FBI Plans to Keep Apple iPhone-Hacking Method Secret
Move would likely keep Apple in the dark about security weakness
http://www.wsj.com/article_email/fbi-plans-to-keep-apple-iphone-hacking-method-secret-sources-say-1461694735-lMyQjAxMTE2MTI5NjcyMTYyWj

Joseph Menn / Reuters:
Apple says it received its first FBI tip via Vulnerability Equities Process on April 14; vulnerability already fixed on iOS9 and El Capitan — Apple says FBI gave it first vulnerability tip on April 14 — The FBI informed Apple Inc of a vulnerability in its iPhone and Mac software on April 14 …

Apple says FBI gave it first vulnerability tip on April 14
http://www.reuters.com/article/us-apple-encryption-fbi-disclosure-idUSKCN0XO00T

For the second time, the FBI has dropped a legal attempt to force Apple to unlock an iPhone at the last minute.

Earlier this month, the FBI backed away from the high-profile San Bernardino case the day before it was due in court by claiming it had paid a third party (apparently $1.2m) to unlock the phone.

FBI Director James Comey suggested to a conference in London that his agency paid more than $1.3 million to gray-hat hackers who were able to unlock the iPhone 5C that was used by Syed Farook Rizwan, the dead terrorist who masterminded the attack in San Bernardino, California, in December 2015.

According to Reuters, Comey was asked Thursday how much the FBI paid for the technique that eventually allowed investigators to access the locked phone.

“A lot. More than I will make in the remainder of this job, which is seven years and four months for sure,” Comey said. “But it was, in my view, worth it.”

FBI paid more than $1.3 million to break into San Bernardino iPhone
http://www.reuters.com/article/us-apple-encryption-fbi-idUSKCN0XI2IB?feedType=RSS&feedName=technologyNews&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+reuters%2FtechnologyNews+%28Reuters+Technology+News%29

Federal Bureau of Investigation Director James Comey said on Thursday the agency paid more to get into the iPhone of one of the San Bernardino shooters than he will make in the remaining seven years and four months he has in his job.

According to figures from the FBI and the U.S. Office of Management and Budget, Comey’s annual salary as of January 2015 was $183,300. Without a raise or bonus, Comey will make $1.34 million over the remainder of his job.

That suggests the FBI paid the largest ever publicized fee for a hacking job, easily surpassing the $1 million paid by U.S. information security company Zerodium to break into phones.

The FBI cannot unlock 13% of the password-protected cellphones it has seized as evidence in the past six months, a top bureau official told a House panel Tuesday.

About 30% of the 3,000-plus phones that the FBI has seized since Oct. 1 require passwords to open

“Clearly, that presents us with a challenge,” Hess told members of the House Energy and Commerce Committee, which brought in law enforcement officials and tech experts to testify about the pros and cons of “end-to-end” encryption, which is designed so that only users can unlock it.

Congress is struggling to decide what legislation — if any — it should pass on encryption.

Law enforcement officials say that such a law is needed to keep terrorists and criminals from hiding plots and evidence from investigators armed with court orders. Silicon Valley has come out strongly against the bill, saying it will make Americans more vulnerable to cyber criminals and hackers.

Requests involving more than 500 encrypted devices flooded the FBI’s Computer Analysis Response Team and the agency’s Regional Computer Forensic Laboratory programs during a four-month period beginning last October, FBI officials have said.

In a development that’s resulted in more facepalming than surprise within the cryptography community, a source tells CBS News that the FBI has found “nothing significant” in the data of the now-cracked iPhone of San Bernardino shooter Syed Rizwan Farook. According to CBS, the FBI is still analyzing the phone, which was unlocked with the assistance of contract hackers after a six-week legal dispute with Apple over the company’s refusal to help bypass its own encryption. But iPhone forensics expert Jonathan Zdziarski is skeptical: “There’s no such thing as ‘an ongoing analysis’ this long, unless you’re playing Angry Birds on Farook’s phone,” he wrote on Twitter.

Source: http://www.wired.com/2016/04/security-week-tax-day-near-irs-hackable-ever/

FBI paid professional hackers one-time fee to crack San Bernardino iPhone
https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

FBI paid professional hackers one-time fee to crack San Bernardino iPhone
https://www.washingtonpost.com/world/national-security/fbi-paid-professional-hackers-one-time-fee-to-crack-san-bernardino-iphone/2016/04/12/5397814a-00de-11e6-9d36-33d198ea26c5_story.html

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

Cracking the four-digit PIN, which the FBI had estimated would take 26 minutes, was not the hard part for the bureau. The challenge from the beginning was disabling a feature on the phone that wipes data stored on the device after 10 incorrect tries at guessing the code. A second feature also steadily increases the time allowed between attempts.

The U.S. government now has to weigh whether to disclose the flaws to Apple, a decision that probably will be made by a White House-led group.

Apple said last week that it would not sue the government to gain access to the solution.

Still, many security and privacy experts have been calling on the government to disclose the vulnerability data to Apple so that the firm can patch it.

The White House has established a process in which federal officials weigh whether to disclose any security vulnerabilities they find.

“When we discover these vulnerabilities, there’s a very strong bias towards disclosure,” White House cybersecurity coordinator Michael Daniel said in an October 2014 interview, speaking generally and not about the Apple case. “That’s for a good reason. If you had to pick the economy and the government that is most dependent on a digital infrastructure, that would be the United States.”

Once the two sides had a chance to move everything to their opposite corners of the ring, people I know (me included) began to line up behind one side or another in the fight between Apple and the FBI. Writing this blog may unleash the passions of many the same way in-depth discussions of religion or politics do. But, I just have to ask: Where do you weigh in on Apple’s refusal to unlock the phone?

It’s fait accompli – the data has been taken off the phone. But still the questions linger, and the debate should not be forgotten—and won’t be. I’ll try to summarize the competing positions.

While Apple has no sympathy for terrorists, once the FBI made the mistake of changing the Apple ID password on the phone, there was no path to obtaining the data without the creation of a backdoor.

While it would seem that Apple should, according to the FBI, be able to unlock the iPhone used in the San Bernardino terrorist attacks, and then not use it again, the reality is law enforcement nationally was lining up with iPhones in the hundreds that they wanted unlocked.

FBI director: We bought ‘a tool’ to hack terrorist’s iPhone
http://money.cnn.com/2016/04/07/technology/fbi-iphone-hack-san-bernardino/

FBI Director James Comey said Wednesday that the government had purchased “a tool” from a private party in order to unlock the iPhone used by one of the San Bernardino shooters.

“Litigation between the government and Apple over the San Bernardino phone has ended, because the government has purchased, from a private party, a way to get into that phone, 5C, running iOS 9,” Comey said.

The FBI director also said the purchased tool worked only on a “narrow slice of phones” that does not include the newest Apple models, or the 5S.

“We tell Apple, then they’re going to fix it, then we’re back where we started from,” he said. “We may end up there, we just haven’t decided yet.”