Although tech companies are joining Apple’s camp en masse for the Apple/FBI court battle due to commence on March 22nd, there are many amicus briefs being posted in favour of the FBI’s argument. One of these was filed last Thursday night by the San Bernardino District Attorney, Michael Ramos. In the document, he claims that the shooter’s iPhone (which the FBI wants Apple to make a backdoor unlock for) could contain evidence that it is a digital weapon — containing a ‘cyber pathogen’ that would exploit San Bernardino infrastructure.
It’s the first time someone has implied what might actually be of interest on the phone. However, whilst the idea of a ‘cyber pathogen’ sounds scary, it really doesn’t make any sense. On his blog, iPhone forensics expert Jonathan Zdziarski explains these terms have no technical substance and even if you read between the lines to decipher the comment, it is very difficult to get any sensible meaning whatsoever.
Viruses aren’t biological: they don’t just lie dormant inside a phone on their own. They have to be used, activated or deployed. Zdziarski thinks the District Attorney is trying to claim that the shooter was attempting to compromise the local San Bernardino IT network with a virus of some kind, but the language used in the filing is factually incorrect and likely misleading to the court. There is also seemingly no other evidence that would lead investigators to believe such a claim.
If a serious computer virus did exist on the device, with the phone acting as a host of some kind, then the device would have to be jailbroken anyway. That is clearly not the case: if it were, the FBI would not need the court to compel Apple’s help in unlocking it.
The iPhone does not allow PF_INET/SOCK_RAW sockets, or any other means of sending low-level packets, to be used from within the app sandbox, so a third-party app cannot forge arbitrary network traffic. It’s unlikely that Ramos knows this, and his dramatic statements actually damage the FBI’s case: any malware capable of what he describes would need to run outside the sandbox, which means the device would have to be jailbroken. Apple’s sandbox will simply not allow an application to abuse the network stack in the way a “cyber pathogen” would require. The kind of dramatic network attack that the DA is trying to sell to Judge Pym would need exactly the low-level access the sandbox denies. iOS ports of popular attack tools such as Metasploit require a jailbroken device for this (among other) reasons, and any tool capable of injecting something this serious would need the same.
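As an added illustration (not code from the article or from Zdziarski’s post), the C program below asks the kernel for an ordinary TCP socket and then for a PF_INET/SOCK_RAW socket, and reports whether the raw one was refused. It is written for a desktop POSIX system (Linux or macOS), where the same privilege check exists: raw sockets require root, or CAP_NET_RAW on Linux, while a plain stream socket needs nothing. Running it on a desktop does not exercise the iOS-specific sandbox rule the article describes; it shows what an unprivileged process sees when it tries, which is the point the article makes about sandboxed apps. The result names, the choice of IPPROTO_ICMP and the errno classification are this example’s own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* What happened when we asked the kernel for a raw IP socket. */
enum raw_socket_result {
    RAW_SOCKET_CREATED = 0,  /* caller is privileged (root, or CAP_NET_RAW on Linux) */
    RAW_SOCKET_DENIED  = 1,  /* kernel refused on privilege grounds: EPERM or EACCES */
    RAW_SOCKET_OTHER   = 2   /* refused for another reason (protocol unsupported, fd limit, ...) */
};

/* Map the errno left by a failed socket(2) call onto the outcome above.
 * Kept apart from the syscall so the classification can be checked on its own.
 * Treating EACCES like EPERM is this example's choice: some sandboxes report it instead. */
enum raw_socket_result classify_socket_errno(int err) {
    if (err == EPERM || err == EACCES)
        return RAW_SOCKET_DENIED;
    return RAW_SOCKET_OTHER;
}

/* Try to create a socket of the given kind and close it at once if granted.
 * Returns 0 when the kernel handed back a descriptor, -1 (errno set) otherwise. */
static int try_socket(int domain, int type, int protocol) {
    int fd = socket(domain, type, protocol);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* An ordinary TCP socket: no privilege needed, any sandboxed app can open one. */
int stream_socket_allowed(void) {
    return try_socket(PF_INET, SOCK_STREAM, 0) == 0;
}

/* A raw IP socket, the primitive needed to forge arbitrary packets.
 * PF_INET + SOCK_RAW is the combination the article says the iOS app sandbox refuses. */
enum raw_socket_result probe_raw_socket(void) {
    if (try_socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) == 0)
        return RAW_SOCKET_CREATED;
    return classify_socket_errno(errno);
}

int main(void) {
    printf("euid=%u, TCP socket: %s\n",
           (unsigned)geteuid(), stream_socket_allowed() ? "granted" : "refused");

    enum raw_socket_result r = probe_raw_socket();
    switch (r) {
    case RAW_SOCKET_CREATED:
        puts("raw socket: granted (this process is privileged enough to forge packets)");
        break;
    case RAW_SOCKET_DENIED:
        printf("raw socket: denied (%s); no packet crafting from here\n", strerror(errno));
        break;
    default:
        printf("raw socket: failed for another reason (%s)\n", strerror(errno));
        break;
    }
    return 0;
}
```

Run it once as a normal user and once as root (or with `sudo`): the TCP socket is granted both times, the raw socket only the second time. That asymmetry is the whole of the "cyber pathogen" objection in one syscall: an app confined to unprivileged socket types can talk to servers, but it cannot craft the packets a network attack on infrastructure would need.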
If this filing is meant as a scaremongering tactic to sway court feeling towards the FBI argument, then it’s not a great one: any inspection by an expert reveals the blatant weaknesses in the argument. It could also be the honest opinion of someone who is simply not educated in technology, in which case it will also likely get disregarded once Apple’s lawyers get a chance to comment in court.
The Apple/FBI court fight begins on March 22nd, a day after Apple’s rumored media event where the company will unveil a new 4-inch iPhone, a 9.7-inch iPad Pro and an Apple Watch refresh. Tech companies including Google, Facebook, Snapchat, Microsoft and Dropbox have all submitted amicus briefs defending Apple’s position. Apple is keeping a complete list of filings that support its argument on its website.