Houston Chronicle

FBI opts not to share iPhone-unlocking method with Apple

By Eric Lichtblau and Katie Benner

WASHINGTON — The FBI closed the door Wednesday to the possibility of giving Apple the technical solution that the government bought to unlock the iPhone used by one of the attackers in the mass shooting in San Bernardino, Calif.

The decision leaves Apple in the dark about the technical details of how the FBI — with help from an unknown outside group that was apparently paid at least $1.3 million — managed to bypass the company’s vaunted encryption.

After two months of tense sparring over the San Bernardino iPhone, the government’s decision was a clear rebuke to Apple. Its chief executive, Timothy Cook, has declared publicly that the company should not have to develop new software so the FBI can unlock its phones. The FBI on Wednesday appeared anxious to return the favor by refusing to divulge how it finally broke in.

The decision upset some tech industry executives, who said it appeared to run counter to the Obama administration’s promises to promote security and transparency in the nation’s cyberoperations.

Apple declined to comment Wednesday.

Tool, not blueprint

FBI officials maintained that what they bought from the outside company amounted only to a tool for getting into the phone, and not a blueprint exposing the actual security flaws in the device.

As a result, FBI officials decided not to send the issue on to a special White House panel that reviews the question of whether software vulnerabilities discovered by U.S. intelligence officials should be shared with the software designer to enhance security.

That review panel could have determined that the technical fix bought by the FBI should be shared with Apple.

“The FBI purchased the method from an outside party so that we could unlock the San Bernardino device,” Amy Hess, executive assistant director for science and technology, said.

“We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review” by the White House examiners, she said.

Soon after the government said that a third party had successfully gotten data from the phone, after giving the FBI a demonstration of its method in February, many security professionals were hopeful that the method would be made public.

“It’s the position of Obama administration that security flaws should be disclosed to the parties that can fix them,” said Denelle Dixon-Thayer, chief legal and business officer at Mozilla. She added that the fact that the FBI did not take the necessary steps to understand how the outside group opened the phone shows that the review process overall needs to be more transparent.

The government’s decision simply to hire the locksmith and ignore how that lock was opened “creates a gap in the review process” that is “not transparent and has not been set in legislation,” she said.

The FBI’s carefully worded statement reveals that law enforcement has found a loophole in the vulnerability review process created by the administration — hire the hacker to extract the data, but be careful to not know how he got the job done.

“The FBI is intentionally exploiting a known vulnerability and enabling people to profit off of it,” said Alex Rice, chief technology officer at HackerOne, a security company in San Francisco that helps coordinate vulnerability disclosure for corporations. “The collateral damage done by this lack of transparency and the possible ongoing existence of the flaw is serious.”

Little-known system

The government’s claim that it does not have enough details to provide any information to the review process is not unusual.

“Over the last 10 years as cellphones became more important to criminal investigations, law enforcement would hire digital forensics teams, would extract data for investigators without necessarily buying the capability to do it themselves,” said Ben Johnson, co-founder of security startup Carbon Black.

The FBI decided not to send the issue to the White House to review under a classified and little-known system known as the Vulnerabilities Equities Process.

There are often “legitimate pros and cons” in deciding whether a flaw should be disclosed to the designer, a senior official said in a 2014 White House blog post — one of the few times the review process has been publicly discussed.
