In a lengthy legal rebuttal to the U.S. government, Apple yesterday deployed an unusual defense -- that its devices are susceptible to attack -- to counter arguments that it should help the Federal Bureau of Investigation (FBI) crack a terrorist's iPhone.
Apple's brief, the last submitted to a federal magistrate before she holds a hearing next week, focused on the government's use of a 1789 law, the All Writs Act, to compel the company to assist law enforcement in breaking into a passcode-locked iPhone 5C.
But the brief also ranged elsewhere, including responses to assertions by the Department of Justice (DOJ) that Apple not only should be forced to aid the FBI, but that the task would be simple and the code could safely be entrusted to Apple, which would store it at its HQ.
The iPhone in question was an employer-issued device used by Syed Rizwan Farook, who along with his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif. on Dec. 2, 2015. The two died in a shootout with police later that day.
The government has labeled the attack an act of terrorism, and last month obtained a court order requiring Apple to write software that would let the FBI electronically blast the iPhone with passcode guesses in the hope of unlocking it, then extracting data from the device.
Apple has contested the order on multiple grounds, including its argument that creating such software would be an extraordinary burden.
Among the government's prior contentions: Apple could jumpstart its work on the purported one-of-a-kind iOS by using security vulnerabilities and third-party hacking tools, including one created by the FBI, to ease that burden.
Eric Neuenschwander, Apple's manager of privacy, dismissed those avenues as not only unrealistic, but also as proof that creating a special version of iOS for Farook's iPhone would open a veritable Pandora's Box.
"The historical security vulnerabilities and jailbreak incidents Mr. Perino identifies underscore the constant battle Apple is engaged in to identify and close off security vulnerabilities," Neuenschwander said in an affidavit, referring to an earlier declaration by Stacy Perino, an electronics engineer with the FBI. Last week, Perino suggested that Apple leverage vulnerabilities and embed third-party code to create a customized version of iOS destined for Farook's phone.
"I believe that Apple's iOS platform is the most-attacked software platform in existence," Neuenschwander said. "Each time Apple closes one vulnerability, attackers work to find another. This is a constant and never-ending battle. Mr. Perino's description of third-party efforts to circumvent Apple's security demonstrates this point."
Neuenschwander also argued that creating what he slyly dubbed "GovtOS" -- a nod to the naming conventions Apple uses for its iOS, watchOS and tvOS operating systems -- would not only be an unwarranted burden on the company and threaten all iPhone owners with criminal attack, but would also put Apple's engineers in personal jeopardy.
"Those employees, if identified, could themselves become targets of retaliation, coercion, or similar threats by bad actors seeking to obtain and use GovtOS for nefarious purposes," Neuenschwander said. "I understand that such risks are why intelligence agencies often classify the names and employment of individuals with access to highly sensitive data and information, like GovtOS. The government's dismissive view of the burdens on Apple and its employees seems to ignore these and other practical implications of creating GovtOS."
Apple's lawyers also cited the firm's security problems in its primary brief yesterday, in which it took issue with the All Writs Act.
"No All Writs Act authority permits courts to require an innocent private company to create and maintain code whose 'public danger is apparent' and whose disclosure would be 'catastrophic' to the security and privacy interests of hundreds of millions of users," Apple's attorneys wrote.
In a footnote to bolster that line of logic, the brief said, "Even Apple devices are not immune from cyberattack," and referenced a March 6 story by the Reuters news service that described a recent attempt to plant "ransomware" on Macs by using a stolen cryptographic digital certificate.
Elsewhere in Apple's brief, the firm took exception to last week's implied threat by the government that, if Apple refused to cooperate, the DOJ may demand that the company hand over its iOS source code and signing key so that FBI engineers could create the tools investigators demand.
"The government also implicitly threatens that if Apple does not acquiesce, the government will seek to compel Apple to turn over its source code and private electronic signature," Apple said. "The catastrophic security implications of that threat only highlight the government's fundamental misunderstanding or reckless disregard of the technology at issue and the security risks implicated by its suggestion."
This story, "Apple cites iPhone, Mac security problems in rebuttal to FBI demands" was originally published by Computerworld.