FBI confirms it won't tell Apple how it unlocked terrorist's iPhone

Doesn't know how the hack works, FBI says; security expert calls agency's ignorance 'reckless'

The Federal Bureau of Investigation (FBI) confirmed Wednesday that it will not tell Apple how the agency hacked an iPhone used by one of the San Bernardino terrorists.

In a statement, Amy Hess, assistant director for science and technology, said the FBI will not submit technical details to the Vulnerabilities Equities Process (VEP), a policy that permits government agencies to disclose acquired software vulnerabilities to vendors.

Hess said that the FBI does not have enough information about the vulnerability to put it through the VEP.

"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," Hess said. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process."

Last month, after weeks of wrangling with Apple -- which balked at a court order compelling it to assist the FBI in unlocking the iPhone 5C used by Syed Rizwan Farook -- the agency announced it had found a way to access the device without Apple's help. Farook, along with his wife, Tashfeen Malik, killed 14 in San Bernardino, Calif., on Dec. 2, 2015. The two died in a shootout with police later that day. Authorities quickly called it a terrorist attack.

The FBI has said very little about the method, which it said came from outside the government. Although many security experts had argued that the agency could unlock the iPhone by using numerous copies of the iPhone's storage contents to input possible passcodes until the correct one was found, some subsequently said an undisclosed iOS vulnerability was what the FBI acquired.

Hess acknowledged that the FBI leans toward secrecy about what security vulnerabilities it acquires and how they work. "We generally do not comment on whether a particular vulnerability was brought before the interagency and the results of any such deliberation," Hess said. "We recognize, however, the extraordinary nature of this particular case, the intense public interest in it, and the fact that the FBI already has disclosed publicly the existence of the method."

Under VEP, federal agencies like the FBI and the National Security Agency (NSA) submit vulnerabilities to a review panel, which then decides whether the flaws should be passed along to the vendor for patching. While VEP's existence had been suspected for some time, it was only last November that the government released a redacted version of the written policy.

There is a thriving market for undocumented vulnerabilities, which are found or purchased by brokers, who then sell them to government agencies around the world, including U.S. authorities, for use against targeted individuals' computers and smartphones.

Hess's explanation of why the FBI would not submit the iPhone vulnerability to VEP signaled that the seller retained rights to the bug, almost certainly so it could sell the flaw again elsewhere. If the FBI had put the vulnerability through VEP, and Apple eventually was told, the company would then have patched the bug, preventing the broker from reselling it to others, or at a minimum greatly reducing its value.

One security expert called the FBI's decision to use the tool "reckless" because the agency had no idea how it worked.

"This should be taken as an act of recklessness by the FBI with regards to the Syed Farook case," said Jonathan Zdziarski, a noted iPhone forensics and security expert, in a Tuesday post to his personal blog. "The FBI apparently allowed an undocumented tool to run on a piece of high profile, terrorism-related evidence without having adequate knowledge of the specific function or the forensic soundness of the tool."

Zdziarski, one of the many security professionals who criticized the FBI's attempt to coerce Apple into unlocking Farook's phone, said the agency's ignorance about the tool threatened any legal case that might stem from the tool's use.

"The FBI has offered this tool to other law enforcement agencies that need it," Zdziarski wrote. "So the FBI is endorsing the use of an untested tool that they have no idea how it works, for every kind of case that could go through our court system. A tool that was also only tested, if at all, for one very specific case now [is] being used on a very broad set of types of data and evidence, which it could easily damage, alter, or -- more likely -- see thrown out of cases as soon as it's challenged."
