Hess's explanation of why the FBI would not submit the iPhone vulnerability to VEP signaled that the seller retained rights to the bug, almost certainly so it could sell the flaw again elsewhere. If the FBI had put the vulnerability through VEP, and Apple eventually was told, the company would then have patched the bug, preventing the broker from reselling it to others, or at a minimum greatly reducing its value.
One security expert called the FBI's decision to use the tool "reckless" because the agency had no idea how it worked.
"This should be taken as an act of recklessness by the FBI with regards to the Syed Farook case," said Jonathan Zdziarski, a noted iPhone forensics and security expert, in a Tuesday post to his personal blog. "The FBI apparently allowed an undocumented tool to run on a piece of high profile, terrorism-related evidence without having adequate knowledge of the specific function or the forensic soundness of the tool."
Zdziarski, one of the many security professionals who criticized the FBI's attempt to coerce Apple into unlocking Farook's phone, said the agency's ignorance about the tool threatened any legal case that might stem from the tool's use.
"The FBI has offered this tool to other law enforcement agencies that need it," Zdziarski wrote. "So the FBI is endorsing the use of an untested tool that they have no idea how it works, for every kind of case that could go through our court system. A tool that was also only tested, if at all, for one very specific case now [is] being used on a very broad set of types of data and evidence, which it could easily damage, alter, or -- more likely -- see thrown out of cases as soon as it's challenged."