The 'Hack in a Box' the Government Won’t Use in Its New York iPhone Case
Instead of using a $200 device, the Department of Justice dragged Apple to court in New York.
For anyone paying attention, the Department of Justice's approach to getting information out of encrypted iPhones is starting to look like a tangled mess.
In March, the Department of Justice's highly-publicized legal battle with Apple over an encrypted iPhone belonging to a mass shooter in San Bernardino, California ended with a deus ex machina. Thanks to the efforts of an "outside party," law enforcement were able to break into the phone using a secret hack that cost the FBI upwards of $1 million, according to FBI Director James Comey, who quipped that the hackers-for-hire made more than he will in his remaining seven years as FBI director.
If you ask Apple, which refused to break into the San Bernardino phone on behalf of the FBI, this is how things should work: Rather than compelling Apple to dedicate substantial time and resources into hacking into its own products, the government turned to the market to solve its problems.
The government apparently disagrees, however, because the DOJ is still going all in on the All Writs Act—the 1789 statute cited in the San Bernardino case—in a case in New York, over a meth dealer's iPhone 5s, running iOS 7.
"The IP-BOX has been used quite widely by many law enforcement agencies, including some federal level agencies"
It's really weird. iOS 7 predates the controversial enhanced security that Apple brought to the iPhone with iOS 8, which inflamed the "going dark" debate in 2014. Logically speaking, if the government could hack the San Bernardino phone, it can hack the New York phone. And in fact, there's a $200 hack it could use—but for some reason, won't.
Between the mysterious hack that ended the San Bernardino case, and the government's bizarre disavowal of a widely-available tool in the ongoing New York case, it looks less and less like the All Writs Cases are about the government's fear of "going dark," and more about what the government perceives as its right to keep hitting up Silicon Valley like its own personal IT department.
United States v. Shu Yong Yang, et al
United States v. Shu Yong Yang, et al, in which the government busted a meth dealing ring in New York, is an iPhone encryption-cracking case that's still actively being pursued by both the government and Apple.
The street-level dealer who owns the iPhone in question has already pleaded guilty and will be sentenced in May, yet the government is still arguing that a judge should use the All Writs Act of 1789 to compel Apple to unlock his phone.
The phone in question runs iOS 7, which is means it's less secure than the phone the FBI paid to break into in San Bernardino, which was an iPhone 5c running iOS 9. Breaking into the San Bernardino phone meant creating custom software that would take 10 to 12 engineers working full time for four to six weeks, according to Apple. But breaking into the phone in Shu Yong Yang, et al would be trivial.
In fact, until the magistrate judge in this case forced the issue, Apple was ready and willing to act as the government's Genius Bar, with a specialist telling the Department of Justice that once the prosecutors got the court order approved (with specific wording suggested in a very helpful manual Apple put out for law enforcement), it could expect a turnaround time of one to two weeks.
It's a piece of cake for Apple to bypass the lock screen on this phone, but this cuts both ways. If it's so easy for Apple, why does the government need the company's assistance in breaking into the phone? If DOJ managed to find a workaround hack in the much more technically challenging San Bernardino case, what's stopping it in the New York case?
Not much, it looks like.
While the case was still in front of Magistrate Judge Orenstein, Orenstein questioned the necessity of Apple's assistance given that the government had, in other cases in that very jurisdiction, used forensic tools to extract data from iPhones. The judge specifically cited United States v. Djibo—a criminal case against an alleged heroin smuggler.
United States v. Djibo
When Adamou Djibo was detained at New York's JFK airport in February 2015, Customs and Border Protection asked him to provide the passcode to his iPhone 5, running iOS 8.1.2. He complied. After CBP finished searching his belongings, he was arrested. Later, as the criminal case proceeded against him, his attorneys made a motion to suppress the iPhone as evidence, saying that Djibo should have had his Miranda rights read to him before he provided the passcode to his own phone.
