The FBI linked Saudi Air Force cadet 2LT Mohammed Saeed Alshamrani to Al Qaeda. Alshamrani shot and killed three sailors and injured eight on December 6, 2019, at the Pensacola Naval Air Station.
But the biggest story here isn’t that Alshamrani was a radical, who had been communicating with Al Qaeda “for years,” according to a Monday report in The New York Times; it’s that the FBI was able to establish this by hacking his iPhone, without any assistance from Apple.
The F.B.I. recently bypassed the security features on at least one of Mr. Alshamrani’s two iPhones to discover his Qaeda links. Christopher A. Wray, the director of the F.B.I., said the bureau had “effectively no help from Apple,” but he would not say how investigators obtained access to the phone.
The FBI once before was able to bypass iPhone security, back in 2015, when the agency sought Apple’s help (and was refused) to crack Syed Rizwan Farook’s phone. Farook was one of the terrorists who killed 14 and seriously injured 22 at a county health department Christmas party. That phone was an iPhone 5C running iOS 9.
The current iOS version is 13.4.1, and supposedly the exploits available five years ago are long patched away. But as the phones get more complex, exploits seem to become more abundant, especially for older phones. Alshamrani was using two phones: an iPhone 7 and an iPhone 5.
Indications have emerged that Apple’s security has grown more vulnerable. Last week, Zerodium, a company that acquires and sells weaknesses in smartphone encryption to American agencies to hack into the devices, announced that it had a surplus of such exploits for Apple’s iOS mobile operating system. (emphasis mine.)
Instead of renewing the legal battle with Apple, which the Department of Justice lost in 2015 and which Apple, under CEO Tim Cook, has publicly opposed, the FBI simply went around the company’s security and encryption.
There are two major strains of mobile smartphone operating systems: Apple iOS and Google’s Android. Android, because of its more open app architecture, is almost hopelessly trusting and therefore vulnerable. “Your phone’s manufacturer may be lying to you about the security of your Android device,” The Verge reported in 2018. “In fact, it appears that almost all of them do.”
Apple’s approach is much more of a walled garden, in that most non-Apple applications don’t have direct access to protected areas of the phone. It’s just harder to crack an iPhone that’s been locked and encrypted, and get to the payload–data the FBI and other law enforcement want–without compromising or deleting the data.
For the FBI, it’s not just a matter of getting the information. They also have to preserve the evidence chain should they want to use that information in a courtroom trial. Of course, there will be no trial for Alshamrani, since he was killed by police at the scene. And the U.S. reaction to the act of terror was proportional and appropriate: the DoD ordered all international military training at U.S. facilities to end.
It’s no surprise that a Saudi air force cadet, or frankly anyone from a Middle East country with a large radical Islamic presence, could be radicalized and in touch with groups like Al Qaeda. We must be as vigilant with our Gulf “friends” and purported partners like the Afghan government as we are with our publicly sworn enemies, because at the individual level, we just don’t know what’s in people’s heads and hearts.
But the FBI can fairly easily know what’s in their phones. Which means law enforcement, should they wish, can know what’s in yours and mine, too. Unless you have U.S. government-grade security, your “secure” device is an illusion. That’s the biggest story here.