The FBI on Wednesday confirmed its decision not to inform Apple of how it hacked into the encrypted iPhone used in last December’s San Bernardino terrorist attack.
The bureau was investigating the possibility that deceased shooters Syed Farook, who used the iPhone, and his wife may have had links to other terrorist plots. It also was searching for evidence tying the two to ISIS. After Apple refused to provide a backdoor entry into the encrypted smartphone, the FBI penetrated it with the help of an outside organization.
The bureau then considered whether to submit details on how it accessed the phone’s data to the Vulnerabilities Equities Process, according to Amy S. Hess, executive assistant director for science and technology at the FBI.
“The VEP is a disciplined, rigorous and high level interagency decision making process for vulnerability disclosure that helps to ensure that all the pros and cons of disclosing or not disclosing a vulnerability are properly considered and weighed,” Hesse said.
The “VEP cannot perform its function without significant detail about the nature and extent” of the vulnerability, she noted, and the FBI concluded that it could not submit the method to the VEP.
“The FBI purchased the method from an outside party so that we could unlock the San Bernardino device,” Hesse explained. “We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”
As a result, the FBI doesn’t have enough technical information about any vulnerability “that would permit any meaningful review under the VEP process,” she said.
The FBI does not normally comment on “whether any vulnerability was brought before the interagency and the results of any such deliberation,” Hess added. However, due to the extraordinary level of interest in this case, plus the fact that the FBI publicly disclosed the existence of the method, the agency determined it was “appropriate to communicate with the interagency group, as well as the public about this important issue.”
The FBI has advised the Equities Review Board, she said.
The ERB is a senior level group of department heads and agency representatives who decide whether to ratify lower-level decisions on whether to disclose vulnerabilities, according to the Electronic Frontier Foundation.
In testimony before a House Energy and Commerce Committee hearing last week, Hess said that the FBI should not have to rely on gray hats to help it access encrypted data.
The FBI is expected in the next few days to report to the White House the rationale behind not sharing the data with Apple.
Apple officials previously expressed an interest in finding out how the iPhone data was accessed. Although the company has cooperated in dozens of prior cases with the FBI and other law enforcement agencies, it refused the bureau’s request to provide source code or other backdoor help that would enable it to break into the phone after the device accidentally was passcode-locked.
VEP Still Applies?
The VEP process arguably gives Apple the right to know exactly how the FBI accessed the iPhone’s data.
“The VEP is by its own terms supposed to apply to any vulnerability that the federal government knows of, without regard to how it learned of the vulnerability,” said Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation.
“The fact that this vulnerability won’t be subjected to the VEP shows that the process is broken,”he told the E-Commerce Times.
There doesn’t appear to be a way for Apple to figure out on its own how the bureau was able to access the encrypted data.
“We’re talking about vulnerability research, and it’s very, very hard for researchers to independently find the same vulnerability without shared information,” explained Christopher Budd, global threat communications manager at Trend Micro.
That said, it’s likely that Apple and other tech firms will accelerate the development of new levels of encryption for their devices.
“I’ve said throughout that Apple would be making countermoves based on the information they’ve gotten out of this situation,” Budd told the E-Commerce Times.
Apple did not respond to our request to comment for this story.