專家怎麼看聯邦調查局破解蘋果手機

In the week since the Federal Bureau of Investigation surprised Apple by saying that it might have found its own way into the San Bernardino gunman’s smartphone, investigators have disclosed nothing about how they did it.

本週，美國聯邦調查局(FBI)稱可能已自行找到破解聖貝納迪諾槍擊案兇手智能手機的方法，令蘋果(Apple)感到驚訝。調查人員沒有透露他們是怎樣做到的。

But that has not stopped the security industry from guessing how the iPhone’s security was defeated and who helped the FBI to uncover it.

這令安全行業人士不禁產生種種猜測，iPhone的安全防線是如何被突破的？是誰幫助FBI解鎖的呢？

The speculation is driven by both high-minded concern for the digital security of the public and hackers’ constant desire for bragging rights about who has managed to outsmart the rest.

這些猜測是出於兩種高尚的擔憂，一個是對公衆數據安全的擔憂，另一個是圍繞黑客對吹噓資本——即誰能技高一籌——孜孜以求的擔憂。

Staff at Cellebrite, an Israeli mobile forensics company known to have worked for the FBI, have claimed credit in private forums for breaking into Syed Rizwan Farook’s phone, according to two people familiar with the matter. Shares in the company’s Japan-listed parent, Sun Corp, have leapt more than 60 per cent in the past week.

據兩名知情人士透露，有Cellebrite的員工在私人論壇上宣稱成功破解了賽義德•里茲萬•法魯克(Syed Rizwan Farook)的手機。Cellebrite是一家以色列手機取證企業，以前就爲FBI提供過服務。這家公司的母公司，日本上市企業Sun Corp過去一週裏股票暴漲逾60%。

Cellebrite, which has declined to comment on the matter, is one of several forensic security companies specialising in extracting data from mobile devices. Law enforcement agencies look to such businesses for help when extracting data, critical to solving a case. They often pay a high price — in some cases, hundreds of thousands of dollars — for tools that can simplify cracking a smartphone. “The cops basically want push-button forensics,” says Jonathan Zdziarski, an iPhone security expert.

Cellebrite是一家專門從移動設備提取數據的安全取證企業，該公司對此事不予置評。執法部門在提取數據時會求助這類公司，獲取這些數據對破案起到關鍵作用。而執法部門爲了獲得可以簡單破解智能手機的工具，往往要付出不菲的費用，有時可高達數十萬美元。iPhone安全專家喬納森•茲齊亞爾斯基(Jonathan Zdziarski)表示：“基本上警方只想簡單地取證。”

As well as researching vulnerabilities themselves, these groups often scour the “grey” hacker market to buy so-called “exploits” they can package up and sell to investigators or companies for security testing.

這些企業除了自己研究安全漏洞，還經常在“灰色”黑客市場物色，購買所謂的“exploit”（漏洞），然後打包賣給調查人員或企業進行安全測試。

Marc Goodman, who has worked on cyber security for Interpol and the US government, says law enforcement agencies had long been in an “arms race” with device and software manufacturers to break their security. “This is where law enforcement and criminals have something in common,” he adds.

曾爲國際刑警組織(Interpol)及美國政府從事網絡安全工作的馬克•古德曼(Marc Goodman)表示，執法機構早就與設備和軟件製造商展開了“軍備競賽”，以突破它們的安全防線。他說：“執法者和罪犯在這一點上有共同之處。”

Security experts agree that if the FBI can hack into Farook’s iPhone 5c model, which was running a version of the iOS 9 software released last September, it could gain access to any other device with the same specifications — and most previous models. Some fear the repercussions of the FBI’s disclosure that a previously unknown flaw exists.

安全專家認爲，如果FBI可以侵入法魯克的iPhone 5C（安裝了去年9月發佈的iOS 9系統），或許也可以訪問其他任何規格相同的設備，以及以前大多數型號。有些人擔心FBI披露蘋果手機存在一個前所未知的漏洞會引發不好的反響。

“The fact that there is a confirmed exploit there for a device is certainly going to get a lot of people to look for it,” Mr Zdziarski says. “Damage control is the real question here . . . The FBI’s biggest mistake has been assuming they can contain this.”

