security of all its users.”