Influencers: FBI should disclose San Bernardino iPhone security hole to Apple
Now that American law enforcement may have a way into the iPhone used by the San Bernardino, Calif., shooter, it should also disclose details about the security hole to Apple, said 81 percent of Passcode鈥檚 Influencers.
The Justice Department pulled out of a much-anticipated court hearing with Apple less than a day before it was set to begin Tuesday. Law enforcement said an 鈥渙utside party鈥 presented a new way to unlock Syed Rizwan Farook鈥檚 device without Apple鈥檚 help and it is optimistic the method will听work.
While the government had previously insisted there was no other way to get the potentially critical data from the iPhone without Apple writing software to bypass security features, the FBI may now face a new conundrum: Should it inform the company so it can fix a vulnerability that may affect millions of consumer devices 鈥 even if that disclosure could make it harder for law enforcement to unlock iPhones in the听future?
But a strong majority of security and privacy experts from across government and the private sector, surveyed by Passcode this week, cautioned about serious security risks if investigators don鈥檛 reveal the security flaw, and the dangerous precedent it might听set.
鈥淭he security of a product used by so many people 鈥 including and especially Americans 鈥 is part of national security,鈥 said Jonathan Zittrain, professor of law and computer science at Harvard Law School. 鈥淲hile it is appropriate for law enforcement, with a warrant, to use a security flaw to gain access to which it is legally entitled, the flaw should be patched as soon as possible for everyone else鈥檚听sake.鈥
If a previously unknown security vulnerability 鈥減uts current users of those devices at risk for increased likelihood of criminal conduct such as identity theft,鈥 the FBI should inform Apple to 鈥渇ulfill its law enforcement mission,鈥 said one Influencer who chose to remain anonymous. 鈥淔ighting crime isn鈥檛 just about catching criminals after the fact; it鈥檚 about reasonable measures to prevent avoidable criminality from happening as well.鈥 To preserve the candor of their responses, Influencers have the option to reply either on record or anonymously.
If the government has actually found a way into locked iPhones, adds Kevin Bankston, director of New America鈥檚 Open Technology Institute, 鈥淭hen bad guys can find it,听too.鈥
鈥淚t would be dangerously shortsighted and irresponsible for the government to stockpile that vulnerability for its own use and leave every iPhone user at risk,鈥 Mr. Bankston continued. 鈥淚ndeed, this case highlights the need for the government to have a strict process in place 鈥 a process required by law 鈥 that ensures government disclosure of vulnerabilities as quickly as possible.鈥
For its part, Apple听听the government share the details of its iPhone hack tactics if the case continues. But on Thursday, FBI Director James Comey听听to comment about whether he would tell Apple the details 鈥 and officials have so far said nothing about whether it would be subject to what鈥檚 known as the Vulnerability Equities听Process.
The equities review, chaired by White House cybersecurity coordinator Michael Daniel, is a relatively secretive process in which multiple agencies help determine whether security flaws in government hands must be disclosed to companies for fixing 鈥 or kept secret for national security reasons. As part of the decisionmaking process, officials consider whether keeping the vulnerabilities secret would result in significant risks to consumers, Mr. Daniel has previously explained in a 2014听听about how the US decides about when to disclose vulnerabilities.听(Editor鈥檚 note: Daniel is also an Influencer.)
However, the high profile nature of this case, and public knowledge that a vulnerability exists, bolsters the case for disclosure here, said Robert M. Lee, cofounder of Dragos Security.
鈥淚鈥檓 normally for the government disclosing vulnerabilities anyway, but after publicly touting it, [the FBI has] to 鈥 as there would be potential financial impact through customer confidence issues in Apple if the FBI did not,鈥 Mr. Lee said. 鈥淚n other words, the current policy is to disclose vulnerabilities anyway, but if you were going to hide one you can鈥檛 do so after putting it in the听press.鈥
What鈥檚 more, added Steve Weber, professor at the University of California at Berkeley鈥檚 School of Information, the discussion between the government and tech sector is more important than any one security hole. 听鈥淭he two sides need to establish a new foundation of shared interests on which to deal with this kind of problem in the future. And the DoJ could send an important signal to Apple: it would say, 鈥榃e believe in security as deeply as you do. We may disagree over lawful access, but that doesn鈥檛 mean we want to weaken encryption鈥.鈥
A small but vocal 19 percent minority said the US government should not tell Apple about the security听hole.
