A judge has granted a sudden and unexpected request from the Justice Department to postpone a Tuesday hearing on whether Apple should have to help the FBI hack the phone of one of the San Bernardino shooters, citing a new method to potentially crack the phone’s security.
Thom Mrozek, a spokesman for the U.S. Attorney’s Office, said Monday evening that Magistrate Judge Sheri Pym of the Central California Federal District Court had granted the government’s request and ordered that Justice file a status report by April 5.
In its motion Monday afternoon to postpone the hearing, Justice Department attorneys stated that an “outside party” on Sunday had demonstrated a possible method to unlock the password-protected iPhone 5c used by now-deceased San Bernardino shooter Syed Rizwan Farook.
“Testing is required to determine whether it is a viable method that will not compromise data on Farook’s iPhone,” attorneys wrote in Monday’s court filing.
The filing came on the same day that researchers at Johns Hopkins University announced that they had compromised the encryption used to secure media sent between millions of iPhones the world over.
Earlier on Monday, Apple acknowledged flaws in iPhone security, while CEO Tim Cook doubled down on the firm’s high-stakes legal fight against the court order to help the FBI hack Farook’s phone.
“Apple works hard to make our software more secure with every release,” Apple acknowledged in a statement addressing a Washington Post report on the security flaw spotted by Johns Hopkins cryptologists. “We appreciate the team of researchers that identified this bug and brought it to our attention so we could patch the vulnerability.”
By exploiting a weakness that affects iMessage, the company’s proprietary communication protocol, the researchers conducted a brute-force attack that allowed them to make thousands of guesses before eventually cracking the 64-digit, 256-bit key needed to decrypt attachments hosted on Apple’s iCloud server, including images and videos.
While the researchers could only accomplish the hack on iPhones running older versions of Apple’s mobile operating system, Matthew Green, an assistant professor at the school’s Information Security Institute, told the Post that a nation-state with the right resources could likely use a modified version of the attack to access supposedly secure data from devices using the company’s most current, supposedly uncrackable operating system.
Ian Miers, a Ph.D. candidate involved in the research, said on Twitter that the vulnerability affected more than just the iMessage protocol, tweeting: “Apple had to fix other apps, but won’t say what.”
With both Farook and his wife, Tashfeen Malik, killed in a shootout with authorities after they killed 14 people and injured 22 others in an attack on a community center where Farook worked, FBI officials believe data on the phone may be invaluable in their ongoing investigation into the attack.
Monday’s court filings don’t say whether the researchers’ discovery is at all related to the potentially illuminating new method in question. But DOJ attorneys wrote that if the method is determined to be viable, “it should eliminate the need for the assistance from Apple Inc.”
Although Apple has suffered major security breaches in the past, the current legal fight in California largely concerns its ability to ensure that it isn’t forced to market products with a vulnerability that the FBI or other government agency, or any hacker, can readily exploit.
Regardless, Mr. Cook used a preplanned product launch Monday in Cupertino, California, to reiterate his company’s unwillingness to heed the FBI’s demands.
“We build the iPhone for you, our customers, and we know that it is a deeply personal device … an extension of ourselves,” Mr. Cook said at the event unveiling a new round of iPads and iPhones. “We believe strongly that we have a responsibility to help protect your data and your privacy. We owe it to our customers and we owe it to our country.”
• Andrew Blake can be reached at ablake@washingtontimes.com.
• Andrea Noble can be reached at anoble@washingtontimes.com.