The government disagreed, citing a whole host of reasons (for one thing, civil liberties always get a little dicier at the border). But the important thing is that the government also argued that the contents of the iPhone would have been "inevitably" discovered—meaning that even if the iPhone was illegally seized, since investigators would have gotten into it legally eventually, it should not be suppressed at trial.
Even if Djibo hadn't volunteered the passcode, the government argued, it would have gotten into the phone with the help of Homeland Security Investigations, using a "forensic technique" in HSI's possession.
Sounds ominous, right? Except the "forensic technique" in question is a $200 hack-in-a-box called IP-BOX that has been blogged about all over the internet, including by Motherboard in early 2015.
"In Djibo, the result of that morass of conflicting statements was a finding that the government had failed to establish that it would inevitably have succeeded in bypassing the passcode security on Djibo's iPhone," wrote Judge Orenstein in his ruling denying DOJ an order to compel Apple to break into the New York meth dealer's iPhone.
"That result does not remotely establish the proposition the government supports here—namely, that it is impossible for it to bypass the security of an earlier operating system without Apple's help," he continued. "What it does establish is simply that the government has made so many conflicting statements in the two cases as to render any single one of them unreliable."
Once called out by Judge Orenstein, the government claimed IP-BOX was "not a forensic tool' but rather a 'hacking tool,'" that it was "very finicky," that using it would "run the risk of activating the auto-erase feature regardless of the risk of data destruction."
Forensic scientist and iOS security expert Jonathan Ździarski says it's true that the IP-BOX is better characterized as a hacking tool rather than a forensic tool, but that it's "gained wide acceptance in the law enforcement community."
Ździarski said that a forensic tool should be judged by "repeatable and predictable results, its attention to preservation of evidence, its quality assurance and testing, and the reputation of the company." Because IP-BOX isn't "properly documented," he said, its usefulness as a forensic tool, in his opinion, was suspect.
But despite his litany of complaints against the IP-BOX, he said that it had become popular with law enforcement, so much so that there was even a manual on how to use it written by a detective at the police department in Madison, Wisconsin.
"If third party individuals can develop these techniques to get into these encrypted devices, why can't we bring more capabilities in-house to the government to be able to do that?"
"The IP-BOX has been used quite widely by many law enforcement agencies, including some federal level agencies that I know of firsthand," said Ździarski. "I've spoken to numerous investigators who've used IP-BOX in cases, and also see frequent chatter in various online forums and mailing lists from LE who are using it."
Ździarski also seemed to disagree with the government's characterization of IP-BOX as unreliable, saying that it "is generally a very reliable technique," so long as you enter the correct configuration—which, given how widely-shared the configurations are among investigators, shouldn't be an obstacle.
So in one case, the government found a third party to hack into an encrypted iPhone. In another case, the government said evidence from an encrypted iPhone shouldn't be suppressed because it would have gained access to the phone anyway using IP-BOX. And in another case, the government is saying that the under the All Writs Act, which allows for a court order to compel a third party to assist with a warrant if it is "necessary," Apple must help law enforcement crack the company's own encryption.
So, does the government really need Apple's help?
In a legal filing on Friday in the still-pending New York meth dealer case, Apple cited the Djibo case, saying that the government "offered no evidence that it had consulted with any other agencies or third parties to determine that Apple's assistance was actually necessary," nor had it exhausted "traditional investigative tools that were suggested to the government by Apple."
That reasoning was echoed in a congressional hearing on Tuesday, when Rep. Diana Degette (D-CO) asked the FBI's Amy Hess, "If third party individuals can develop these techniques to get into these encrypted devices, why can't we bring more capabilities in-house to the government to be able to do that?"
Hess demurred, saying that such solutions "require a lot of highly-skilled, specialized resources that we may not have immediately available to us."
When Degette asked if those could be developed with the "right resources," Hess replied, "No, ma'am."
In February of this year, the FBI requested an additional $38 million in its budget to fight the "going dark" problem.
The New York iPhone case is currently on appeal, and the government is set to respond to Apple's filing by Friday this week.