FBI Won’t Reveal Vulnerability that Unlocked iPhone

Although the White House has a policy to disclose some cyber vulnerabilities discovered by government agencies, the Federal Bureau of Investigation has indicated it will not reveal details about the security flaw that enabled it to unlock an iPhone connected to its investigation of a mass shooting in San Bernardino, Calif., in December.

According to "people familiar with the matter," the FBI will not provide Apple with details about the method it used, "leaving the company in the dark on a security vulnerability on some iPhone models," the Wall Street Journal reported yesterday. The paper also reported that the agency plans to inform the White House shortly that "it knows so little about the hacking tool . . . that it doesn't make sense to launch an internal government review" into whether Apple should be informed.

Many cybersecurity and privacy experts have since responded to that report with strong criticism of the FBI's stance. "How does the FBI get to decide whether or not their iPhone [zero]-day should be submitted to the multi-agency review?" Christopher Soghoian, principal technologist and a senior policy analyst with the ACLU Speech, Privacy and Technology Project, asked on Twitter.

Apple did not respond to our requests for comment today. However, through an FBI spokesperson, FBI executive assistant director for science and technology Amy Hess told us today by e-mail that the Vulnerabilities Equities Process (VEP) is a disciplined, rigorous and high-level interagency decision-making process for vulnerability disclosure.

"The FBI assesses that it cannot submit the method to the VEP. The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," Hess said through the spokesperson. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon...