茲齊亞爾斯基表示：“一款設備被證明存在漏洞，肯定會讓很多人想找到這個漏洞。現在最重要的問題是損害控制……FBI最大的錯誤就是以爲他們可以控制局面。”

It is imperative for Apple to find out what the vulnerability is. Experts are divided on whether the FBI’s technique would have worked on newer iPhones released since 2013, when Apple introduced hardware protection known as a “secure enclave”.

蘋果的當務之急是找出這個漏洞。目前專家們的分歧在於，FBI所採用的破解技術是否可用於從2013年起發佈的iPhone？蘋果在2013年引入了被稱爲“安全飛地”(secure enclave)的硬件保護。

Mr Goodman says the FBI’s method could probably not be replicated on a mass scale by cyber criminals, because it is likely to require possession of the device. Much simpler methods of tricking people into giving away the contents of their smartphones are widely available, such as persuading them to click on links containing so-called malware.

古德曼表示FBI的方法大概無法被網絡犯罪分子大規模複製，因爲該方法很可能需要持有具體設備。而市面上有着大量誘使人們泄露自己手機內容的更簡單的方法，比如說服人們點擊含有惡意軟件的鏈接。

Until technology is developed to enable the hacking to be done remotely, the tactic would probably be used only by state-sponsored entities, such as the US or Chinese governments, searching for “super high-value targets” such as terrorists, he says. “It could be used if you are an American travelling in China and the Chinese want access to your phone.”

古德曼表示，只要遠程入侵技術還沒開發出來，FBI的這一手段很可能只能被有政府背景的實體——比如美國或中國政府——用於尋找恐怖分子這類具有“超高價值的目標”。他說：“比如你是個美國人，正在中國旅遊，中國人想要獲取你的手機數據，就可能使用上這種手段。”

Mike Janke, chairman of Silent Circle, which makes an encrypted smartphone called the Blackphone, says he is not surprised the FBI has been able to access the phone with its “tens of millions of dollars of experts”.

加密手機Blackphone的製造商、Silent Circle的董事長麥克•揚克(Mike Janke)表示，FBI花費了“數千萬美元僱傭專家”，他一點不意外他們能破解手機。

He believes they copied the phone’s memory to automatically try different passcodes on the fake version without triggering the 10-passcode limit, in what is called a brute force attack. This method — sometimes known as “Nand mirroring” after the type of memory used in smartphones — might work on newer iPhones, some experts believe.

揚克認爲，FBI的專家複製了手機內存，然後在仿版上自動試驗不同密碼，而不會觸發10次密碼限制，也就是所謂的暴力破解法。這種方法有時被稱爲“Nand鏡像法”，源於智能手機的Nand存儲器，有些專家認爲該方法或許也能用於新版iPhone。

“It is not as hard as people think,” says Mr Janke. “There isn’t a phone in the world that cannot have its hard drive opened like this, all are susceptible.”

揚克說：“這沒有人們想象的那麼困難。世上沒有一部手機不能像這部那樣被破解，全都是可以的。”

But Adam Ghetti, chief technology officer at Ionic Security, says the FBI is likely to have used a simpler method to get into the iPhone 5c, one that could not be used on newer models. In this scenario, a hacker would have to locate the part of the chip responsible for setting the 10-passcode limit and physically solder on a new connection to a program that could reset it after nine attempts.

但Ionic Security的首席技術官亞當•蓋蒂(Adam Ghetti)表示，FBI很可能採用了更簡單的方法破解iPhone 5C，這種方法無法在較新機型上使用。該方法要求黑客必須找到芯片上負責設置10次密碼限制的部分，然後手動焊接一條新線路連到一個程序上，該程序可在9次密碼嘗試後重啓手機。

Apple is already laying the groundwork to discover the FBI’s method in other court cases involving locked iPhones. On Friday, it wrote to the judge in a New York drugs case asking to delay proceedings in light of the Department of Justice’s sudden discovery.

爲找到FBI的破解方法，蘋果已開始在其他涉及解鎖iPhone的訴訟案件上做鋪墊。上週五，蘋果給負責一起紐約毒販案的法官寫信要求推遲審理，理由就是美國司法部的突然發現。