San Bernardino: Behind the Scenes

I wasn’t originally going to dig into some of the ugly details about San Bernardino, but with FBI Director Comey’s latest actions to publicly embarrass Hillary Clinton (who I don’t support), or to possibly tip the election towards Donald Trump (who I also don’t support), I am getting to learn more about James Comey and from what I’ve learned, a pattern of pushing a private agenda seems to be emerging. This is relevant because the San Bernardino iPhone matter saw numerous accusations of pushing a private agenda by Comey as well; that it was a power grab for the bureau and an attempt to get a court precedent to force private business to backdoor encryption, while lying to the public and possibly misleading the courts under the guise of terrorism.

Just to give you a little background, I started talking to the FBI on a regular basis around 2008, when I pushed my first suite of iPhone forensics tools for law enforcement. The FBI issued what they called a “major deviation” allowing their personnel to use my forensics tools on evidence. The tools were fast-tracked through NIST/NIJ (National Institute of Justice is NIST’s law-enforcement-facing arm), and findings were validated and published in 2010. During this time, I assisted some of the FBI’s RCFLs (regional computer forensics labs), including the lab director for one of them, who had informed me my tools had been used to recover crucial data in terrorism and child exploitation cases. I’ve since developed what I thought was a healthy working relationship with the FBI, and have had a number of their examiners in my training classes, testified with some of them (as an expert) on criminal cases, and so on. The reason I’m giving this background is that one would have thought that when someone with this relationship with the FBI called up a few of the agents who have been working on the San Bernardino case (because they were already in my phone book), they’d be interested in having my help to get into the phone.

False Due Diligence

Initially, they were. I spoke to one individual (whom I knew personally) and he had helped set up a conference call with a couple of the agents who were working on the case. This was maybe a week in advance, and very early on in the case. The meeting was scheduled, and the agenda was to discuss some details about the device and a couple of potential techniques that I believed might get them into the device. One of the techniques was the NAND Mirroring approach, which I later demonstrated in a video and was later definitively proven as a viable method by another researcher from the University of Cambridge. He took the more elegant way of doing it, but a quick and dirty dump-and-reball would have gotten the desired result too. Other techniques that we were going to discuss were possible screen lock bypass bugs that existed in the device’s operating system and possibly collaborating with a few other researchers who had submitted code execution bugs affecting that particular version of firmware. I already had a tested and validated forensic imaging process developed, so it was just a matter of finding the best way to bolt that onto our point of entry.

The day before the conference call was scheduled, it was killed by powers on high. I was never given a detailed reason for it, and I don’t think my contacts knew either, except that they were told they weren’t allowed to talk to anyone about the device – apparently including me, a forensics expert who had helped them to get into phones before. I don’t know if the call came down from lawyers, or if it went higher than that – it’s irrelevant, really. It was understood that nobody at the FBI could talk to me about the case, or even let me have a one-way conversation to give them a brain dump. Responsibility for that decision ultimately falls to Comey.

The reason I bring this up is that Comey’s public-facing story was that “anyone with an idea” can come to the FBI and help them out, and it made the FBI sound reasonable to the general public. This clearly wasn’t true, and what was going on behind the scenes was quite the opposite. I’m not some crazy anon either, approaching the FBI with some crackpot solution; I had a working relationship with them, and had assisted them many times before, usually pro bono (as I did with many other agencies). The people there knew me, and we had the mutual professional trust you would expect in cases such as this.

Comey’s public story about exhausting all due diligence with the SB iPhone was entirely false, and when he told both the courts and Congress this, he made a false statement. The FBI pushed hard over the next month for a court precedent, in spite of turning away help. When it became evident that the FBI wasn’t going to win this case in court, suddenly a solution from out of nowhere manifested. We paid a million dollars of our tax money for an unlock that FBI could have done for about $100 with the right equipment.

There were, at the time, a number of other questionable statements made by Director Comey that have led me to believe he wasn’t completely forthcoming in his testimony before Congress.

Recklessness, or Abuse of AWA?

In a letter emailed from FBI Press Relations in the Los Angeles Field Office, the FBI admitted to performing a reckless and forensically unsound password change that they acknowledge interfered with Apple’s attempts to re-connect Farook’s iCloud backup service. The following statement was made in order to downplay the loss of potential forensic data:

“Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act Order, since the iCloud backup does not contain everything on an iPhone.”

This statement implied only one of two possible outcomes:

1. Either they were wrong about that, and were reckless…

It is true that an iCloud backup does not contain everything on an iPhone. There is a stateful cache containing third-party application data that is never intended to come off of the phone. This is where most private content such as Wickr, Telegram, and Signal databases would live. However, this information does not come off the phone in a direct backup either. All commercial forensics tools use the same backup facility as iTunes for iOS 9, meaning none of them can get the stateful cache either.

The backup conduit provides virtually the same data as an iCloud backup. In fact, an iCloud backup arguably provides more data than a direct logical extraction because iCloud backups are incremental, and contain older backups. Desktop backups can sometimes even contain less content, as they exclude photos that have already been synced to iCloud. There are a few small exceptions to this, such as keychain data, which will only come off the phone in a direct backup if backup encryption is turned on. Ironically, if Farook’s phone has backup encryption turned on (which is likely), the FBI wouldn’t be able to get anything at all from a direct copy, because the contents would be encrypted. Even if they found the device to have backup encryption off (and turned it on), they’re still not going to get the data they actually need off of the device (e.g. the cached third-party application data); getting passwords doesn’t mean much when you can just subpoena every content provider for the data anyway.
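As an added illustration of the keychain and backup-encryption point above (my own example here, not code from the original post or from any forensics tool): a small Python inspector that reads a backup directory's Manifest.plist and reports whether the backup is encrypted, and therefore whether its contents are readable without the backup password and whether usable keychain material was included. The key names it looks at (IsEncrypted, BackupKeyBag, Lockdown/ProductVersion) are the ones found in iTunes-style backups; the two sample manifests are constructed for the example, and the keybag bytes are placeholders rather than real key material.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample Manifest.plist dictionaries (not taken from any real device).
# Key names follow the iTunes backup Manifest.plist layout; the values are made up.
SAMPLE_MANIFESTS = {
    "encrypted": {
        "Version": "10.0",
        "IsEncrypted": True,
        # Placeholder bytes standing in for the opaque BackupKeyBag blob.
        "BackupKeyBag": b"\x00" * 32,
        "Lockdown": {"ProductVersion": "9.0", "DeviceName": "constructed-device"},
    },
    "plain": {
        "Version": "10.0",
        "IsEncrypted": False,
        "Lockdown": {"ProductVersion": "9.0", "DeviceName": "constructed-device"},
    },
}


def write_sample_backup(root: Path, kind: str) -> Path:
    """Write one constructed Manifest.plist under root/<kind>/ and return that directory."""
    backup_dir = root / kind
    backup_dir.mkdir(parents=True, exist_ok=True)
    with open(backup_dir / "Manifest.plist", "wb") as fh:
        plistlib.dump(SAMPLE_MANIFESTS[kind], fh)
    return backup_dir


def inspect_backup(backup_dir) -> dict:
    """Read Manifest.plist from a backup directory and summarise what an examiner
    can expect from it, following the post's reasoning about backup encryption."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with open(manifest_path, "rb") as fh:
        manifest = plistlib.load(fh)

    encrypted = bool(manifest.get("IsEncrypted", False))
    lockdown = manifest.get("Lockdown", {})
    return {
        "ios_version": lockdown.get("ProductVersion"),
        "encrypted": encrypted,
        "has_keybag": "BackupKeyBag" in manifest,
        # Without the backup password, the file contents are ciphertext.
        "readable_without_password": not encrypted,
        # Usable keychain material only ships when backup encryption is on.
        "keychain_present": encrypted,
    }


def demo() -> dict:
    """Write both constructed backups to a temp dir and inspect each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for kind in SAMPLE_MANIFESTS:
            results[kind] = inspect_backup(write_sample_backup(root, kind))
    return results


if __name__ == "__main__":
    for kind, summary in demo().items():
        print(kind, summary)
```

Run it as a script to see the two constructed summaries side by side; to check a real backup, point `inspect_backup` at the backup's directory (the one containing Manifest.plist) instead of the generated sample.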

2. …or the government wanted to compel more assistance, and mislead the courts about it.

As I said, there is in fact more data available on the device than comes off in any backup. The only way to get to this data, however, would be for Apple to digitally decrypt and extract the contents of the file system, and provide them with a raw disk image. This is similar to what Apple had done in the past, except they would now also have to write a new decryption and extraction tool specifically for the new encryption scheme that was introduced in iOS 8, and carried into 9.

This second possibility is worse than simply being wrong about the quality of iCloud data. If the government actually did intend to get hold of this “extra” data that only Apple can provide, then that means they would be following their original AWA order with a second AWA order, requiring Apple to build a tool to decrypt and extract this content from the device. Their original order required Apple to build a backdoor brute force tool. It did not require Apple to perform any kind of extraction of the raw disk for them. If a second order was in the works, this would have meant two important things:

  1. The attorneys for the FBI provided an incomplete, and misleading explanation of assistance to the courts, which intentionally hid the extra assistance that Apple would later be required to provide in order to finish this task – assistance which, when combined with the original list of work, may have been considered unreasonable by the court.
  2. Requiring Apple to break into and image the phone would have made the backdoor tool from the first order entirely unnecessary, but would have gotten them their encryption precedent for future use.

The motives, then, for forcing the creation of this backdoor tool would of course have been to create a tool that they could compel for use in the future, and had very little to do with the device they were trying to get into. This was, based on my best guess, the real agenda that the FBI was planning to push: not only backdoor-level access into encryption, but a court precedent to force a manufacturer to deliver all of the data on any device they desire to acquire in the future.

Mishandling of Evidence?

Additionally, a number of questions remain to be satisfactorily answered. For example, Apple’s engineers seemed confident that the device had remained in a powered-on state since it was found, and may have later been turned off; however, FBI engineer Stacey Perino gave testimony that it was found powered off. Was the evidence mishandled, and accidentally powered down when it was seized? Leaving it charged and powered on would have presented a number of additional methods for extracting data from the device, including simply using Siri to pull up contacts and other information (she leaked a lot more in iOS 9.0 than she does today). Comments by both Comey and Sewell (Apple) clearly state that a backup would have worked, according to Apple’s engineers. That’s only possible if the device was found powered on.

Conclusion

Whatever the real reasons were for the FBI’s actions during San Bernardino, one thing was for certain: FBI Director Comey’s publicly stated agenda did not match the events that were unfolding behind the scenes. The FBI clearly wasn’t interested in getting into this phone at first. They canceled meetings with at least one expert about it, there are no reports of them ever reaching out to security researchers who had submitted Apple security bugs, and there is no record of them ever checking surveillance footage for Farook inputting his PIN anywhere; there’s a significant lack of evidence to support the notion that the FBI ever wanted into the phone. At the very least, it was about setting precedent. At the very worst, further abuse of the All Writs Act was in the works.

It seems as though the same type of private agenda is happening now with our presidential election. The effects of this have already become evident: Many are arguing that NC may have been swayed by Comey’s letter and the FBI’s recent public disclosures of what is portrayed in the released documents as a corruption investigation. The FBI has violated their own procedures by releasing all of this on the bleeding edge of an election. There is no question in my mind that the FBI’s publicly stated agenda doesn’t match their private one here either. As I said, there is a pattern emerging that FBI Director Comey seems to mislead the public about his real agenda, and at this point, I think there’s enough smoke that Congress should be looking into his entire history with the agency to see where else this pattern might have existed.