When the FBI paid someone to crack the San Bernardino shooter’s iPhone, it didn’t just deftly bypass Apple’s objections. It also made the public aware of the business side of hacking—a business that is apparently as lucrative as it is discreet. “The recent argument between Apple and the FBI over unlocking an iPhone has likely revealed to the public for the first time that companies who specialize in cracking mobile devices even exist,” said Bill Anderson, chief product officer at OptioLabs, a mobile-security developer.
Everything we learn about the FBI’s hackers makes the situation more intriguing. Initial reports indicated the feds were using the services of Israeli mobile forensics firm Cellebrite to crack open Syed Rizwan Farook’s iPhone. Since then, a Washington Post report claimed the FBI hired independent professional hackers, who used a zero-day exploit (a vulnerability unknown to Apple). Another April report showed that the FBI is now willing to help local law enforcement agencies around the country crack iPhones they have in evidence.
Though the FBI has remained mum on any specifics, a recent remark by FBI Director James Comey suggested the fee for the hack was well over a million dollars. Most recently, the FBI declined to divulge details to another government program (the Vulnerabilities Equities Process), claiming ignorance of how the hack actually worked.
Cellebrite, or whoever it may be, is just one company that can attempt to unlock a phone in law enforcement’s possession, but now we—and profit-minded hackers—also know how profitable this business can be, pointed out Shane McGee, chief privacy officer at cyber-security firm FireEye. “That publicity is like a beacon to vulnerability researchers and security experts that would otherwise show little interest in hacking iOS,” he told me.
Beyond one phone
Farook was using an iPhone 5c, so there could be other vulnerabilities in this phone and others that have yet to be found—and possibly monetized. “While most researchers that discover vulnerabilities practice responsible disclosure and communicate those vulnerabilities to Apple so they can be patched,” McGee added, “I’m sure we’ll also see some trying to sell their exploits to the highest bidder, including the Department of Justice.”
Forensic scientist and iOS security expert Jonathan Zdziarski told me he believes it will be business as usual for mobile forensics startups, but the veil has been lifted somewhat.
“I believe the only thing this case has done is it’s made the public more aware of what goes on daily,” added Lewis Daniels from Secure Any Mobile, on the business of breaking encryption. “This of course will make the hacking community more attractive,” he said, “as working with the authorities to do what they have the passion for doing is a great opportunity and legal.”
Braden Perry, a Kansas City attorney specializing in regulatory and governmental matters, told me the Apple-FBI case could encourage security companies to help authorities and compete for what he called “lucrative contracts.” Perry noted that these companies would have to adhere to strict guidelines in their business relationships, but where this could get muddy is in places outside of the United States’ jurisdiction. This could open up a new avenue for individuals and companies to try to unlock phones for what Perry called “more sinister purposes.”
“In the end, the public announcement that iPhones can be unlocked through an outside party empowers others to attempt the same,” he said.
That said, there was a mixed view among many of the people I spoke with over whether law enforcement agencies will now seek out external companies’ help rather than serve notice to an OS maker, like Apple.
Dr. Yehuda Lindell, of Israeli encryption startup Dyadic Security, suggested the FBI might decide to streamline the process by hiring its own hackers. “It would make more sense to me that the way law enforcement respond to this is to develop in-house expertise to do it themselves,” Lindell said. “I can’t see them always going to an external company.”
Making an exception
There’s another side to the encryption debate, where people want to access a phone for more sentimental reasons. An Italian man wrote a public letter to Apple in March asking the company to circumvent the encryption on his deceased son’s iPhone to retrieve photographs stored on the device. “Don’t deny me the memories of my son,” he wrote. Much like some of the families of victims in Farook’s crimes, he may be struggling to understand why an exception can’t be made in such heartbreaking circumstances.
Mark Grabowski, communications professor at Adelphi University in New York, points out that phone-cracking services have always been available on the Deep Web. “Despite all the publicity the FBI’s hacking of the iPhone has brought, that’s where they will likely remain since it is a crime to hack into someone else’s phone,” Grabowski said.
The very nature of phone hacking means that even legitimate professionals have good reason to maintain a low profile. “While the U.S. government wants companies to help them hack into others’ phones, I don’t think they want these tricks shared with others,” Grabowski explained. “So, I don’t expect companies to be openly advertising these services anytime soon—at least not to hack into third-party cell phones—unless it’s an ‘ethical hacking’ service where they’re hired to test their own client’s cell phone security.”