FBI won’t disclose how it accessed locked iPhone

WASHINGTON — The FBI said Wednesday that it will not publicly disclose the method that allowed it to access a locked iPhone used by one of the San Bernardino attackers, saying it lacks enough “technical information” about the software vulnerability that was exploited.

The decision resolves one of the thorniest questions that has confronted the federal government since it revealed last month, with minimal details, that an unidentified third party had come forward with a successful method for opening the phone. The FBI did not say how it had obtained access, leaving manufacturer Apple Inc. in the dark about how it was done.

The new announcement means that details of how the outside entity and the FBI managed to bypass the digital locks on the phone without help from Apple will remain secret, frustrating public efforts to understand the vulnerability that was detected and potentially complicating efforts to fix it.

In a statement Wednesday, FBI official Amy Hess said that although the FBI had purchased the method to access the phone — FBI Director James Comey suggested last week it had paid more than $1 million — the agency did not “purchase the rights to technical details about how the method functions,.”

The FBI’s explanation raises the possibility that it applied a purchased exploit against what it described as a potentially key piece of evidence in a sensational terrorism investigation without knowing the full technical details of what it was doing to that iPhone.

The government has for years recommended that security researchers work cooperatively and confidentially with software manufacturers before revealing that a product might be susceptible to hackers. The Obama administration has said that while disclosing a software vulnerability can weaken an opportunity to gather intelligence, leaving unprotected Internet users vulnerable to intrusions is not ideal either.

An interagency federal government effort known as the vulnerabilities equities process is responsible for reviewing such defects and weighing the pros and cons of disclosing them, taking into account whether the vulnerability can be fixed, whether it poses a significant risk if left unpatched and how much harm it could cause if discovered by an adversary.

Hess, the executive assistant director of the FBI’s science and technology branch, said Wednesday the FBI did not have enough technical details about the vulnerability to submit it to that process.

“By necessity, that process requires significant technical insight into a vulnerability. The VEP cannot perform its function without sufficient detail about the nature and extent of a vulnerability,” she said.

An Apple lawyer told reporters earlier this month that the company still believes the iPhone to be one of the most secure products on the market and expressed confidence that the vulnerability that was discovered would have a “short shelf life.”

The revelation last month that the FBI had managed to access the work phone of Syed Farook — who along with his wife killed 14 people in the December attacks in San Bernardino — halted an extraordinary court fight that flared a month earlier when a federal magistrate in California directed Apple to help the FBI hack into the device. Since then, the government has not disclosed the entity or said anything about how the work was done.

At an appearance earlier this month at Kenyon College in Ohio, Comey said the FBI had not yet decided whether to disclose details to Apple but suggested that the agency had reservations about doing so.

“If we tell Apple, they’re going to fix it and we’re back where we started,” Comey said. “As silly as it may sound, we may end up there. We just haven’t decided yet.”

The FBI director was correct, but that’s exactly the way the process should work, said Joseph Lorenzo Hall, senior technologist at the Center for Democracy and Technology.

“If you’re going to use flaws in the technology to gain access, then you better be prepared to report it,” he said.

Given the imperfections inherent in software writing, and their ability to be exploited for access, “Those bugs need to be fixed as fast as we can because we have no clue about whether there are tons and tons of bugs — or just a few,” he said.

Though one can imagine a scenario in which the FBI would hold onto its secret for “a little while,” vulnerabilities generally should be reported to the company so they have an opportunity to patch them, said Susan Landau, a cybersecurity policy professor at Worcester Polytechnic Institute.

“To me, and I think the government would clearly agree, the default should be report,” she said.

More in News

(Juneau Empire file photo)
Aurora forecast for the week of April 8

These forecasts are courtesy of the University of Alaska Fairbanks’ Geophysical Institute… Continue reading

(Michael Penn / Juneau Empire file photo)
Police calls for Friday, April 12, 2024

This report contains public information from law enforcement and public safety agencies.

(Michael Penn / Juneau Empire file photo)
Police calls for Thursday, April 11, 2024

This report contains public information from law enforcement and public safety agencies.

The sky and mountains are reflected in the water on April 5, 2012, at the Kootznoowoo Wilderness in the Tongass National Forest’s Admiralty Island National Monument. Conservation organizations bought some private land and transferred it to the U.S. Forest Service, resulting in an incremental expansion of the Kootznoowoo Wilderness and protection of habitat important to salmon and wildlife. (Photo by Don MacDougall/U.S. Forest Service)
Conservation groups’ purchase preserves additional land in Alaska’s Tongass National Forest

A designated wilderness area in Southeast Alaska’s Tongass National Forest, the largest… Continue reading

A welcome sign is shown Sept. 22, 2021, in Tok. President Joe Biden won Alaska’s nominating contest on Saturday. (AP Photo/Rick Bowmer, File)
Biden wins more delegates in Alaska and Wyoming as he heads toward Democratic nomination

President Joe Biden nudged further ahead in the Democratic nomination for reelection… Continue reading

Juneau Assembly members and other visitors examine a meeting room formerly used by the nine-member Alaska State Board of Education and Early Development on Monday, April 8, which is about 25% larger than the Assembly Chambers at City Hall. (Mark Sabbatini / Juneau Empire)
Of three possible new City Hall buildings, one stands out — but plenty of proposed uses for other two

Michael J. Burns Building eyed as city HQ; childcare, animal shelter among options at school sites.

Senate President Gary Stevens, R-Kodiak, speaks to members of the Senate majority caucus’ leadership group on Friday. (James Brooks/Alaska Beacon)
Schools, university and projects across Alaska are set to receive money from new budget bill

Alaska Senate sends draft capital budget to House as work continues on a state spending plan

The Boney Courthouse in downtown Anchorage, across the street from the larger Nesbett Courthouse, holds the Alaska Supreme Court chambers. (Yereth Rosen/Alaska Beacon)
Alaska judge strikes down state’s cash payments to families using correspondence school programs

Decision will become a ‘hot-button legislative item’ in final weeks of session, lawmakers say.

A statue of William Henry Seward stands outside the Dimond Courthouse in downtown Juneau. (Clarise Larson / Juneau Empire file photo)
Juneau man convicted of sexual abuse of 15-year-old girl more than four years after incidents occur

JPD: Randy James Willard, 39, sent explicit videos to and engaged in sexual contact with victim.

Most Read