鈥淚t鈥檚 Apple鈥檚 job to create the best security that it can,鈥 said Jeffrey Carr, president and CEO of Taia Global. 鈥淚t鈥檚 the government鈥檚 job to find ways, under cover of law, to break encryption for law enforcement and national security reasons. As long as both do their respective jobs, everything works as it should. Apple asking the FBI to reveal its methods is as bad as the FBI asking Apple to weaken its encryption. Both need to stay in their respective听lanes.鈥
Ultimately, it might not be beneficial for Apple to tell them about the flaw, one Influencer said. After all, it wouldn鈥檛 be forced to create new software to bypass its own security. 鈥淚f Apple鈥檚 goal is a phone they can鈥檛 open with a gun to their head 鈥 and a highly resources law enforcement agency can do it without them 鈥 do they really want to know?鈥 one Influencer听said.
While 鈥渋t would be polite鈥 to tell Apple about it, added another anonymous Influencer, it鈥檚 up to the FBI. 鈥淟awful hacking is a technique they should be using, and they have to decide where they are in the [breach prevention] community 鈥 in it or outside of听it.鈥
What do you think?听听of the Passcode Influencers Poll.
Who are the Passcode Influencers? For a full list, check out our听
Comments:
听
YES
鈥淲e must stop hoarding zero-days and responsibly disclose them to everyone.鈥 -听Nico Sell, Wickr
鈥淪trong security is paramount to public safety and trust.鈥 -听Chris Young, Intel Security Group
鈥淚n a perfect world the FBI would disclose all vulnerabilities to vendors. But we don鈥檛 live in a perfect world. More generally: my guess is that Apple already knows what this vulnerability is 鈥 replay attacks on NAND Flash memory. Apple has already addressed this attack vector in their A7 and later processors.鈥 -Matthew Green, Johns Hopkins University
鈥淭he FBI should follow the equities process, chaired by the White House cybersecurity coordinator, on whether to reveal exploits known the government.鈥 -听Peter Swire, Georgia Tech Scheller College of Business
鈥淭he US government has a policy on how it handles 0-days, unfortunately not much is known about the policy as extracting information via FOIA requests has been difficult at best. I would presume that the policy has some sort of exemption for National Security and or Law Enforcement activity. While I would love for the FBI to disclose whatever method they are using in this case I would be very surprised if they actually did so.鈥 -听Cris Thomas, aka Space Rogue, Tenable Network Security
鈥淭he government absolutely needs to inform Apple, or any company, of any security hole they discover. 听Failure to do so could compromise public safety, privacy and national security. Tens of millions of people use iPhones. 听We know that criminals, terrorists and spies are actively searching for flaws they can exploit, in order to steal information. 听The government has an obligation to do all it can to prevent this.鈥 -听Jenny Durkan, Quinn Emanuel
鈥淚t is irresponsible of the FBI to let a vulnerability go un-patched in a device used by millions of people around the world. Not reporting the vulnerability to Apple so that it can be patched leaves all of those users exposed.鈥 -听Amie Stepanovich, Access Now
鈥淭he role of the government should be to strengthen, not weaken, security. This means that the government should report zero-day exploits to the private sector rather than hoarding them for its own purposes. At a minimum, the FBI should release its vulnerability disclosure policy so there can be a public discussion on what responsible disclosure should look like for the government.鈥 -Daniel Castro, Information Technology and Innovation Foundation
鈥淭he government should discretely disclose security vulnerabilities once intelligence gain/loss equities are properly considered, as well as the privacy, data security and economic implications. 听In this case, the chief problem was the way the Justice Department, and particularly the FBI, publicly handled the case. I鈥檓 not sure you could craft a faster way to move terrorists to foreign-made devices and open source encryption apps. The fact that they also managed to hurt US tech competitiveness in the process made this a masterpiece of incompetence.鈥 -听Chris Finan, Manifold Security
鈥淚f the FBI wants to be seen as not abusing their power to invade the privacy of US citizens, then they must turn over the vulnerabilities this outside party is exploiting to gain access to the iPhone. Any other behavior from them will confirm the fears of the American public that the US is entering a surveillance state in which privacy is no longer a right that Americans have. They will be in line policy-wise with non-Western values of freedom of expression. This road is dangerous to freedom, and will ultimately erode American technology companies鈥 ability to compete in a global market. If users can鈥檛 trust the services they use, they will turn to technologies that are safer, and that won鈥檛 be subject to arbitrary, warrantless invasions of privacy.鈥 -听Katie Moussouris, HackerOne
