comscore FBI says it won’t disclose how it accessed locked iPhone | Honolulu Star-Advertiser
Top News

FBI says it won’t disclose how it accessed locked iPhone


    An iPhone is seen in Washington on Feb. 17. The FBI said today that it will not publicly disclose the method that allowed it to break into a locked iPhone used by one of the San Bernardino attackers, saying it lacks enough technical information about the software vulnerability that was exploited.

WASHINGTON » The FBI said today that it will not publicly disclose the method that allowed it to access a locked iPhone used by one of the San Bernardino attackers, saying it lacks enough “technical information” about the software vulnerability that was exploited.

The decision resolves one of the thorniest questions that has confronted the federal government since it revealed last month, with minimal details, that an unidentified third party had come forward with a successful method for opening the phone. The FBI did not say how it had obtained access, leaving manufacturer Apple Inc. in the dark about how it was done.

The new announcement means that details of how the outside entity and the FBI managed to bypass the digital locks on the phone without help from Apple will remain secret, frustrating public efforts to understand the vulnerability that was detected and potentially complicating efforts to fix it.

In a statement today, FBI official Amy Hess said that although the FBI had purchased the method to access the phone — FBI Director James Comey suggested last week it had paid more than $1 million — the agency did not “purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”

The FBI’s explanation raises the possibility that it applied a purchased exploit against what it described as a potentially key piece of evidence in a sensational terrorism investigation without knowing the full technical details of what it was doing to that iPhone.

The government has for years recommended that security researchers work cooperatively and confidentially with software manufacturers before revealing that a product might be susceptible to hackers. The Obama administration has said that while disclosing a software vulnerability can weaken an opportunity to gather intelligence, leaving unprotected Internet users vulnerable to intrusions is not ideal either.

An interagency federal government effort known as the vulnerability equities process is responsible for reviewing such defects and weighing the pros and cons of disclosing them, taking into account whether the vulnerability can be fixed, whether it poses a significant risk if left unpatched and how much harm it could cause if discovered by an adversary.

Hess, the executive assistant director of the FBI’s science and technology branch, said today the FBI did not have enough technical details about the vulnerability to submit it to that process.

“By necessity, that process requires significant technical insight into a vulnerability. The VEP cannot perform its function without sufficient detail about the nature and extent of a vulnerability,” she said.

An Apple lawyer told reporters earlier this month that the company still believes the iPhone to be one of the most secure products on the market and expressed confidence that the vulnerability that was discovered would have a “short shelf life.”

The revelation last month that the FBI had managed to access the work phone of Syed Farook — who along with his wife killed 14 people in the December attacks in San Bernardino before dying in a police shootout — halted an extraordinary court fight that flared a month earlier when a federal magistrate in California directed Apple to help the FBI hack into the device. Since then, the government has not disclosed the entity or said anything about how the work was done.

At an appearance earlier this month at Kenyon College in Ohio, Comey said the FBI had not yet decided whether to disclose details to Apple but suggested that the agency had reservations about doing so.

“If we tell Apple, they’re going to fix it and we’re back where we started,” Comey said. “As silly as it may sound, we may end up there. We just haven’t decided yet.”

The FBI director was correct, but that’s exactly the way the process should work, said Joseph Lorenzo Hall, senior technologist at the Center for Democracy and Technology.

“If you’re going to use flaws in the technology to gain access, then you better be prepared to report it,” he said.

Given the imperfections inherent in software writing, and their ability to be exploited for access, “Those bugs need to be fixed as fast as we can because we have no clue about whether there are tons and tons of bugs — or just a few,” he said.

Though one can imagine a scenario in which the FBI would hold onto its secret for “a little while,” vulnerabilities generally should be reported to the company so they have an opportunity to patch them, said Susan Landau, a cybersecurity policy professor at Worcester Polytechnic Institute.

“To me, and I think the government would clearly agree, the default should be report,” she said.

Comments (5)

By participating in online discussions you acknowledge that you have agreed to the Terms of Service. An insightful discussion of ideas and viewpoints is encouraged, but comments must be civil and in good taste, with no personal attacks. If your comments are inappropriate, you may be banned from posting. Report comments if you believe they do not follow our guidelines.

Having trouble with comments? Learn more here.

Leave a Reply

Click here to see our full coverage of the coronavirus outbreak. Submit your coronavirus news tip.

Be the first to know
Get web push notifications from Star-Advertiser when the next breaking story happens — it's FREE! You just need a supported web browser.
Subscribe for this feature

Scroll Up