Security experts last Thursday said that there is a "serious risk" that the special iPhone-cracking software sought by the FBI would fall into the wrong hands if Apple is forced to assist the government in accessing the data on an iPhone used by one of the San Bernardino shooters.
"Keeping the Custom Code secret is essential to ensuring that this forensic software not pose a broader security threat to iOS users," seven security experts said Thursday in a "friends-of-the-court" brief filed with a California federal court. "But the high demand [for this software] poses a serious risk that the Custom Code will leak outside of Apple's facilities."
The amicus brief -- submitted on Thursday on behalf of the experts by the Center for Internet and Society (CIS) at Stanford Law School -- was aimed at the federal magistrate hearing a case involving Apple and the FBI. The agency wants Apple's assistance in getting into the passcode-locked iPhone 5C used by Syed Rizwan Farook, who along with his wife, Tafsheen Malik, killed 14 in San Bernardino, Calif. on Dec. 2, 2015. After the pair died in a shootout with police, authorities labeled the attack an act of terrorism.
Last month, the magistrate ordered Apple to assist the FBI by creating a heavily modified version of iOS that would disable several security safeguards, then put the software on the device so authorities can bombard it with passcode guesses. The FBI has said it believes there is unique information on Farook's iPhone that will help its investigation.
Apple is fighting the order.
The experts, who include prominent iOS security and forensics researchers, as well as several academics whose focus is cryptography and digital security, were skeptical of the government's claim that Apple's custom software would remain in safe hands.
According to the order issued last month, Apple would retain possession of the special version of iOS. The iPhone would be delivered to Apple, which would also create code so that the FBI could access the device remotely as it tried to brute-force the passcode. And the government, whose representatives have waffled over whether this would be a one-time deal, has suggested that Apple then destroy the software.
Not only is the latter very unlikely, the experts asserted, but even with the most stringent security, there would be a good chance that the code would leak into the wild.
A rogue's list would be very interested in that code, the experts contended. And they would move heaven and earth to get the goods.
"Once created, this software is going to be very valuable to law enforcement, intelligence agencies, corporate spies, identity thieves, hackers, and other attackers who will want to steal or buy the Custom Code," the brief stated.
Sign up for CIO Asia eNewsletters.