FBI Says Its Hands Are Tied on Revealing iPhone Crack Details


ManageEngine OpManager, a powerful NMS for monitoring your network, physical & virtual (VMware/ HyperV) servers & other IT devices. Deploy and start monitoring in less than an hour. Trusted by over a million admins world-wide. Try it for free.

The FBI on Wednesday confirmed its decision not to inform Apple of how it hacked into the encrypted iPhone used in last December's San Bernardino terrorist attack.

The bureau was investigating the possibility that deceased shooters Syed Farook, who used the iPhone, and his wife may have had links to other terrorist plots. It also was searching for evidence tying the two to ISIS. After Apple refused to provide a backdoor entry into the encrypted smartphone, the FBI penetrated it with the help of an outside organization.

The bureau then considered whether to submit details on how it accessed the phone's data to the Vulnerabilities Equities Process, according to Amy S. Hess, executive assistant director for science and technology at the FBI.

"The VEP is a disciplined, rigorous and high level interagency decision making process for vulnerability disclosure that helps to ensure that all the pros and cons of disclosing or not disclosing a vulnerability are properly considered and weighed," Hesse said.

The "VEP cannot perform its function without significant detail about the nature and extent" of the vulnerability, she noted, and the FBI concluded that it could not submit the method to the VEP.

"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," Hesse explained. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate."

As a result, the FBI doesn't have enough technical information about any vulnerability "that would permit any meaningful review under the VEP process," she said.

The FBI does not normally comment on "whether any vulnerability was brought before the interagency and the results of any such deliberation," Hess added. However, due to the extraordinary level of interest in this case, plus the fact that the FBI publicly disclosed the existence of the method, the agency determined it was "appropriate to communicate with the interagency group, as well as the public about this important issue."

The FBI has advised the Equities Review Board, she said.

The ERB is a senior level group of department heads and agency representatives who decide whether to ratify lower-level decisions on whether to disclose vulnerabilities, according to the Electronic Frontier Foundation.

In testimony before a House Energy and Commerce Committee hearing last week, Hess said that the FBI should not have to rely on gray hats to help it access encrypted data.

The FBI is expected in the next few days to report to the White House the rationale behind not sharing the data with Apple.

Apple officials previously expressed an interest in finding out how the iPhone data was accessed. Although the company has cooperated in dozens of prior cases with the FBI and other law enforcement agencies, it refused the bureau's request to provide source code or other backdoor help that would enable it to break into the phone after the device accidentally was passcode-locked.

The VEP process arguably gives Apple the right to know exactly how the FBI accessed the iPhone's data.

"The VEP is by its own terms supposed to apply to any vulnerability that the federal government knows of, without regard to how it learned of the vulnerability," said Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation.

"The fact that this vulnerability won't be subjected to the VEP shows that the process is broken," he told the E-Commerce Times.

There doesn't appear to be a way for Apple to figure out on its own how the bureau was able to access the encrypted data.

"We're talking about vulnerability research, and it's very, very hard for researchers to independently find the same vulnerability without shared information," explained Christopher Budd, global threat communications manager at Trend Micro.

That said, it's likely that Apple and other tech firms will accelerate the development of new levels of encryption for their devices.

"I've said throughout that Apple would be making countermoves based on the information they've gotten out of this situation," Budd told the E-Commerce Times.

Apple did not respond to our request to comment for this story.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Amazon Starts Selling New $50 Echo Dot, White Echo Too

    This morning, Amazon unveiled a new Echo Dot that will cost you and I just $49.The company also announced a new white version of its speaker-equipped Amazon Echo that ships in a couple of weeks.
  • 5300c769af79e

    Time Warner Bets Heavily on Hulu

    With the new investment, Time Warner will join a joint venture that includes some of the nation's largest media companies, including The Walt Disney Co.The investment is part of Time Warner's strategy to make sure that its brands can reach viewers on a range of platforms and devices, and in bundles using traditional and new ecosystems, Time Warner CEO Jeffrey Bewkes said in a Wednesday conference call.
  • 5300c769af79e

    Report: Galaxy S8 to Come in Two Large Models, One With 6.2" Bezel-Less Display

    According to the latest report out of South Korea, the Galaxy S8 from Samsung will be made available in two display sizes; one with a 5.With the removal of the home button, it should be expected that we might see on-screen buttons, instead of Samsung’s long-standing capacitive keys.
  • 5300c769af79e

    Logitech POP Switch Starter Pack

    Logitech has taken that concept and turned it into an incredibly clever home automation device called the POP Home Switch.The POP Switch is a 2.