Apple will never know the vulnerability that allowed professional hackers, paid by the FBI, to break into the San Bernardino, California, shooter’s iPhone.
Amy Hess, the bureau’s executive assistant director for science and technology, issued a statement confirming the widespread belief that the FBI will not disclose the method used to hack the San Bernardino shooter’s iPhone. Bugs discovered by federal agencies are typically reported to the Vulnerabilities Equities Process (VEP). A White House panel then decides whether to report any findings to the company.
So what’s the FBI’s reason for not reporting it to the VEP or to Apple? It doesn’t know the exact details of the vulnerability, as it purchased the method from a third party.
“The FBI assesses that it cannot submit the method to the VEP,” Hess said. “The FBI purchased the method from an outside party so that we could unlock the San Bernardino device. We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”
The San Bernardino shooters killed 14 people in December, but one of them, Syed Farook, left behind a locked iPhone. Apple initially assisted the FBI, but the bureau then slapped a court order on the Cupertino, California, company, ordering it to create a special tool that would offer a backdoor into the iPhone.
Apple refused the order, fearing that such a tool could get into the wrong hands and jeopardize the privacy and safety of all its customers. The FBI dropped the case after it gained access to the phone, and after it paid more than $1 million to professional “gray hat” hackers. No substantial information was found on the iPhone.
And since the FBI paid for the technique, it claims its agents aren’t “familiar” with the code and are unable to disclose the vulnerability.
“Currently, we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process,” Hess said.
The Wall Street Journal reported that the Justice Department recently notified the iPhone-maker about a software vulnerability, but Apple had already made a fix. It is the first and only time the government has disclosed a bug to Apple. Internally, FBI officials said they shouldn’t disclose the technique, as Apple would patch it quickly, rendering the method useless.
Privacy advocates and tech experts have said the FBI should disclose the method to Apple so it can repair any bugs in its operating system. Apple has said it will not sue the government to find out the technique, but was hoping to find out through legal discovery in a similar but unrelated New York iPhone case. That case was dropped as well, after an unnamed party provided the passcode to the Justice Department.
An Apple spokesperson told the Wall Street Journal that whatever vulnerability the FBI used, it would have a short life span, as the company is continuing to improve and upgrade the security on its devices.
Apple did not respond to a request for comment.
Updated on 04/27/2016 by Julian Chokkattu: Added official confirmation that the FBI will not disclose the method to Apple.