
Does the FBI iPhone Hack Fall Under Ethical Hacking?

The Federal Bureau of Investigation recently cracked a locked iPhone in order to procure evidence against one of the San Bernardino shooters. Now, the FBI is refusing to inform Apple how it accomplished this. In this post, I’d like to discuss the implications of the tension between the FBI and Apple, as well as whether the FBI iPhone hack falls under ethical hacking.

Some Context: Before the FBI iPhone Hack

On December 2, 2015, Syed Rizwan Farook and Tashfeen Malik committed a terrorist attack at the Inland Regional Center in San Bernardino, California. 14 people were killed and 22 more were injured.

In the ensuing investigation, the FBI recovered the shooters’ cell phones, but in February announced it couldn’t unlock Farook’s iPhone 5C. Apple was asked to create a modified version of iOS that, once installed on the phone, would bypass its security protections. Apple refused, however, claiming that this would set a dangerous precedent, that creating a backdoor would in turn create risks for its customers, and that it would violate its policy of never undermining the security features of its own products.

In response, the FBI applied to a US magistrate judge to issue a court order, which Apple intended to oppose. In the meantime, other tech giants, including Alphabet, Facebook, and Microsoft, announced their support of Apple.

“Dangerous Precedent”

I agree with Apple that complying with the FBI’s request would have set a dangerous precedent; as privacy becomes a bigger concern, what will stop the government from hacking into any device they want? Or, when backdoors are introduced, what are the chances that they’ll become public knowledge?

But on the other hand, Apple has set a precedent in which corporations can defy government orders (given, perhaps, that they have enough wealth to endure the court battles). Could it be possible that eventually, companies will violate government regulations because they disagree with them?

The FBI iPhone Hack

The litigation dragged on for a month before the FBI withdrew the suit late in March, announcing that it had unlocked the iPhone. The FBI Director, James Comey, was vague about how they did it, saying only that they bought “a tool” to hack the iPhone. According to a Washington Post article, however, the FBI worked with professional hackers who took advantage of a zero-day vulnerability in the iPhone to bypass its 10-attempt limit on entering the four-digit passcode. Without the vulnerability, the iPhone would have erased all of its data after the tenth failed attempt to unlock it.

Of course, Apple has asked for information about the vulnerability so that the issue can be fixed, but the FBI has so far not divulged the information, as it could be useful in the future. Comey stated, “We tell Apple, then they’re going to fix it, then we’re back where we started from.”

Ethical Hacking?

Determining whether the FBI iPhone hack falls under ethical hacking depends on the perspective you use to view the situation. The FBI wanted to crack the iPhone in order to gain evidence against terrorists, which is certainly ethical. According to TechTarget, however, an ethical hacker is defined as the following:

“An ethical hacker is a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding security vulnerabilities that a malicious hacker could potentially exploit.”

The key words are “on behalf of [the system or network’s] owners.” The FBI did not hack the iPhone on Apple’s behalf; it may have had a good cause, but it is also refusing to let Apple fix the vulnerability. Unless the FBI informs Apple of the security flaw, it risks malicious hackers getting hold of the information and exploiting it. This seems to fall outside the realm of ethical hacking.

What do you think? Was the FBI iPhone hack ethical or not?

Follow @Plixer on Twitter for more cybersecurity news.