Law Enforcement

FBI will not share iPhone vulnerability in San Bernardino case

Shutterstock image: mobile device security, continuous monitoring concept.

The FBI has opted not to submit the method used to unlock the Apple iPhone of one of the San Bernardino, Calif., shooters to an interagency review process for disclosing software vulnerabilities.

Bureau officials said they did not know enough about the technical details of the vulnerability exploited by an unidentified third party to submit the flaw for a meaningful review.

The decision casts new light on a review process that government officials say is rigorous and weighted toward disclosure but critics contend is subject to manipulation based on agencies' self-interests.

The Vulnerabilities Equities Process, led by White House Cybersecurity Coordinator Michael Daniel, reviews the zero-day, or previously unknown, software flaws that agencies discover to determine whether it is in U.S. interests to disclose them -- so that companies can issue patches -- or hold onto them for intelligence gathering.

"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," said Amy Hess, the FBI's executive assistant director for science and technology, in a statement. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process."

FBI Director James Comey strongly hinted last week that the bureau paid more than $1 million to a contractor to unlock an iPhone 5c used by Syed Rizwan Farook. In December, Farook and his wife murdered 14 people in San Bernardino and were later killed by police.

As of mid-April, law enforcement officials had found nothing of significance on the phone after unlocking it, CBS News reported.

"Whatever vulnerability the FBI was able to exploit to access the San Bernardino shooter's phone can theoretically be used by criminals, hackers and any organization -- foreign or domestic -- to access other similar iPhones,” Rep. Ted Lieu (D-Calif.) said in a statement to FCW. "We are better off when encryption is stronger. That is why I believe the FBI should share the vulnerability with Apple so that it can be patched before any serious damage is done," he said.

Jason Healey, who was director for cyber infrastructure protection at the White House from 2003 to 2005, did not mince words when FCW asked for a reaction to the FBI's decision.

"It certainly seems possible, if not, likely, [that the] FBI arranged for this contract wording specifically to bypass" the disclosure process, said Healey, who is now a senior research scholar at Columbia University. "As such, they probably have tied the hands of the White House, specifically to subvert [President Barack Obama's] intent."

Obama has preferred that the administration generally disclose the software vulnerabilities it discovers, with a broad exception for those with a "clear national security or law enforcement need," the New York Times reported in April 2014.

Historically, the National Security Agency has revealed more than 91 percent of the vulnerabilities it has discovered, the agency said in a statement last year.

"It's a thoughtful discussion, trying to understand offensive capability but also understand the risk to the government in not disclosing that vulnerability," said Curt Dukes, head of NSA's Information Assurance Directorate, in a January interview with FCW.

NSA's Information Assurance and Signals Intelligence directorates try to agree on which vulnerabilities to disclose, but if they can't, NSA Director Adm. Michael Rogers makes the final decision, Dukes added.

The Apple/FBI standoff is the most high-profile case yet involving VEP, and security experts and privacy advocates are watching closely.

The FBI's decision not to submit the iPhone vulnerability to VEP "calls into serious question the White House's claim [that the process is] heavily weighted toward disclosure," said Kevin Bankston, director of New America's Open Technology Institute.

Hess said the FBI does not usually comment on whether a vulnerability is submitted to the interagency review process. However, bureau officials decided to break with convention due to "the extraordinary nature of this particular case" and the fact that the FBI had revealed publicly that it had exploited the vulnerability, she added.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.