Cybersecurity

FBI unlikely to tell Apple how it hacked into shooter’s phone

The FBI could avoid having to share the tool it used to hack into a locked iPhone with Apple by arguing it lacks proper knowledge of the process.

FBI Director James Comey said Tuesday that the bureau may not understand the workings of the tool it used to crack the phone enough to justify a White House review into whether it should share the technique with Apple.

{mosads}“We are in the midst of trying to sort that out,” Comey said at a cybersecurity event at Georgetown University, according to multiple sources. “The threshold is, are we aware of the vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability to implicate the process?” 

But, he said, “We are close to a resolution.”

Comey appeared to send a clear signal on Tuesday that the FBI doesn’t intend to help Apple uncover how it was able to unlock the device.

The agency will send formal notice to the White House in the coming days saying that officials aren’t familiar with the underlying code that runs the tool it purchased, The Wall Street Journal reports, citing people familiar with the discussions.

In other words, the agency isn’t capable of participating in the review process because it doesn’t know how the hack works.

The agency has been under pressure from technologists and digital rights activists to tell Apple how it was able to access the iPhone 5c of San Bernardino shooter Syed Rizwan Farook.

The device had been the epicenter of a fierce legal fight between the FBI and Apple, with Apple refusing to help the agency hack into the locked phone on privacy and security grounds. The dispute was abruptly resolved when the FBI announced it had purchased a “tool” from a third party that allowed it to gain access to the device without Apple’s help. 

Security experts immediately warned that whatever vulnerability the agency was able to exploit to gain access to the device has been left wide open for online criminals to find — leaving everyday users of Apple products exposed to identity theft and other crime.  

Many argued that the maneuver should be put to a White House review panel created under a little-known cybersecurity rule adopted by the Obama administration in 2010.

When the government finds a previously undiscovered hack, the panel determines whether it should be disclosed to the manufacturer to be corrected.

Although the White House says that the process is weighted toward disclosing vulnerabilities, in this case the government may have a good reason to keep the knowledge to itself: Apple says it will reject orders to help hack phones in the future.

And the FBI has court orders seeking access to dozens of locked iPhones across the country, many of which Apple is opposing. 

Whether the government should disclose the flaw to Apple, Comey said earlier this month, is “an interesting conversation, because [if] we tell Apple, they’re going to fix it, and then we’re back where we started from.” 

Critics of the so-called Vulnerabilities Equities Process were already skeptical that the review process would result in disclosure of the flaw to Apple.

The rule leaves a carve-out for national security concerns that digital rights activists say is too broad, allowing the government to hoard hacking techniques at the expense of public cybersecurity.

Christopher Soghoian, chief technologist at the American Civil Liberties Union, calls the process “broken.” 

Soghoian told The Hill that the makeup of the review board — which isn’t public — is disproportionately weighted toward intelligence and defense officials without representing privacy or technology experts from agencies like the Federal Trade Commission or the National Institute of Standards and Technology.

Now, it appears that the FBI may be able to bypass the process entirely.

“If the government can circumvent the process merely by buying vulnerabilities, then the process becomes a farce,’’ Soghoian told The Journal. “The FBI is not interested in cybersecurity.’’

Meanwhile, speculation continues apace about what, exactly, the FBI purchased — and from whom. The agency has made clear that while it has tested the mystery tool on other devices, the method doesn’t work on the latest iPhone 6 or on the iPhone 5s.

“We have a tool that works in a narrow slice of phones,” Comey said during an appearance at Ohio’s Kenyon College earlier this month.

According to reporting by The Washington Post — citing “people familiar with the matter” — the FBI paid professional hackers “a one-time flat fee” to unearth the previously unknown software flaw and tip off the agency. 

The discovery allowed the FBI to create a piece of hardware that could figure out the iPhone’s four-digit personal identification number without triggering a fail-safe security feature that would erase the phone’s data after 10 incorrect password attempts, the Post reported. 

But the exact terms of the purchase agreement are now in question. Whatever it was, Comey hinted last week that it cost the agency more than $1.3 million. 

And in the meantime, Apple is likely racing to identify and patch whatever weaknesses the tool exploits.