Condolences to Apple for its Big Win

The company no longer has to help the FBI hack an iPhone, but now it has to deal with questions about its security features.

Apple CEO Tim Cook speaks during an Apple event in San Francisco. (Beck Diefenbach / Reuters)

Apple’s officially off the hook: A federal court order that would have required the company to help the FBI hack into an iPhone—to build the “software equivalent of cancer,” in the words of Apple CEO Tim Cook—has been taken off the table. A case that threatened to travel all the way to the Supreme Court has been dropped.

Apple’s lawyers and engineers may have poured a celebratory beer or two last night, but they probably aren’t yet popping the champagne. That’s because the reprieve will likely prove only temporary—and the issues that the long court fight has dug up over the last month and a half could continue to haunt Apple for some time.

The FBI said Monday that it’s dropping its case against Apple because it found a way to hack into the iPhone 5C used by one of the San Bernardino shooters. Previously, the FBI had maintained that accessing the data on the iPhone would be impossible without Apple’s help. But for the first time last week, the agency indicated otherwise, announcing it had been approached by a third party outside of the government with an alternative means of getting into the phone. When that hacking method proved successful, the FBI couldn’t argue that Apple’s participation was necessary anymore.

That’s good for Apple, which wanted to avoid being enlisted to break the security of one of its own products. But it also means there’s now a hacking method floating around that can circumvent the security of an iPhone 5C running the iOS 9 operating system—and that could work on other phones as well.

We don’t really know anything about the vulnerability yet. It’s safe to bet that Apple’s security team has been combing through the code of its iOS operating system to try and find the problem. Perhaps they’ve already found it and plan to patch it, or maybe newer versions of the operating system have already fixed it. It’s also possible that newer hardware—an iPhone 6 or 6S, for example—is not vulnerable, but that’s hard to say for sure.

If the case had continued, Apple might have been able to learn the details of the exploit through formal evidence discovery. Without that mechanism, Apple has two options: find the vulnerability itself, or else rely on the FBI or its outside partner to come forward and share it.

Asked if the FBI plans to share the exploit with Apple, a law-enforcement official speaking on condition of anonymity said the government “cannot comment on the possibility of future disclosures.”

Another alternative scenario: The FBI may end up choosing not to share with Apple, but instead hand the keys to its local law-enforcement partners, who have been eager to gain access to a long backlog of locked Apple devices in their possession. Manhattan District Attorney Cyrus Vance Jr., for one, has said that his department is sitting on a pile of 175 iPhones that he wants to crack.

If that happens, it could undo any public-relations boost that Apple received during its legal fight. For Apple, one upside of the FBI case was the spotlight it shone on the company’s security features. The company would probably want to avoid writing, “Not even the FBI can get in!” on its website, but through this high-profile case, millions of Americans became aware of that fact—until it wasn’t true anymore. Not only was the FBI able to get in (albeit with a little help), but it’s not clear that Apple even knows how it happened. That’s not a great look for a company that prides itself on privacy and security.

That the FBI finally found its way in wasn’t a big surprise to the technical community, said Zulfikar Ramzan, the CTO of RSA, a cybersecurity company. Once a device is in the hands of an attacker, “all bets are off,” Ramzan said. He says users that require high levels of security need to take it upon themselves to make attackers’ jobs harder by taking steps like choosing complex passwords.

But it may be that smartphone consumers will continue the storied tradition of not really caring about data security. A survey conducted last year by CTIA, a trade group that represents wireless-communication companies, found that nearly 40 percent of American smartphone users don’t have a PIN or passcode set up on their phones at all.

If the Apple-FBI case achieved one thing, though, it was to bring national attention to the long-simmering debate over digital security and law-enforcement access to encrypted data. Just yesterday, the tens of millions of people who receive push notifications from The New York Times learned within minutes that the FBI had dropped its case against Apple. Data security is not usually a breaking-news item, but for nearly seven weeks, it was.

If that means some consumers will ask about security features next time they’re browsing smartphones at Best Buy, that could be a boon for Apple, which is generally considered the industry leader in device security. But with a security vulnerability on the loose and little information available about it, the company’s got some housecleaning to do in order to maintain buyers’ trust.