FBI Spent $1.3 Million To Not Even Learn The Details Of The iPhone Hack… So Now It Says It Can't Tell Apple (original) (raw)

from the wtf dept

Once the DOJ told the court in San Bernardino that it had succeeded in hacking into the iPhone of Syed Farook, the big question people asked is whether or not the FBI would then tell Apple about the vulnerability. After all, the administration set up the so-called “Vulnerabilities Equities Policy” (VEP) with the idea of sharing most vulnerabilities it discovers with companies. The White House directly stated:

One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest. This has been and continues to be the case.

This spring, we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities ? so that everyone can have confidence in the integrity of the process we use to make these decisions. We rely on the Internet and connected systems for much of our daily lives. Our economy would not function without them. Our ability to project power abroad would be crippled if we could not depend on them. For these reasons, disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than everyone else.

Of course, there’s a big “but” there — and it’s that there’s an “exception” for law enforcement. Last fall, after (yet another) big legal fight, the good folks over at the EFF finally got access to the VEP details and you can now read a (heavily redacted) version.

Still, one could make a strong case that this vulnerability should be disclosed… even if almost no one expected it to be. Amusingly, just a few days ago, Apple revealed that the FBI used the VEP to disclose a vulnerability for the very first time, on April 14th, just as everyone was arguing about this. Of course, the flaw it revealed was not about hacking into the iPhone, and was actually about a flaw that Apple had discovered and fixed… nine months ago. But, again, if this is the very first time the FBI has disclosed something to Apple, it certainly suggests that the VEP process generally means nothing gets disclosed. In fact, the timing of this really suggests that someone in the DOJ recently flipped out and realized that there’s now going to be scrutiny on the VEP, so they might as well disclose something. Thus, they found an old bug that had already been patched and “revealed” it.

Either way, things got stranger a couple of days later, when the FBI — which had already admitted to paying over $1 million to access Farook’s iPhone, said that, for all that money, the people it hired never explained the vulnerability. They just opened the phone. Really.

?The F.B.I. purchased the method from an outside party so that we could unlock the San Bernardino device,? Amy S. Hess, executive assistant director for science and technology, said in a statement.

?We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review? by the White House examiners, she said.

Now, some are arguing that this suggests absolutely terrible bargaining on the side of the DOJ/FBI. But, another interpretation is that it’s how the DOJ knew that it wouldn’t have to reveal the flaw to Apple. Of course, this might also explain why the DOJ at one point appeared to claim that the hack in question only worked for Farook’s phone. They later claimed that was a misstatement, and it really meant that it only applied to that iPhone configuration. But, if the FBI never actually got the details, then in some sense they’d be right that for the FBI the crack only worked for that one phone. And if they wanted to do it on another phone, they’d have to shell out another ~$1 million or so…

Filed Under: doj, encryption, fbi, going dark, vep, vulnerabilities, vulnerabilities equity policy
Companies: apple