
Amidst calls for iPhone transparency, FBI offers anti-encryption help to local law enforcement

Privacy advocates and digital rights proponents are leaning on the FBI to disclose the method it used to break into the iPhone of the San Bernardino shooter, but the agency so far remains mum, while also reasserting its commitment to helping state and local law enforcement with their own digital investigations.

While the FBI did not specifically promise to apply its newfound technique toward other cases, the agency did write an open letter, published on BuzzFeed, addressed to state and local law enforcement officials, stating that the law enforcement agency would “of course consider any tool that might be helpful to our partners,” so long as it was consistent with legal and policy constraints.

Signed by Kerry Sleeper, assistant director of the FBI's Office of Partner Engagement, the letter also acknowledged that “the absence of lawful, critical investigative tools due to the ‘Going Dark’ problem is a substantial state and local law enforcement challenge.”

This outreach to state and local governments likely did not sit well with privacy and technology influencers who are placing mounting pressure on the FBI to reveal to Apple how it was able to circumvent or defeat the encryption on the phone belonging to terrorist Syed Rizwan Farook. (It has been widely reported that third-party contractor Cellebrite provided the method.)

"If the FBI is, in fact, sharing the technique that it used in the San Bernardino case with local law enforcement, this only increases the likelihood that bad actors will uncover the technique and the underlying vulnerability, putting ordinary iPhone users at risk," said Eliza Sweren-Becker, an attorney with the American Civil Liberties Union, in an emailed statement to SCMagazine.com.

“If they really care about public safety, they must disclose the vulnerability they used to Apple to prevent criminals, hackers, and terrorists from exploiting the same security flaw and using it to do harm,” read another online statement from digital advocacy group Fight for the Future.

Chenxi Wang, chief strategy officer for enterprise cloud security company Twistlock, told SCMagazine.com in an email interview that if the FBI truly succeeded in breaking into Farook's phone, then “by the spirit of responsible disclosure, to which most of the security industry organizations and professionals subscribe, the FBI should disclose the existence of such vulnerability to the manufacturer.”

“If the FBI fails to do that, this will become an open invitation for hackers and underground profit-seekers to focus their attention on hacking iPhones in order to discover this vulnerability,” she continued.

Oren Falkowitz, CEO of anti-phishing tech firm Area 1 Security and a former NSA analyst, agreed in an email interview with SCMagazine.com, noting, “We are more secure if there are less vulnerabilities that can be exploited. There are approximately 24 million of these phones and the potential exposure is high if we don't plug known security gaps.”

Independent of this disclosure decision, Falkowitz noted that he expects the government to “use every possible method to ensure the safety of our nation and its citizens,” including potentially the same technique used on Farook's phone. Of course, should the tactic be disclosed, Apple would almost certainly develop a fix for the vulnerability behind it.

In a recent Ars Technica report, an anonymous federal law enforcement official was quoted as saying: “We cannot comment on the possibility of future disclosures to Apple.” Apple, which could try to compel the FBI in court to disclose the vulnerability, has not responded to SCMagazine.com's request for comment.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