鈥淔laws should be fixed. It really is that simple.鈥 -听Marc Rotenberg, Electronic Privacy Information Center
鈥淪ecurity is a shared responsibility. How can government officials expect to be trusted if they don鈥檛 do their part?鈥 -听Influencer
鈥淲ith the caveat that the FBI does not need to give out full information on how it gets in, but enough for Apple to fix vulnerabilities.鈥 -听John Pescatore, SANS Institute
鈥淭he Bureau is a consumer of Apple goods as well as an LEA. They鈥檒l want the flaw remediated for their own users as well as law-abiding citizens.鈥 -听Scott Montgomery, Intel Security
鈥淪ecurity is hard enough without your government refusing to assist and actually treating you like an adversary. The US government should be helping Apple increase its security, not becoming a threat to it.鈥 -听Cindy Cohn, Electronic Frontier Foundation
鈥淭rust must be a two- way street and law enforcement and government agencies have as great a duty to collaborate and share sensitive information as vendors of technology products.鈥 -Influencer
鈥淢aybe it should, it certainly won鈥檛 with all but the most extraordinary flaws. If you want bugs to get fixed you need organization鈥檚 not rewarded by them.鈥 -听Dan Kaminsky, White Ops
鈥淜nown security exploits should always be reported. 听The FBI would otherwise be doing an end run on the legal controls that are in place to limit law enforcement access to data.鈥 -听Influencer
鈥淵es, but only if Apple pays them a bug bounty.鈥 -听Influencer
鈥淚t doesn鈥檛 matter whether it鈥檚 the FBI or the NSA 鈥 closing security holes makes us all safer and should be a standard practice for the US government.鈥 -听Sascha Meinrath, X-Lab
鈥淐urrent US law doesn鈥檛 seem to recognize an obligation on the part of law enforcement to prevent loss before-the-fact, so it isn鈥檛 clear that the FBI would have a legal obligation to do so. That having been said, if the FBI recognized that a bank had a back door that didn鈥檛 lock, one would hope that they would notify the operators about the vulnerability. Given that there are quite a few people in the FBI investigating 鈥榗ybercrime鈥 these days, it would seem to be within their mission to let a vendor know about something like that.鈥 -听Influencer
鈥淚t鈥檚 standard good security practice to disclose vulnerabilities. The FBI should also explain whether it deliberately misled the court about the necessity of compelling Apple to help break the security of its devices or didn鈥檛 make a serious effort to explore the alternatives, which amounts to the same thing.鈥 -听Jim Harper, Cato Institute
鈥淚t is best overall for the good of the majority of people that their communications be protected.鈥 -听Influencers
听
NO
鈥淎pple can鈥檛 have it both ways. Either it is going to cooperate with legitimate law enforcement demands, or it can suffer the consequences.鈥 -听Influencer
鈥淚t is unlikely that the FBI has any new vulnerability information about the iPhone. There is a publicly disclosed technique that a vendor may have offered to perform, which involves copying the flash memory on the phone. 听In general, law enforcement and intelligence agencies face difficult tradeoffs with respect to vulnerability information that they possess. These agencies use vulnerabilities to collect intelligence, but if they fail to disclose them, they may miss an opportunity to prevent attacks in the event that the vulnerabilities are independently discovered by a malicious third party. The risks are heightened in the scenario where exploiting a vulnerability requires sending payloads to the target that contain vulnerability information, which the target might recover and use to launch their own attacks. Therefore, agencies must carefully balance the opportunities presented by a vulnerability against the infrastructural risks associated with holding on to them and using them. It鈥檚 reasonable to have concerns about this balancing process, because the decisions are opaque to the general public, and the risks are an externality to the agency鈥檚 mission, and therefore may be underestimated.鈥 -听Tom Cross, Drawbridge Networks
鈥淚f Apple鈥檚 goal is a phone they can鈥檛 open with a gun to their head - and a highly resources law enforcement agency can do it without them - do they really want to know? Why is law enforcement obliged to help Apple close off an important access point for them?鈥 -听Influencer
What do you think?听听of the Passcode Influencers Poll.
听
