
San Bernardino DA says seized iPhone may hold “dormant cyber pathogen” [Update]

He says the iPhone might be "a weapon" used to trigger some sort of nefarious worm.


(UPDATE: A day later, late Friday, the DA said there is no evidence of any such cyber doom.)

The San Bernardino District Attorney told a federal judge late Thursday that Apple must assist the authorities in unlocking the iPhone used by Syed Farook, one of the two San Bernardino shooters who killed 14 people in a rampage in December. The phone, a county work phone issued to Farook as part of his Health Department duties, may have been the trigger used to unleash a "cyber pathogen," county prosecutors said in a brief court filing.

"The iPhone is a county owned telephone that may have connected to the San Bernardino County computer network. The seized iPhone may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino's infrastructure," according to a court filing (PDF) by Michael Ramos, the San Bernardino County district attorney.

The development represents the first time any law enforcement official connected to the investigation has given an indication, other than links to possible co-conspirators, of what the authorities might discover on the phone. The district attorney's position comes a week after Jarrod Burguan, the San Bernardino police chief, said there was a "reasonably good chance that there is nothing of any value on the phone." James Comey, the FBI director, said Feb. 21 that "Maybe the phone holds the clue to finding more terrorists. Maybe it doesn't."

The county declined to comment directly. A spokesman, David Wert, told Ars in an e-mail that "The county didn't have anything to do with this brief. It was filed by the district attorney." The DA's office, which did not immediately respond to a request for comment, later followed up with a statement to Ars, saying that there is a "compelling governmental interest in acquiring any evidence of criminal conduct, additional perpetrators, potential damage to the infrastructure of San Bernardino County, and in protecting the California Constitutionally guaranteed due process rights of the victims, deceased and living, arising from state crimes committed on December 2, 2015."

Jonathan Zdziarski, a prominent iPhone forensics expert, said in a telephone interview that the district attorney is suggesting that a "magical unicorn might exist on this phone."

"The world has never seen what he is describing coming from an iPhone," Zdziarski said. "I would expect, I would demand, in order to make that statement at all, he should make some kind of proof."

"It sounds like he's making up these terms as he goes. We've never used these terms in computer science. I think what he's trying to suggest is that Farook was somehow working with someone to install a program on the iPhone that would infect the local network with some kind of virus or worm or something along those lines. Anything is possible, right? Do they have any evidence whatsoever to show there is any kind of cyber pathogen on the network or any logs or network captures to show that Farook's phone tried to introduce some unauthorized code into the system?"

In a follow-up e-mail, Zdziarski added: "This reads as an amicus designed to mislead the courts into acting irrationally in an attempt to manipulate a decision in the FBI's favor. It offers no evidence whatsoever that the device has, or even might have, malware on it. It offers no evidence that their network was ever compromised. They are essentially saying that a magical unicorn might exist on this phone."

At issue is that the Federal Bureau of Investigation wants Apple to create software that would help it bypass the passcode lock so the authorities can gain access to the iPhone. Apple is fighting a Southern California magistrate's order that it do so. Oral arguments, at which Apple hopes to persuade the magistrate to reverse the order, are set for March 22 in federal court.

The government claims that a 1789 law, known as the All Writs Act, allows judges to issue such orders on matters that no specific statute addresses.

The district attorney's revelation was contained in his application for leave to submit a friend-of-the-court brief. The amicus brief itself has not yet been lodged with the court, and San Bernardino County did not make it available when Ars requested it.
