WASHINGTON — The FBI said Wednesday that it will not publicly disclose the method that allowed it to access a locked iPhone used by one of the San Bernardino attackers, saying it lacks enough “technical information” about the software vulnerability that was exploited.
The decision resolves one of the thorniest questions that has confronted the federal government since it revealed last month, with minimal details, that an unidentified third party had come forward with a successful method for opening the phone. The FBI did not say how it had obtained access, leaving manufacturer Apple Inc. in the dark about how it was done.
The new announcement means that details of how the outside entity and the FBI managed to bypass the digital locks on the phone without help from Apple will remain secret, frustrating public efforts to understand the vulnerability that was detected and potentially complicating efforts to fix it.
In a statement Wednesday, FBI official Amy Hess said that although the FBI had purchased the method to access the phone — FBI Director James Comey suggested last week it had paid more than $1 million — the agency did not “purchase the rights to technical details about how the method functions,.”
The FBI’s explanation raises the possibility that it applied a purchased exploit against what it described as a potentially key piece of evidence in a sensational terrorism investigation without knowing the full technical details of what it was doing to that iPhone.
The government has for years recommended that security researchers work cooperatively and confidentially with software manufacturers before revealing that a product might be susceptible to hackers. The Obama administration has said that while disclosing a software vulnerability can weaken an opportunity to gather intelligence, leaving unprotected Internet users vulnerable to intrusions is not ideal either.
An interagency federal government effort known as the vulnerabilities equities process is responsible for reviewing such defects and weighing the pros and cons of disclosing them, taking into account whether the vulnerability can be fixed, whether it poses a significant risk if left unpatched and how much harm it could cause if discovered by an adversary.
Hess, the executive assistant director of the FBI’s science and technology branch, said Wednesday the FBI did not have enough technical details about the vulnerability to submit it to that process.
“By necessity, that process requires significant technical insight into a vulnerability. The VEP cannot perform its function without sufficient detail about the nature and extent of a vulnerability,” she said.
An Apple lawyer told reporters earlier this month that the company still believes the iPhone to be one of the most secure products on the market and expressed confidence that the vulnerability that was discovered would have a “short shelf life.”
The revelation last month that the FBI had managed to access the work phone of Syed Farook — who along with his wife killed 14 people in the December attacks in San Bernardino — halted an extraordinary court fight that flared a month earlier when a federal magistrate in California directed Apple to help the FBI hack into the device. Since then, the government has not disclosed the entity or said anything about how the work was done.
At an appearance earlier this month at Kenyon College in Ohio, Comey said the FBI had not yet decided whether to disclose details to Apple but suggested that the agency had reservations about doing so.
“If we tell Apple, they’re going to fix it and we’re back where we started,” Comey said. “As silly as it may sound, we may end up there. We just haven’t decided yet.”
The FBI director was correct, but that’s exactly the way the process should work, said Joseph Lorenzo Hall, senior technologist at the Center for Democracy and Technology.
“If you’re going to use flaws in the technology to gain access, then you better be prepared to report it,” he said.
Given the imperfections inherent in software writing, and their ability to be exploited for access, “Those bugs need to be fixed as fast as we can because we have no clue about whether there are tons and tons of bugs — or just a few,” he said.
Though one can imagine a scenario in which the FBI would hold onto its secret for “a little while,” vulnerabilities generally should be reported to the company so they have an opportunity to patch them, said Susan Landau, a cybersecurity policy professor at Worcester Polytechnic Institute.
“To me, and I think the government would clearly agree, the default should be report,” she said.
