FBI hack may raise questions about iPhone security

The FBI hack of an iPhone 5c running iOS 9 may have left the device just a little bit insecure in the eyes of some users, as the agency has not provided details of how it was able to access data on the phone used by the San Bernardino terrorist.

On Monday, the FBI told the court that the government had successfully accessed the data stored on the iPhone used by Syed Rizwan Farook and no longer required the assistance it was demanding in court from Apple.

But the FBI did not disclose in the court filing whether it would pass the information on the hack to Apple, raising questions whether there is a vulnerability in the device that Apple may not know about.

The iPhone maker did not comment Monday on whether it would ask the FBI for information on the hack through a court or directly. If the case is vacated as recommended by the FBI, that option may not be available to Apple. But the company told reporters last week that if a new vulnerability was found in iOS by the FBI and its partner, it will want to find out what it is.

“The minute I saw the news I got worried that corporate customers of Apple might raise questions about whether their enterprise data thus could be compromised too,” said Bryan Ma, vice president for devices research at IDC. But Apple can still use the argument that the device in question was only a 5c, which didn't have Touch ID and Secure Enclave, according to Ma. Even if it was on iOS 9, it didn't have the hardware, he added.

Apple and its enterprise-focused partners like IBM can still point to the security of newer models, Ma said.

Apple was ordered in February by the U.S. District Court for the Central District in California, Eastern Division, to help the FBI unlock by brute force the iPhone used by Farook. The company was ordered by Magistrate Judge Sheri Pym to offer its technical assistance, including if required, provide signed software to bypass or disable an auto-erase function on the phone. The FBI was apprehensive that if the function had been turned on, the auto-erase function would delete the data on the phone after 10 unsuccessful tries.

Apple declined to provide the assistance and its CEO Tim Cook said that the government has demanded that Apple take an unprecedented step which threatens the security of its customers.

"Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation," Cook said in an open letter to customers. "In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession."

Earlier this month, the FBI said it had found a third party that could possibly help the agency crack the terrorist’s iPhone. Against the background of the alarm raised by Cook about providing a solution to the FBI, there is likely to be concern whether the third party assisting the agency found a flaw across Apple devices or found a workaround only to the specific phone.

“That it took a U.S. state agency months to get it should not concern the average, or above average person,” said Simon Piff, another IDC analyst. “The iPhone is still infinitely more secure than Android, which is not at all, and as a result of this public bullying by the U.S. government I am sure Apple will be looking to ensure they are beyond reproach.”

Some members of the IT security community believe that the FBI has had access to the technology and skills to hack the phone for a number of years and that its request is “more politically motivated than technologically challenged,” Piff added.

Digital rights group Electronic Frontier Foundation has asked that if the FBI has used a vulnerability to get into the iPhone, under a government policy for disclosing security vulnerabilities, called the Vulnerabilities Equities Process, there should be "a very strong bias" in favor of informing Apple of the vulnerability, which would help the company fix the flaw and secure its users.