Carnegie Mellon May Have Helped the U.S. Government Access a Terror-Linked iPhone
It’s not clear if this relates to the San Bernardino case
by JOSEPH COX
Cops are going to hack. As encryption and anonymity technologies continue to proliferate, the FBI and other law enforcement agencies increasingly use hacking tools to aid their investigations or identify criminals.
With that in mind, researchers at Carnegie Mellon University’s Software Engineering Institute discovered an iPhone vulnerability that a government agency used in a high-profile terrorism case, a source claimed.
It’s not clear which terrorism case this referred to, nor how useful the iPhone vulnerability proved in the case.
SEI is a federally funded research and development center, a public-private partnership that conducts work for the U.S. government and is sponsored by the Department of Defense.
According to SEI’s website, tools, technologies and practices developed by the research organization can help the Pentagon and other government agencies meet mission goals.
In 2014, researchers from SEI carried out work on the Tor network that obtained users’ real I.P. addresses, as well as those of hidden services such as Silk Road 2. As Motherboard confirmed last year, the FBI subpoenaed SEI for the collected I.P. addresses and then used this information to prosecute a number of dark-web criminals.
Spokespeople for SEI, Apple and the Department of Defense acknowledged requests for comment but did not provide a response. The FBI declined to comment.
The so-called Going Dark phenomenon, in which law enforcement agencies say they are losing access to key intelligence because of the spread of encryption, has pushed the idea of legal hacking into the mainstream.
“I think that we really need the cooperation of industry, we need the cooperation of academia, we need the cooperation of the private sector in order to come up with solutions,” Amy Hess, then head of the FBI’s Operational Technology Division, said of hacking tools during a congressional hearing in April 2016.
In early 2016, the FBI tried to force Apple to develop a custom operating system that would allow the agency to unlock an encrypted iPhone 5C used by one of the San Bernardino terrorists. Apple declined, fighting back against a court order to access the phone, saying it would undermine the security of iOS devices more generally.
After an intense legal battle, the FBI said an outside party had unlocked the device instead. Despite earlier indications that the third party had been Israeli phone cracking company Cellebrite, The Washington Post reported that the FBI paid a one-off fee to other researchers who had discovered a previously unknown software vulnerability.
It is unclear if the iPhone vulnerability found by CMU researchers is connected to the San Bernardino case, but it’s possible.
In a Freedom of Information lawsuit brought by the Associated Press, VICE Media, and the parent company of USA Today, the FBI released nearly 100 pages of records related to the San Bernardino exploit sale. Many of the sections were redacted, however.
Apple iPhones continue to be an illustrious target for both government hackers and the groups or companies that hunt out vulnerabilities affecting the devices. When agencies need to turn to leading researchers to compromise consumer phones, that’s a testament to how secure everyday products have become.