Pixel Envy

Written by Nick Heer.

Archive for April 14th, 2021

Private Exploit Marketplaces May Have Broad Security Benefits

Hey, remember that iPhone 5C that the U.S. government barely tried to crack before demanding Apple give them a back door, only to find a way in just one day before a related court hearing was to begin? It turns out that the company that they paid to crack it was not one of the usual suspects like Cellebrite or Grayshift.

Ellen Nakashima and Reed Albergotti, Washington Post:

The iPhone used by a terrorist in the San Bernardino shooting was unlocked by a small Australian hacking firm in 2016, ending a momentous standoff between the U.S. government and the tech titan Apple.

Azimuth Security, a publicity-shy company that says it sells its cyber wares only to democratic governments, secretly crafted the solution the FBI used to gain access to the device, according to several people familiar with the matter. The iPhone was used by one of two shooters whose December 2015 attack left more than a dozen people dead.

[…]

Apple has a tense relationship with security research firms. Wilder said the company believes researchers should disclose all vulnerabilities to Apple so that the company can more quickly fix them. Doing so would help preserve its reputation as having secure devices.

What a bizarre turn of phrase. It would help it “preserve its reputation as having secure devices” because it really would help improve the security of its devices for all users, in much the same way that telling a fire department that there is a fire nearby would help a building’s reputation as a fire-free zone.

Thanks to this report, we now know some of the backstory of how the 5C came to be cracked without Apple’s intervention, and Nakashima and Albergotti confirm why the FBI was so eager to take Apple to court for this specific case:

Months of effort to find a way to unlock the phone were unsuccessful. But Justice Department and FBI leaders, including Director James B. Comey, believed Apple could help and should be legally compelled to try. And Justice Department officials felt this case — in which a dead terrorist’s phone might have clues to prevent another attack — provided the most compelling grounds to date to win a favorable court precedent.

It was not “months of effort”; according to a Department of Justice report, the FBI spent a few hours actively trying to figure out how to crack the device. But if it was not perfectly clear before, it is now: this was the model case for getting a law enforcement back door in encryption because it involved a terrorist. The next time the FBI brought this up, it was because of another terrorist attack. In both cases, the iPhones were able to be cracked without Apple’s intervention.

Most of all, this report adds one more data point to the debate over the ethics of the zero-day market. If Azimuth had reported the vulnerabilities it exploited in cracking this iPhone — including a critical one reportedly found well before this terrorist attack occurred — Apple could have patched it and improved the security of its devices. However, if third parties were unable to find an adequate exploit, a court may have compelled Apple to write a version of iOS that would give law enforcement an easier time breaking into this iPhone. Once that precedent is set, it cannot be un-set.

Katie Moussouris of Luta Security on Twitter:

Selling exploits to law enforcement removes their plausible cause to petition courts to order Apple & others to self-sabotage security of all customers.

Azimuth’s exploit sale saved us all from a mandated back door then, & the court precedent that would force backdoors elsewhere.

I’m midway through Kim Zetter’s excellent “Countdown to Zero Day”. One of the chapters is dedicated to exactly this question in the context of Stuxnet: how much responsibility do security researchers have to report critical security problems to vendors? An auxiliary question some specific vendors, like Microsoft, may face is what their obligation is for patching vulnerabilities that may be currently exploited by friendly governments in their intelligence efforts. That is something Google’s Project Zero wrestled with recently.

In the case of this iPhone, it seems like the private exploit marketplace helped avoid a difficult trial that may have, in effect, resulted in weakened encryption. But it is a marketplace that creates clear risks: platform vendors cannot patch software they do not know is vulnerable; there is little control over the ultimate recipient of a purchased exploit, despite what companies like Azimuth say about their due diligence; and these marketplaces operate with little oversight.

It does seem likely that this market perhaps provides some security benefit to us all. So long as bug bounty programs continue to pay well and there are true white hat researchers, vulnerabilities will continue to be found, responsibly disclosed, and patched. If it manages to avert mandatory back doors or other weakening that at least seven countries’ governments are demanding, it may be to our benefit.

I do not like that idea, but I like the apparent alternatives — anything requiring deliberate flaws in encryption — a whole lot less. In a better world, I would rather these exploits be reported immediately to platform vendors. But the lid for this particular Pandora’s Box has long been lost.

End Trends

Charlie Warzel, in the first edition of his new newsletter Galaxy Brain:

The entire phenomenon of “Twitter’s Main Character” functions as a master class in context collapse. Many Very Online Users approach this daily ritual as something between high school cafeteria gossip time and one of those Rage Rooms where you pay money to break things with a hammer. But what’s really happening is thousands of strong individual online identities colliding against each other. In Hunt’s case, it was horror and sci-fi fans and film buffs who felt it was important to weigh in as a way to maintain their particular identities.

[…]

Twitter’s Trending Topics only seem only to exacerbate the site’s worst tendencies, often by highlighting the day’s (frequently trollish or bigoted) main character and increasing the opportunities for context collapse. And of course, none of this is new. For years, Twitter let Trending Topics devolve into a cesspool of misinformation. Conspiracy theorists and trolls have hijacked hashtags and manipulated trending topics to sow confusion and inject dangerous ideas into mainstream discourse.

You cannot escape the cloud of radioactive waste emanating from Twitter’s trending list even if you try. For one, the structure of Twitter’s website makes it difficult to hide the list of trends.1 It is far easier, not to mention much nicer, to use a Twitter client like Tweetbot or Twitterrific, where the list of trending topics is buried in some part of the app you never have to touch.

But everybody else is seeing those trends and piling on. Most people use Twitter through its website or official apps, all of which push trending topics to the foreground, so they all get a full menu of today’s main characters from which they can choose which outrage to weigh in on. You know those rules of thumb about breaking news stories? Trending topics on Twitter are like the pure concentrated version of what happens when those rules are ignored.


  1. I had some luck by adding div[data-testid="sidebarColumn"] section[aria-labelledby^="accessible-list"] div[role="link"] { display: none !important; } to my Safari.css file, but it seems fragile and likely to break. Nothing in Twitter’s website is named semantically. The markup looks like it was written by people who do not care. I bet they do, though, and have no say in how this thing is built. ↩︎