With Finality, F.B.I. Opts Not to Share iPhone-Unlocking Method

Chairs reserved for a Congressional hearing on encryption in March. It remains unknown how an outside group demonstrated to the F.B.I. how to unlock an iPhone.

WASHINGTON — The F.B.I. closed the door Wednesday to the possibility of giving Apple the technical solution that the government bought to unlock the iPhone used by one of the attackers in the mass shooting in San Bernardino, Calif.

The decision leaves Apple in the dark about the technical details of how the F.B.I. — with help from an unknown outside group that was apparently paid at least $1.3 million — managed to bypass the company’s vaunted encryption.

After two months of tense sparring over the San Bernardino iPhone, the government’s decision was a clear rebuke to Apple. Its chief executive, Timothy D. Cook, has declared publicly that the company should not have to develop new software so the F.B.I. can unlock its phones. The F.B.I. on Wednesday appeared eager to return the favor by refusing to divulge how it finally broke in.

The decision upset some technology industry executives, who said it appeared to run counter to the Obama administration’s promises to promote security and transparency in the nation’s technology operations.

Apple declined to comment on Wednesday.

F.B.I. officials maintained that what they bought from the outside company amounted only to a tool for getting into the phone, and not a blueprint exposing the actual security flaws in the device.

As a result, F.B.I. officials decided not to send the issue on to a special White House panel that reviews the question of whether software vulnerabilities discovered by American intelligence officials should be shared with the software designer to enhance security.

That review panel could have determined that the technical fix bought by the F.B.I. should be shared with Apple.

“The F.B.I. purchased the method from an outside party so that we could unlock the San Bernardino device,” said Amy S. Hess, executive assistant director for science and technology.

“We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review” by the White House examiners, she said.

Soon after the government said that a third party had successfully gotten data from the phone, after giving the F.B.I. a demonstration of its method in February, many security professionals were hopeful that the method would be made public.

“It’s the position of Obama administration that security flaws should be disclosed to the parties that can fix them,” said Denelle Dixon-Thayer, chief legal and business officer at Mozilla. She added that the fact that the F.B.I. did not take the necessary steps to understand how the outside group opened the phone shows that the review process over all needs to be more transparent.

The government’s decision simply to hire the locksmith and ignore how that lock was opened “creates a gap in the review process” that is “not transparent and has not been set in legislation,” she said.

The F.B.I.’s carefully worded statement reveals that law enforcement authorities have found a loophole in the vulnerability review process created by the administration— hire the hacker to extract the data, but be careful to not know how he got the job done.

“The F.B.I. is intentionally exploiting a known vulnerability and enabling people to profit off of it,” said Alex Rice, the chief technology officer at HackerOne, a security company in San Francisco that helps coordinate vulnerability disclosure for corporations. “The collateral damage done by this lack of transparency and the possible ongoing existence of the flaw is serious.”

The government’s claim that it does not have enough details to provide any information to the review process is not unusual. “Over the last 10 years as cellphones became more important to criminal investigations, law enforcement would hire digital forensics teams, would extract data for investigators without necessarily buying the capability to do it themselves,” said Ben Johnson, the co-founder of the security start-up Carbon Black.

The F.B.I. decided not to send the issue to the White House to review under a classified and little-known system known as the Vulnerabilities Equities Process.

There are often “legitimate pros and cons” in deciding whether a flaw should be disclosed to the designer, a senior official said in a 2014 White House blog post — one of the few times the review process has been publicly discussed.

Because the government relies on Internet security, wrote Michael Daniel, special assistant to the president on cybersecurity, “disclosing vulnerabilities usually makes sense. We need these systems to be secure as much as, if not more so, than anyone else.”

But Mr. Daniel acknowledged that the United States government could sometimes exploit the security flaws itself if it does not disclose them.

“Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” he said.

In Other News

© 2020 US News. All Rights Reserved.