That’s good for Apple, which wanted to avoid being enlisted to break the security of one of its own products. But it also means there’s now a hacking method floating around that can circumvent the security of an iPhone 5C running the iOS 9 operating system—and that could work on other phones as well.
We don’t really know anything about the vulnerability yet. It’s safe to bet that Apple’s security team has been combing through the code of its iOS operating system to try and find the problem. Perhaps they’ve already found it and plan to patch it, or maybe newer versions of the operating system have already fixed it. It’s also possible that newer hardware—an iPhone 6 or 6S, for example—is not vulnerable, but that’s hard to say for sure.
If the case had continued, Apple might have been able to learn the details of the exploit through formal evidence discovery. Without that mechanism, Apple has two options: find the vulnerability itself, or else rely on the FBI or its outside partner to come forward and share it.
Asked if the FBI plans to share the exploit with Apple, a law-enforcement official speaking on condition of anonymity said the government “cannot comment on the possibility of future disclosures.”
Another alternative scenario: The FBI may end up choosing not to share with Apple, but instead hand the keys to its local law-enforcement partners, who have been eager to gain access to a long backlog of locked Apple devices in their possession. The Manhattan District Attorney Cyrus Vance Jr., for one, has said that his department is sitting on a pile of 175 iPhones that he wants to crack.
If that happens, it could undo any public-relations boost that Apple received during its legal fight. For Apple, one upside of the FBI case was the spotlight it shone on the company’s security features. The company would probably want to avoid writing, “Not even the FBI can get in!” on its website, but through this high-profile case, millions of Americans became aware of that fact—until it wasn’t true anymore. Not only was the FBI able to get in (albeit with a little help), but it’s not clear that Apple even knows how it happened. That’s not a great look for a company that prides itself on privacy and security.
That the FBI finally found its way in wasn’t a big surprise to the technical community, said Zulfikar Ramzan, the CTO of RSA, a cybersecurity company. Once a device is in the hands of an attacker, “all bets are off,” Ramzan said. He says users who require high levels of security need to take it upon themselves to make attackers’ jobs harder by taking steps like choosing complex passwords.
But it may be that smartphone consumers will continue the storied tradition of not really caring about data security. A survey conducted last year by CTIA, a trade group that represents wireless-communication companies, found that nearly 40 percent of American smartphone users don’t have a PIN or passcode set up on their phones at all.