FBI won’t disclose how it accessed locked iPhone

WASHINGTON — The FBI said Wednesday that it will not publicly disclose the method that allowed it to access a locked iPhone used by one of the San Bernardino attackers, saying it lacks enough “technical information” about the software vulnerability that was exploited.

The decision resolves one of the thorniest questions that has confronted the federal government since it revealed last month, with minimal details, that an unidentified third party had come forward with a successful method for opening the phone. The FBI did not say how it had obtained access, leaving manufacturer Apple Inc. in the dark about how it was done.

The new announcement means that details of how the outside entity and the FBI managed to bypass the digital locks on the phone without help from Apple will remain secret, frustrating public efforts to understand the vulnerability that was detected and potentially complicating efforts to fix it.

In a statement Wednesday, FBI official Amy Hess said that although the FBI had purchased the method to access the phone — FBI Director James Comey suggested last week it had paid more than $1 million — the agency did not “purchase the rights to technical details about how the method functions,.”

The FBI’s explanation raises the possibility that it applied a purchased exploit against what it described as a potentially key piece of evidence in a sensational terrorism investigation without knowing the full technical details of what it was doing to that iPhone.

The government has for years recommended that security researchers work cooperatively and confidentially with software manufacturers before revealing that a product might be susceptible to hackers. The Obama administration has said that while disclosing a software vulnerability can weaken an opportunity to gather intelligence, leaving unprotected Internet users vulnerable to intrusions is not ideal either.

An interagency federal government effort known as the vulnerabilities equities process is responsible for reviewing such defects and weighing the pros and cons of disclosing them, taking into account whether the vulnerability can be fixed, whether it poses a significant risk if left unpatched and how much harm it could cause if discovered by an adversary.

Hess, the executive assistant director of the FBI’s science and technology branch, said Wednesday the FBI did not have enough technical details about the vulnerability to submit it to that process.

“By necessity, that process requires significant technical insight into a vulnerability. The VEP cannot perform its function without sufficient detail about the nature and extent of a vulnerability,” she said.

An Apple lawyer told reporters earlier this month that the company still believes the iPhone to be one of the most secure products on the market and expressed confidence that the vulnerability that was discovered would have a “short shelf life.”

The revelation last month that the FBI had managed to access the work phone of Syed Farook — who along with his wife killed 14 people in the December attacks in San Bernardino — halted an extraordinary court fight that flared a month earlier when a federal magistrate in California directed Apple to help the FBI hack into the device. Since then, the government has not disclosed the entity or said anything about how the work was done.

At an appearance earlier this month at Kenyon College in Ohio, Comey said the FBI had not yet decided whether to disclose details to Apple but suggested that the agency had reservations about doing so.

“If we tell Apple, they’re going to fix it and we’re back where we started,” Comey said. “As silly as it may sound, we may end up there. We just haven’t decided yet.”

The FBI director was correct, but that’s exactly the way the process should work, said Joseph Lorenzo Hall, senior technologist at the Center for Democracy and Technology.

“If you’re going to use flaws in the technology to gain access, then you better be prepared to report it,” he said.

Given the imperfections inherent in software writing, and their ability to be exploited for access, “Those bugs need to be fixed as fast as we can because we have no clue about whether there are tons and tons of bugs — or just a few,” he said.

Though one can imagine a scenario in which the FBI would hold onto its secret for “a little while,” vulnerabilities generally should be reported to the company so they have an opportunity to patch them, said Susan Landau, a cybersecurity policy professor at Worcester Polytechnic Institute.

“To me, and I think the government would clearly agree, the default should be report,” she said.

More in News

(Juneau Empire file photo)
Aurora forecast through the week of Nov. 17

These forecasts are courtesy of the University of Alaska Fairbanks’ Geophysical Institute… Continue reading

Rep. Andi Story, a Juneau Democrat, listens to a presentation during a House Education Committee meeting May 3, 2024, at the Alaska State Capitol. Story has been named co-chair of the committee for the upcoming legislative session. (Mark Sabbatini / Juneau Empire)
State Rep. Andi Story to co-chair House Education Committee under new Democrat-led majority

Sara Hannan remains on Finance Committee as Juneau representatives look to play bigger roles

Larry Gamez and Rachel Ceja collect items for a Thanksgiving food basket to deliver to a house in the Mendenhall Valley on Saturday morning as part of St. Vincent de Paul’s annual distribution program. (Mark Sabbatini / Juneau Empire)
Matching those hungry to help with those hungry to feast carries on as pre-Thanksgiving ritual

Food baskets delivered to hundreds of homes, food bank hosts annual drive on Saturday before holiday.

(Michael Penn / Juneau Empire file photo)
Police calls for Wednesday, Nov. 20, 2024

This report contains public information from law enforcement and public safety agencies.

The U.S. Capitol Christmas Tree reaches Washington, D.C., on Wednesday, Nov. 20, to much celebration. (U.S. Capitol Christmas Tree photo)
Santa’s truck-driving helpers are east bound and down to Washington, DC

U.S. Capitol Christmas Tree completes multiweek cross-country journey from Wrangell.

The Palmer project would sit in the watershed of the Chilkat River, pictured here. (Scott McMurren/Flickr under Creative Commons license 2.0)
Japanese smelting giant pulls out of major Southeast Alaska mining project

Palmer development, above the salmon-bearing Chilkat River, has for years fueled political divisions.

Juneau Police Department cars are parked outside the downtown branch station on Thursday. (Mark Sabbatini / Juneau Empire)
JPD’s daily incident reports getting thinner and vaguer. Why and does it matter?

Average of 5.12 daily incidents in October down from 10.74 a decade ago; details also far fewer.

(Michael Penn / Juneau Empire file photo)
Police calls for Monday, Nov. 18, 2024

This report contains public information from law enforcement and public safety agencies.

Most Read