The FBI isn't going to share the hack it bought to get into Syed Farook's iPhone with Apple, which means the law enforcement agency is intentionally withholding a 0-day exploit that could potentially be discovered by other parties and used before a patch is released. The reasoning behind the decision is that the FBI doesn't know how the hack works, and therefore complying with the White House Vulnerabilities Equities Process (VEP) wouldn't reveal any useful information.
FBI executive assistant director for science and technology Amy Hess told Bloomberg,
The FBI assesses that it cannot submit the method to the VEP. We do not have enough technical information about any vulnerability that would permit any meaningful review.
The VEP dates back to 2010 and is a system for deciding when government-known security exploits must be divulged to software and hardware makers. The system assumes government agencies will actually submit the exploits for review, which the FBI seems to think it doesn't need to do in this case.
The hack was bought from an unidentified third party to get into the the iPhone 5c recovered from Mr. Farook after he was killed in a shootout with police last December. Mr. Farook and his wife Tashfeen Malik opened fire on their San Bernardino County co-workers earlier in the day, killing 14 and injuring 22 others.
FBI to Apple: No iPhone hack for you
Mr. Farook had been issued the phone by the county, although no one knew the passcode to unlock the device. The FBI and Department of Justice considered its encrypted contents so critical they obtained an unprecedented court order compelling Apple to create a version of iOS without the security features preventing passcode brute force attacks.
Apple had been helping the FBI before the court order was issued and handed over the most current iCloud backups, but investigators said they still needed to see the encrypted contents of the phone. Apple said it didn't have the ability to unlock the device or bypass the encryption, hence the FBI's court order.
Apple said the order fell outside the government's authority and posed a serious risk to privacy and encryption. The company also said complying would set a precedent where law enforcement could demand other companies do the same, and opened the door for government mandated surveillance tools embedded in mobile devices.
The FBI and Apple were set to appear in court and defend their positions, but only hours ahead of the scheduled time, FBI agents withdrew the order saying they had a way to hack into the iPhone.
Next up: The FBI's expensive black box
The FBI's expensive black box
Director James Comey implied the hack cost the FBI more than US$1 million, and the agency eventually confirmed there wasn't any information useful to the investigation tucked away in Mr. Farook's iPhone. The salt in the wound was San Bernardino police chief saying no one was expecting to get any leads from the device.
It seemed Director Comey wasn't interested in sharing the hack with Apple despite the fact that it's clearly an effective exploit on at least some iPhone models. He hinted earlier in April the FBI would rather hold on to the hack saying, "We tell Apple [how the hack works], then they're going to fix it, then we're back where we started from."
It turns out the FBI could—if they wanted—tell Apple what they did, but not how, since that big wad of tax payer money bought them a hack without the under-the-hood knowledge they'd need to explain what it's doing.
To be clear: They don't even know how it works.
The FBI spent over a million dollars on an iPhone hack for an incredibly high profile terrorist mass shooting, then exposed the phone—and any potential evidence it may have contained—they claimed was critical to the investigation, to potential damage or data loss without even knowing how it worked. At best that's incompetence, but more likely cavalier negligence and an intentional disregard for preserving evidence.
FBI's million dollar hack may not be useful in court
Had the contents of Mr. Farook's iPhone led to any arrests, the defense would've asked the court to exclude it, along with any evidence obtained as a result of what the FBI learned from the phone, and very likely the charges against the suspect. Without knowing how the hack works, the FBI can't demonstrate the evidence collected is accurate and unaltered, or even real.
In other words, using this tool destroys the FBI's credibility in court should it ever lead to an arrest and trial in the San Bernardino case, or any other investigation. Considering the number of criminal investigations and court room trials the FBI is involved in each year, it's safe to assume the agency understands the process for validating evidence collected through forensic instruments, which in this case, includes the million dollar iPhone hack.
A forensic instrument, whether it's a tool for hacking into an iPhone or a device for determining how much alcohol is in your blood stream, is subject to industry and peer analysis to verify its accuracy, and that it doesn't alter or destroy evidence. That's a critical component when entering evidence in court for a criminal prosecution.
Let's say the FBI discovered evidence on Mr. Farook's iPhone leading to other suspects and ultimately an arrest. The defense would demand access to the instruments the FBI used to gather the data stored on Mr. Farook's iPhone to independently test the validity of the information it revealed, and they would expect to be shown exactly how it worked—something the FBI can't do because the hack is, for practical purposes, a black box.
Without any way to validate the process or results, the defense would rightly demand the evidence from the iPhone be thrown out, along with any evidence later collected as a direct result of the phone's data. Since the FBI can't conclusively show the hack doesn't overwrite or alter memory contents on the iPhone, any evidence collected and used in a criminal investigation is questionable and will be contested.
Setting up a demonstration where the hack is used to extract data from several test iPhones wouldn't be enough to satisfy a shrewd defense team. The tests would show the FBI got the results they expected, not that they got unaltered and accurate data, nor would the demonstration show exactly how the hack and data extraction process works.
The FBI understands how the chain of evidence works, and even without knowledge of the hack's technical aspects, the agency is planning to use it on other iPhones in its custody and offering to unlock devices for other law enforcement agencies. That's potentially a long list of cases hinging on evidence collected through questionable means.
San Bernardino became a platform where the FBI hoped to set a precedent where companies could be forced to break through their own product security features. That didn't pan out, but that's not much of a consolation because instead we found the agency is willing to play fast and loose with electronic security and encryption, and at least in this case, with evidence, too.