The FBI has so far been ambivalent about whether or not it will reveal to Apple the method used to access the San Bernardino iPhone, but a Reuters report suggests that the agency may not even know the method – or have the legal right to disclose it if it does.
The Washington Post reported yesterday that it was freelance hackers, and not Cellebrite, who sold the FBI the tool used to access the phone. But the group may not have revealed the vulnerability on which it was based, and the government process that decides which vulnerabilities to share with companies does not apply in this case …
The company that helped the FBI unlock a San Bernardino shooter’s iPhone to get data has sole legal ownership of the method, making it highly unlikely the technique will be disclosed by the government to Apple or any other entity, Obama administration sources said this week.
The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public. But it is not set up to handle or reveal flaws that are discovered and owned by private companies, the sources said.
Normally when the government discovers a vulnerability in a piece of technology, it goes through what’s known as the Vulnerabilities Equities Process – essentially deciding whether the public interest is better served by disclosing the flaw so that it can be fixed, or keeping it secret so that the government can take advantage of it. But that process is not currently triggered when a vulnerability is discovered by someone other than the government.
Rob Knake, who managed the White House process before leaving last year, told Reuters that the FBI was probably told just enough information to confirm the validity of the technique. In a court case, defence lawyers would have the right to question the FBI about that method, but with both San Bernardino shooters dead, there will be no trial in this case.
The anonymous sources cited by Reuters don’t shed any light on whether it was freelance hackers or Cellebrite which provided the tool, stating only that it was ‘supplied by a non-U.S. company’ – which could easily have been formed by freelance hackers to sell their wares.
The whole exercise is, though, looking increasingly certain to have been for nothing. CBS reported yesterday that nothing of “real significance” had been found on the phone.