The Federal Bureau of Investigation (FBI) confirmed Wednesday that it will not tell Apple how the agency hacked an iPhone used by one of the San Bernardino terrorists.
In a statement, Amy Hess, assistant director for science and technology, said the FBI will not submit technical details to the Vulnerabilities Equities Process (VEP), the interagency policy under which the government decides whether a software vulnerability it has acquired should be disclosed to the vendor or retained for its own use.
Hess said that the FBI does not have enough information about the vulnerability to put it through the VEP.
"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," Hess said. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process."
Last month, after weeks of wrangling with Apple -- which balked at a court order compelling it to assist the FBI in unlocking the iPhone 5C used by Syed Rizwan Farook -- the agency announced it had found a way to access the device without Apple's help. Farook, along with his wife, Tashfeen Malik, killed 14 in San Bernardino, Calif., on Dec. 2, 2015. The two died in a shootout with police later that day. Authorities quickly called it a terrorist attack.
The FBI has said very little about the method, which it said came from outside the government. Although many security experts had argued that the agency could unlock the iPhone by cloning its flash storage and restoring the copy after each batch of wrong guesses (so-called NAND mirroring, which resets the failed-attempt counter and so sidesteps the escalating delays and auto-erase) until the correct passcode was found, some subsequently said an undisclosed iOS vulnerability was what the FBI acquired.
Hess acknowledged that the FBI leans toward secrecy about what security vulnerabilities it acquires and how they work. "We generally do not comment on whether a particular vulnerability was brought before the interagency and the results of any such deliberation," Hess said. "We recognize, however, the extraordinary nature of this particular case, the intense public interest in it, and the fact that the FBI already has disclosed publicly the existence of the method."
Under VEP, federal agencies like the FBI and the National Security Agency (NSA) submit vulnerabilities to a review panel, which then decides whether the flaws should be passed along to the vendor for patching. While VEP's existence had been suspected for some time, it was only last November that the government released a redacted version of the written policy.
There is a thriving market for undisclosed ("zero-day") vulnerabilities, which are found or purchased by brokers, who then sell them to government agencies around the world, including U.S. authorities, for use against targeted individuals' computers and smartphones.