It’s official: The FBI won’t tell Apple how it cracked the iPhone 5c used by San Bernardino attacker Syed Farook.
In a statement on Wednesday, the FBI’s Amy Hess, executive assistant director for science and technology, said that the agency considered whether to submit the crack to the Vulnerabilities Equities Process (VEP), an interagency process that determines whether a government agency should let a software or hardware vendor know about a vulnerability, but ultimately decided against it.
“The FBI assesses that it cannot submit the method to the VEP,” Hess said in a statement. “The FBI purchased the method from an outside party so that we could unlock the San Bernardino device. We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process.”
In essence, the FBI has determined that until it understands more about the technical function that allowed it to crack Farook’s iPhone, it can’t provide insight into the vulnerability to Apple.
“The VEP is a disciplined, rigorous and high-level interagency decision-making process for vulnerability disclosure that helps to ensure that all of the pros and cons of disclosing or not disclosing a vulnerability are properly considered and weighed,” Hess said. “By necessity, that process requires significant technical insight into a vulnerability. The VEP cannot perform its function without sufficient detail about the nature and extent of a vulnerability.”
The FBI’s decision comes a day after a report surfaced saying that the FBI would not disclose how it cracked Farook’s iPhone. The Wall Street Journal reported yesterday, citing sources, that providing the tool to the VEP would be fruitless, since the FBI itself doesn’t really know how the hack works and why it was able to unlock the iPhone 5c without Apple’s help.
The move comes amid controversy over whether Apple should be notified about the hack. For a period of approximately two months between the tragic shooting in December and when the Justice Department filed a request with a U.S. magistrate judge asking that Apple help the FBI unlock Farook’s iPhone, no one in the U.S. government was able to find a way in. Apple was compelled by the judge to build software that would ultimately allow the FBI to access the device. Apple declined the request and vowed to go to the U.S. Supreme Court to support digital rights, if required.
However, in March, the FBI said that it had obtained a tool from an unidentified third party that allowed it access to the device. The Justice Department subsequently dropped its case against Apple, leaving everyone wondering how it cracked the device without Apple’s help.
Since then, reports have been flying fast and furious about the tool used to crack the device. FBI Director James Comey last week revealed that the agency paid “a lot” for the tool, adding that it paid more than $1.34 million.
However, according to Comey, the tool is limited in its ability and can only unlock an iPhone 5c, like the one used by Farook.
“This doesn’t work on [an iPhone] 6s, doesn’t work in a 5s, and so we have a tool that works on a narrow slice of phones,” Comey said during a question-and-answer session with students and professors at Ohio’s Kenyon College earlier this month.
Comey’s comments at the college also spawned debate over whether the FBI would (and should) provide information about the vulnerability to Apple. In his comments at the school, Comey signaled that while he was debating the issue, he might not be so willing to play ball.
“We tell Apple, then they’re going to fix it, then we’re back where we started from,” he said. “We may end up there, we just haven’t decided yet.”
The issue of whether the government should provide details on a vulnerability to a company is one that has been debated between law enforcement and digital rights activists for years. Digital rights activists, like the Electronic Frontier Foundation, have argued that the U.S. government must provide details on a vulnerability, since allowing an exploit to live in the wild could put users at undue risk. The government’s VEP, however, is used to determine whether disclosing vulnerabilities could ultimately hurt its law enforcement efforts.
And at least for now, VEP won’t get a chance to make a determination on Farook’s iPhone.
Apple did not immediately respond to a request for comment.