Few individual electronic devices can have had as much impact on security and privacy as the ‘San Bernardino’ iPhone in the four months since it was siezed by the FBI. The twists and turns in its story have been dramatic, unpredictable, and for the moment seem to have come to a halt, with the FBI announcing that it has gained access to the iPhone without the help that Apple had in any case refused.
Of course the FBI has not revealed whether its third-party collaborator has been able to unlock the iPhone completely or has just provided sufficient information for the FBI’s investigation. The identity of that third party remains undisclosed, as does the technique employed to give the FBI access.
Apple’s brave stand against the FBI might now appear to have failed: in winning the battle of the San Bernardino iPhone, Apple may have lost the war to protect user privacy. Might it not have been better for Apple to have co-operated, kept control, and for whatever vulnerability the FBI’s partner has used to remain unexploited? Does this make all our iPhones now fair game for unlocking whenever a law enforcement agency wants? And how long will it be before ordinary criminals can unlock iPhones too?
Whatever means the FBI’s partner used, it must be rated as some form of security vulnerability. iPhones have had such vulnerabilities, and like every complex combination of hardware, firmware, and software, they will continue to suffer vulnerabilities – until Apple achieves perfection, pigs fly past windows, and hell is a great place for ice skating.
It is quite possible that the vulnerability is confined to older models of iPhone, and may in any case have been fixed in a recent release of iOS.
Although few press reports have noted its significance, the San Bernardino iPhone is a 5c, first released in September 2013, and lacks the hardware Secure Enclave included with iPhones such as the 5s and 6 models. As Dan Guido has explained carefully, there is a big practical difference between the security of iPhones with and without the Secure Enclave. Although exploiting any locked iPhone is hardly trivial, it is much more likely to be feasible without the Secure Enclave. Further details are given in Apple’s iOS Security Guide.
It is also quite possible that the vulnerability exploited by the FBI’s partner has already been closed by Apple in a subsequent iOS update. According to the FBI, the San Bernardino iPhone made its last data backup to iCloud on 19 October 2015, and they believe that it was used between then and the terrorist attack on 2 December 2015. Assuming that it was running iOS 9 (something which has not, I think, been officially confirmed), the latest version which it could have been running is iOS 9.1. The next update to 9.2 was not released until 8 December 2015, by which time the iPhone was already in the custody of the FBI.
Since it released iOS 9.1, Apple has released three updates to iOS: versions 9.2, 9.2.1, and 9.3. They have brought a total of 67 described security fixes, of which 11 have addressed vulnerabilities in the kernel, and 3 have addressed security-specific vulnerabilities. There is also the possibility that Apple has made other security improvements which have closed undisclosed vulnerabilities in the course of those updates.
The upshot is that there is a good prospect that whatever vulnerability was exploited to enable unlocking of the San Bernardino iPhone, assuming that it has been fully unlocked, that no longer exists in iPhones with the Secure Enclave which are running iOS 9.3, if it ever did exist on those models. Furthermore, the vulnerability may no longer exist in older iPhones running 9.3.
Even if this vulnerability does still exist in some iPhones running iOS 9.3, there is also the chance that the FBI and/or its partner will be obliged to disclose it to Apple. Given the histrionics which were bared during the FBI’s court battle with Apple, it might seem as if disclosure would come with the same flying pigs as device perfection, but the FBI may not have much say in the matter.
Thanks to the Electronic Frontier Foundation’s (EFF) efforts, US Government policy on such disclosure has been revealed, in its Vulnerabilities Equities Policy (VEP). That does not require disclosure, but it may well be difficult to avoid, particularly now that the EFF has called for it.
Apple’s stand remains resolute, and its position unaffected. It has refused to sell its users down the river, and has kept its promise. The FBI has probably not opened any floodgates on the unlocking of locked iPhones, and in any case may well end up having to disclose to Apple exactly how that was achieved in this singular case. If so, Apple can take any measures necessary to close the vulnerability which was exploited. And unless things go seriously wrong, there is no chance of a significant zero-day vulnerability falling into the hands of the more malicious – foreign security agencies or criminals – and putting our security at risk.
But if you think that this is an end to the story of the San Bernardino iPhone, be prepared for further surprises. It’s not done yet.