What it means for Apple if feds have found a way to crack shooter's iPhone

In its monthlong fight with the Department of Justice over digital privacy, Apple has insisted it would under no circumstances force its engineers to undermine the company's security measures.

So when federal prosecutors announced Monday that an outside party had come forward with a technique that might unlock the iPhone used by San Bernardino terrorist Syed Rizwan Farook without Apple's cooperation, the tech giant could have reason to view it as a major victory — and a major risk.

What would be worse for a company that has insisted privacy is core to its identity — and whose marquee device is among the safest on the market? Caving to government pressure and writing its own decryption software, or conceding its phones are not as secure as some believed.

Apple, civil liberty groups and digital privacy advocates say the first option would be far more damaging.

Doing so would set a precedent for the government to compel any tech company to thwart its own security measures — a dangerous development, they say, in a world where people's lives are largely lived on digital devices.

"We built the iPhone for you, our customers," Apple Chief Executive Tim Cook said Monday as he unveiled the company's newest iPhone.

"We need to decide, as a nation, how much power the government should have over our data and our privacy," he added

But, if the government's new lead is successful, customers will need to decide whether they'll keep buying a product that, though advertised as virtually airtight, could be hackable. Apple's showdown with the FBI provides no bigger stage to put that consumer loyalty to a test.

"Whenever people tell me something is unhackable, I think about how the Titanic was unsinkable," said James Lewis, a cybersecurity expert and a senior fellow at the Center for Strategic and International Studies in Washington.

"Apple should have quietly complied since now it has the worst of both worlds," Lewis said.

Other experts say the FBI's claim that a third party can break into Farook's phone validates suspicions that the iPhone's ultra-secure reputation is overstated.

"This development proves what I've been saying all along," said David Cowan, a partner at Bessemer Venture Partners in charge of the firm's cybersecurity investments. "Apple is refusing to publicly acknowledge vulnerabilities in their phones. Despite the veneer of security, the data on our iPhones can be stolen by Apple and others. IPhones would be more secure if Apple cooperated with the FBI, and then remediate the vulnerabilities identified by the FBI. Build the back door, but board it up behind you on the way in."

Apple declined to comment. But attorneys for Apple, speaking on the condition that they not be named or directly quoted, said the company has never claimed its software is unbreakable.

They said combating hackers and criminals requires constant diligence and that the potential of a third-party hack underscores how difficult the company's job is.

If the hacker working with investigators manages to crack the iPhone, Apple should be able to weather the blowback, experts said. The company is already reportedly working on even tougher security tools for its products and software. Its newer line of phones (the 5s from 2013 and later) includes chips with so-called secure enclaves that prevent the device's flash drive from being copied and open to repeated attempts at passcode cracking. Farook was using an older model that could theoretically be open to the technique.

Despite the company's insistence throughout its fight with the FBI that security is of paramount importance, few phone buyers prioritize privacy. A Reuters/Ipsos poll released Monday found only 1 in 10 people said security — such as encryption and passcode — was the most important consideration when purchasing a new phone. The bigger deciding factors? Performance and price.

A hacker bypassing Apple's security may not have a huge effect on the company's bottom line, but if the company is forced to undermine its own security it could alter the very way tech companies do business, privacy advocates warned.

The risk is in handing a precedent-setting backdoor to law enforcement that could create opportunities to exploit anyone's phone, said Cindy Cohn, executive director of the Electronic Frontier Foundation.

"The concern is the FBI is trying to shift the ground by saying you can build a lock as strongly as you want so long as you also build us a pick to unlock it," Cohn said. "That's far more dangerous than the FBI figuring out a way in on its own."

Onlookers viewed the Justice Department's move to indefinitely postpone a Tuesday court appearance as a momentary victory for Apple — if for no other reason because it was one less day it had to fend off calls to hack into its own software.

"This round went to Apple by default," said Robert Cattanach, a former U.S. Department of Justice attorney who specializes in cybersecurity for the law firm Dorsey & Whitney. "They probably wanted a victory, but this is not a bad consolation."

If, however, its third-party hack fails, the government could still renew its push for Apple to decrypt its own software using the All Writs Act, an all-encompassing, centuries-old law aimed at providing judges the authority to issue orders when other options are exhausted.

Ultimately, the two sides may have to wait for Congress to decide through legislation where the line is drawn between law enforcement and technology.

"I don't think the postponement in court means the fight isn't going to eventually happen," said Esha Bhandari, a staff attorney for the American Civil Liberties Union. "The debate between the law enforcement and civil liberties and security communities will continue regardless of what the FBI does to get data off the San Bernardino shooter's phone."

The spat has already inspired technology companies to beef-up their security. That will likely prove especially true for Apple, which has had to address other recently discovered vulnerabilities beyond the FBI's purported workaround.

Apple users were hit with a case of ransomware earlier this month — a significant development because the company's software has not been the target of malicious attacks with the same frequency as PCs. And on Monday, researchers at Johns Hopkins University revealed a flaw in the company's iMessage platform that could potentially allow hackers to intercept files.

"This confrontation between Apple and the government is going to affect businesses the same way [NSA leaker] Edward Snowden affected businesses," said Daniel Castro, vice president of the Information Technology and Innovation Foundation. "It's going to force them to take a close look at their vulnerabilities. Apple will invest more in security, and other companies will too."

david.pierson@latimes.com

Twitter: @dhpierson

MORE ON APPLE VS. THE FBI

3 realistic solutions to prevent another FBI-Apple fight over encryption

Tim Cook jumps right into discussing Apple-FBI iPhone encryption fight

FBI should know within 2 weeks if terrorist Farook's iPhone can be unlocked without Apple's help

Copyright © 2016, Los Angeles Times
A version of this article appeared in print on March 23, 2016, in the Business section of the Los Angeles Times with the headline "A new test for apple in iPhone fight - As FBI pins its hopes on a phone hack, the tech giant reevaluates its reputation for software security." — Today's paperToday's paper | Subscribe
84°