The current encryption battle that has pitted the FBI and the U.S. Department of Justice against Apple may be over. An unnamed third party has apparently offered to help decrypt the San Bernardino shooter's iPhone, and the FBI may no longer need Apple's help.
Late today (March 21), U.S. Magistrate Judge Sheri Pym abruptly canceled tomorrow's scheduled hearing in Riverside, California, at which Apple was expected to argue that it should not be compelled to help unlock the iPhone 5c used by Syed Rizwan Farook. Today, Pym stayed her Feb. 16 order telling Apple to do so.
"An outside party demonstrated to the FBI this past weekend a possible method for unlocking the phone," DoJ spokeswoman Melanie Newman said in a statement. "We must first test this method to ensure that it doesn't destroy the data on the phone, but we remain cautiously optimistic."
Pym held a conference-call meeting this afternoon with two assistant U.S. attorneys and Apple's lawyers after the DoJ filed an application for a continuance of the hearing, with no rescheduling date requested.
"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the DoJ application said. "Testing is required to determine whether it is a viable method that will not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc."
Apple did not object to canceling the hearing, which may still be rescheduled. The DoJ must file a status report by April 5, two weeks from tomorrow, as to the success of its third-party unlocking method.
"This is the privacy nerd equivalent of canceling (or postponing) the Super Bowl," tweeted Ashkan Soltani, a privacy expert who was recently considered for a White House advisory position.
The FBI wants to search the iPhone, which was issued to Farook by his employer, for clues as to whether he and his wife, Tashfeen Malik, had outside assistance for their attack upon Farook's co-workers at a holiday party on Dec. 2. Fourteen people were killed, and Farook and Malik died in a shootout with police a short time later.
It's not clear who stepped forward to help. In a blog posting, iOS data-recovery expert Jonathan Zdziarski said he had some idea who it might be.
"The likelihood here is that a third-party contractor for FBI, such as a forensics or data-recovery firm, has devised a method and notified FBI of their findings," Zdziarski wrote. "Many firms have outright denied that they are the one. However, there are at least a few firms that are not denying it, or not talking at all."
"Only other thing I can figure," Zdziarski said in a tweet, "is someone finally pressured NSA enough to stop making fun of FBI's capabilities and quietly help."
The iPhone is running a version of iOS 9 and has a four-digit PIN to lock the screen, meaning that as many as 10,000 PIN guesses will be needed. But incorrect PIN entries will force the user to wait longer between each attempt, and the FBI fears Farook may also have set the phone to erase all personal data after 10 incorrect PIN entries.
The FBI had said only Apple could bypass the PIN-safeguarding features, and Pym ordered Apple to write new firmware for the phone that would do so. Apple refused, arguing that there was no specific law compelling it to write software that undermined its own devices' security.
But in testimony in a U.S. House hearing March 1, FBI Director James Comey admitted that the FBI had not sought the assistance of the National Security Agency. Many security experts believe the NSA could easily break into Farook's phone, and that the FBI and DoJ were using the case to establish a precedent that technology companies must assist law enforcement.
"Every credible expert knew there were alternative means," tweeted NSA-document-leaker Edward Snowden. "That [the] FBI went so far on so little demonstrated a disregard of facts."
The DoJ did not disclose what the newly found method of access might be, but its spokeswoman may have dropped a hint by admitting that there was a risk of data destruction.
It's possible to de-solder the phone's memory-storage chip, copy its contents to create a backup, then put the chip back in the phone and try to guess the PIN. (The chip has to physically be connected to the phone's motherboard to decrypt the storage.) If the phone auto-wipes the memory after 10 bad PIN entries, you restore it from backup and try again.
But de-soldering the flash chip, also known as non-volatile RAM, is a risky process, because a misplaced solder could fry a component. (Here's a video showing how to do it.) Removing and re-inserting the chip after every 10 tries would take a long time. The unnamed third party may have found a way to minimize the risk and speed up the process.
"I assume the FBI has found someone to clone and reflash the NVRAM of the San Bernardino iPhone," tweeted Matthew Green, a cryptography professor at Johns Hopkins University who earlier today revealed a flaw in Apple's iMessage encryption. "They should have done it a month ago."
Despite the technicalities, there was still the impression that the FBI and Department of Justice were backing down, perhaps after encountering unexpected resistance both among the public and among former intelligence and national-security officials.
"Seems they're abandoning this as a test case!" tweeted Nate Cardozo, an attorney with the Electronic Frontier Foundation, a digital-rights advocacy group.
Yet while this case may soon be quietly resolved, the controversy over widely available encryption that's impenetrable by law enforcement will not be.
Earlier this month, The New York Times reported that encrypted mobile-messaging service WhatsApp, owned by Facebook, was resisting pressure of its own from authorities. Apple has reportedly moved to encrypt its own iCloud backup service so securely that even it can't get in, and may be making sure to do the same with the next version of iOS.
"FBI dropping the iPhone case is a Bad Thing," tweeted Space Rogue, a longtime hacker who testified to Congress in the 1990s. "They still want their precedent. Only now they will find an easier, less well financed target."
"Whatever the outcome here, someone will eventually make a handset that neither vendor nor FBI can crack," tweeted Matt Blaze, a well-known cryptography expert. "FBI then asks Congress for a law."