When the FBI paid someone to crack the San Bernardino shooter’s iPhone, it didn’t just deftly bypass Apple’s objections. It also made the public aware of the business side of hacking – a business that is apparently as lucrative as it is discreet. “The recent argument between Apple and the FBI over unlocking an iPhone has likely revealed to the public for the first time that companies who specialise in cracking mobile devices even exist,” says Bill Anderson, chief product officer at OptioLabs, a mobile-security developer.
Everything we learn about the FBI’s hackers makes the situation more intriguing. Initial reports indicated the feds were using the services of Israeli mobile forensics firm Cellebrite to crack open Syed Rizwan Farook’s iPhone. Since then, a Washington Post report has claimed the FBI hired independent professional hackers, who used a zero-day exploit (a vulnerability unknown to Apple). Another April report showed that the FBI is now willing to help local law enforcement agencies around the country crack iPhones they have in evidence.
Cellebrite, or whoever it may be, is just one company that can attempt to unlock a phone in law enforcement’s possession, but now we – and profit-minded hackers – also know how profitable this business can be, points out Shane McGee, chief privacy officer at cyber-security firm FireEye. “That publicity is like a beacon to vulnerability researchers and security experts that would otherwise show little interest in hacking iOS,” he says.
Beyond one phone
Farook was using an iPhone 5c, so there could be other vulnerabilities in this phone and others that have yet to be found – and possibly monetised. “While most researchers that discover vulnerabilities practise responsible disclosure and communicate those vulnerabilities to Apple so they can be patched,” McGee adds, “I’m sure we’ll also see some trying to sell their exploits to the highest bidder, including the Department of Justice.”
Forensic scientist and iOS security expert Jonathan Zdziarski says he believes it will be business as usual for mobile forensics startups, but the veil has been lifted somewhat.
“I believe the only thing this case has done is it’s made the public more aware of what goes on daily,” says Lewis Daniels from Secure Any Mobile, on the business of breaking encryption. “This of course will make the hacking community more attractive,” he says, “as working with the authorities to do what they have the passion for doing is a great opportunity and legal.”
Braden Perry, a Kansas City attorney specialising in regulatory and governmental matters, says the Apple-FBI case could encourage security companies to help authorities and compete for what he called “lucrative contracts”. Perry notes that these companies would have to adhere to strict guidelines in their business relationships, but where this could get muddy is in places outside of the US’s jurisdiction. This could open up a new avenue for individuals and companies to try to unlock phones for what Perry calls “more sinister purposes”.
“In the end, the public announcement that iPhones can be unlocked through an outside party empowers others to attempt the same,” he says.
That said, there is a mixed view among many of the people I spoke with over whether law enforcement agencies will now seek out external companies’ help rather than serve notice to an OS maker, like Apple.
Dr Yehuda Lindell, of Israeli encryption startup Dyadic Security, suggests the FBI may decide to streamline the process by hiring its own hackers. “It would make more sense to me that the way law enforcement respond to this is to develop in-house expertise to do it themselves,” Lindell says. “I can’t see them always going to an external company.”
Making an exception
There’s another side to the encryption debate, where people want to access a phone for more sentimental reasons. An Italian man wrote a public letter to Apple in March asking the company to circumvent the encryption on his deceased son’s iPhone to retrieve photographs stored on the device. “Don’t deny me the memories of my son,” he wrote. Much like some of the families of victims in Farook’s crimes, he may be struggling to understand why an exception can’t be made in such heartbreaking circumstances.
Mark Grabowski, communications professor at Adelphi University in New York, points out that phone-cracking services have always been available on the Deep Web. “Despite all the publicity the FBI’s hacking of the iPhone has brought, that’s where they will likely remain since it is a crime to hack into someone else’s phone,” Grabowski says.
The very nature of phone hacking means that even legitimate professionals have good reason to maintain a low profile. “While the US Government wants companies to help them hack into others’ phones, I don’t think they want these tricks shared with others,” Grabowski explains. “So, I don’t expect companies to be openly advertising these services anytime soon – at least not to hack into third-party [mobile] phones – unless it’s an ‘ethical hacking’ service where they’re hired to test their own client’s cell phone security.”