top of page
  • Mike McCormick

Apple vs FBI: The Phantom Menace

Updated: Apr 3, 2023

Many think the Apple versus FBI saga ended when a third party offered to crack Syed Farook’s iPhone and the FBI withdrew its formal request to Apple for assistance. But industry insiders are still waiting for one last episode to reveal a Phantom Menace.

The phantom menace in this case is an undisclosed iPhone vulnerability the mysterious third party used to crack Farook’s iPhone 5c. We don’t know what the vulnerability was or whether it’s still present in current iPhone models. More importantly, Apple doesn’t know either. Until they do, none of us should feel safe using our iPhones.

You know the story so far. After the San Bernardino shootings, the FBI recovered an iPhone 5c belonging to one of the suspected shooters, Syed Rizwan Farook. The phone was passcode protected and set to wipe its memory after ten wrong passcode entries. The FBI wanted to examine its memory for evidence / intel. Apple assisted at first, but when they learned authorities had reset Farook’s iCloud password (a big forensic blunder) they said there was nothing more they could do to help. The FBI believed Apple could do more.

It’s widely believed that “do more” in this case meant creating a special version of the iOS operating system software that would permit more than ten failed passcode entries without wiping the device. That would let the FBI try thousands of 4-digit passcodes by brute force (all 10,000 possibilities if necessary) until they got a match. They believed it would be relatively easy for Apple to create this special “fbiOS”; it amounts to removing a few lines of login code and recompiling. It’s so easy the FBI could probably do it themselves, but they lack one key ingredient: the code signing key. This cryptographic private key is a closely guarded Apple secret used to digitally sign iOS updates. Firmware in the device checks this signature and will not install an iOS update without it.

Apple refused to create “fbiOS” or divulge the private key, arguing it sets a bad privacy precedent, or might even escape the forensics lab and fall into the hands of hackers or foreign governments. The DOJ responded by suing Apple under the All Writs Act, perhaps to establish a legal precedent for similar situations with Apple and other tech companies. Apple refused to cooperate. But then, in a surprise move, the DOJ withdrew its suit, announcing an unnamed third party had come forward to unlock Farook’s phone.

Which brings us to the phantom menace. The FBI has not disclosed to Apple how the iPhone was unlocked by the mysterious third party. Some fear the US government doesn’t want Apple to fix the problem so they can continue exploiting it to unlock other iPhones (despite earlier claims they would use “fbiOS” only on Farook’s phone). Perhaps intelligence agencies encouraged this. Apple says they won’t sue for the information, but say they have a right to know what’s wrong with its product.

There’s been intense speculation regarding the identity of the third party and how they unlocked Farook’s iPhone. Some speculate they used a technique called NAND mirroring. This would be good news since that technique doesn’t work on newer iPhone models (5s was the last). However, FBI director Comey denies using NAND mirroring and I tend to believe him. This leaves us with the frightening specter of a serious zero-day flaw in iPhone hardware or software that may still be present in the latest models.

As for the identity of the phantom third party to whom the FBI reportedly paid over a million dollars, rumors it was Israeli mobile forensics firm Cellebrite should be taken with an extra large grain of salt. That dubious story now looks suspiciously like a disinformation plant. Draw your own conclusions.

The FBI asked for Apple’s help, but cooperation should be a two-way street. Now the FBI has an ethical obligation to share any information they can with Apple about the iPhone vulnerability. The Bureau claims they don’t understand the vulnerability well enough to disclose technical details to Apple. Even if true, they might be able to provide the third party tool for Apple to reverse engineer. Or at the very least, facilitate private discussions between Apple and the phantom third party.

Almost everyone agrees it’s good that Farook’s phone was unlocked. What we’re left with now is serious uncertainty about iPhone security. Does a phantom menace lurk in our iPhones? If the third party can crack iPhones for the FBI, they can do it for others too. Consumer privacy and security are at stake until the government talks to Apple.


Michael McCormick is in information security consultant, researcher, and founder of Taproot Security.

bottom of page