A few days ago the FBI announced that it was able to get into the San Bernardino shooter’s iPhone without Apple’s help after all. So ends the current chapter in the saga of Apple vs. the FBI.
But it opens up new questions about how the FBI got in, and whether the same thing could be done on other iPhones. We tapped Sean Sullivan, F-Secure Security Advisor, for the answers to those questions.
How did the FBI crack into the iPhone?
All we know for sure is that a third party helped them do it. As to the method, there are two possibilities: It could have been a forensic technique, or it could have been a software-based exploit of a vulnerability that Apple wasn’t aware of.
What does that mean for me as an iPhone user? Can someone crack my iPhone?
If it’s a forensic technique, it would not affect anyone in the real world as long as the technique is kept secret. If the technique becomes known, however, then there would be a risk of having your phone stolen… and the thief would be able to unlock, reset, and sell your device.
If it’s a software-based zero-day vulnerability exploit, then it is very important that the FBI keeps it secret if it is to remain effective. If there’s any evidence that the exploit has become known, the FBI should disclose the issue to Apple so it can be patched. Then iPhone users would want to update their OS to the latest version to make sure they’re not vulnerable.
In any case, there is no evidence they used any technique that would work remotely – the phone needs to be in somebody’s physical possession.
It’s worth noting that the exploit or technique might only apply to older iPhones such as the 5c involved in the California case. And it’s probably worth noting that even with there being some potential issue, Apple devices are still more difficult to crack than most Android devices.
So, what next?
Well, there are other similar cases going on. The US Congress will return from its Easter break next week. Senators Richard Burr and Dianne Feinstein could introduce a new bill that updates the responsibilities of tech firms. All of the existing cases involve a very old law, and thus, it’s a legal issue.
All of that becomes moot if a new law is passed. And an update to US law would undoubtedly affect Europe, as EU countries would move to match it. So, that’s the bigger thing on the horizon.