It seems like ages ago, but it was only last year that Apple and the FBI were embroiled in a bitter legal dispute regarding an iPhone 5c which belonged to one of the San Bernardino terrorists. If you recall, the FBI at the time asked Apple to create a modified version of iOS which would have allowed them to endlessly guess the device’s passcode without initiating a system wipe. Apple, of course, vehemently refused to comply due to privacy and security concerns, with Tim Cook going so far as to claim that the FBI wanted Apple to create the “software equivalent of cancer.”
As the story played out, the FBI ultimately purchased forensic software on the open market which enabled them to access the contents of the iPhone 5c without any assistance from Apple. While there are speculative reports regarding how much the FBI paid for the specialized iPhone hack, not to mention speculation regarding which company provided the workaround, firm answers have never been provided.
And as it turns out, it seems like we may never find out. In a court ruling originally unearthed by ZDNet, Judge Tanya Chutkan ruled that the FBI does not have to reveal how much it paid for the iPhone hack or who provided it in the first place. The ruling came in response to a handful of Freedom of Information lawsuits levied by the likes of the Associated Press, the USA Today and others.
In a 27-page ruling, Chutkan explained that if the identity of the software vendor used by the FBI is made public, it may put a target on the vendor’s back and ultimately result in the software tool being released in the wild.
The ruling reads in part:
Thus, if the vendor’s identity were made public, a review of the company’s work could lead antagonists to “develop exploits for the vendor’s unique product.” Additionally, the FBI notes that because the vendor’s networks are not as sophisticated as the FBI’s cyber-security facilities, releasing the name of the vendor could subject the vendor to attacks by entities who wish to exploit the technology. Since the vendor is not as well equipped to guard against these types of attacks as is the FBI, revealing the vendor’s identity “risks disclosure, exploitation, and circumvention of a classified intelligence source and method.” Disclosure of the vendor’s identity could thus “reasonably be expected to cause serious damage to national security, as it would allow hostile entities to discover the current intelligence gathering methods used, as well as the capabilities and limitations of those methods.”
This line of reasoning logically and plausibly demonstrates how the FBI could reasonably expect the release of the vendor’s identity to cause identifiable harm to national security. If an adversary were determined to learn more information about the iPhone hacking tool the FBI acquired, it is certainly logical that the release of the name of the company that created the tool could provide insight into the tool’s technological design. Adversaries could use this information to enhance their own encryption technologies to better guard against this tool or tools the vendor develops for the FBI in the future.
Additionally, the court ruling explains that the FBI, in the future, may opt to enhance the hacking tool’s capabilities and redeploy it in other scenarios. Disclosing who provided the tool, the ruling goes on to state, has the potential to hinder the FBI’s efforts in this regard.
In the months since the FBI gained access to the iPhone 5c in question, reports surrounding how much the FBI paid for the hacking tool have varied wildly, ranging from $15,000 on the low-end to $1 million on the high-end. As for who provided it, early rumors claimed that it came from an Israeli company called Cellebrite, though subsequent reports refuted those claims.