Bad Move: FBI won’t Share San Bernardino iPhone Hack with Apple


The FBI isn't going to share the hack it bought to get into Syed Farook's iPhone with Apple, which means the law enforcement agency is intentionally withholding a 0-day exploit that could potentially be discovered by other parties and used before a patch is released. The reasoning behind the decision is that the FBI doesn't know how the hack works, and therefore complying with the White House Vulnerabilities Equities Process (VEP) wouldn't reveal any useful information.

FBI executive assistant director for science and technology Amy Hess told Bloomberg,

"The FBI assesses that it cannot submit the method to the VEP. We do not have enough technical information about any vulnerability that would permit any meaningful review."

The VEP dates back to 2010 and is a system for deciding when government-known security exploits must be divulged to software and hardware makers. The system assumes government agencies will actually submit the exploits for review, which the FBI seems to think it doesn't need to do in this case.

The hack was bought from an unidentified third party to get into the iPhone 5c recovered from Mr. Farook after he was killed in a shootout with police last December. Mr. Farook and his wife Tashfeen Malik opened fire on their San Bernardino County co-workers earlier in the day, killing 14 and injuring 22 others.

FBI to Apple: No iPhone hack for you

Mr. Farook had been issued the phone by the county, although no one knew the passcode to unlock the device. The FBI and Department of Justice considered its encrypted contents so critical they obtained an unprecedented court order compelling Apple to create a version of iOS without the security features preventing passcode brute force attacks.

Apple had been helping the FBI before the court order was issued and handed over the most current iCloud backups, but investigators said they still needed to see the encrypted contents of the phone. Apple said it didn't have the ability to unlock the device or bypass the encryption, hence the FBI's court order.

Apple said the order fell outside the government's authority and posed a serious risk to privacy and encryption. The company also said complying would set a precedent where law enforcement could demand other companies do the same, and open the door for government-mandated surveillance tools embedded in mobile devices.

The FBI and Apple were set to appear in court and defend their positions, but only hours ahead of the scheduled time, FBI agents withdrew the order saying they had a way to hack into the iPhone.




“... That didn’t pan out, but that’s not much of a consolation because instead we found the agency is willing to play fast and loose with electronic security and encryption, and at least in this case, with evidence, too.”

& also “... willing to play fast and loose with…” not telling outright total lies.


And because they found no evidence, none will be used in a court of law where they would be REQUIRED to reveal their method of obtaining the evidence.

Ta Da!!!!!


Not sure how relevant the hack was.

I have heard so much junk flying around the web.

1. the hack only works on the 5C or earlier models
2. the FBI was able to get into the phone, but then spilled a glass of water on everything and lost all relevant data
3. Israelis are behind the hack

etc, etc, etc…

Who really knows what to believe or even if there in fact is any hack.

At this point the FBI looks more like a fish on the end of a line waggling back and forth and trying to get off of the hook they bit into. It is sad, but they look less like a professional crime fighting organization and more like an episode of Get Smart.

A bit rudderless in forethought if you will and high on the blundering fool quotient.

Paul Goodwin

“The FBI assesses that it cannot submit the method to the VEP. We do not have enough technical information about any vulnerability that would permit any meaningful review.”

This is just total BS. They know exactly what the vulnerability is. They’re just deflecting and don’t want to set a precedent of turning over vulnerabilities that they think only they would know about. That’s where they’re being dumb. For probably a lot less than $1 million, someone else could figure it out. Someone probably already has but doesn’t want the world to know about it. This is where the FBI is hurting US security; as the former CIA director stated, the more secure the phones, the more secure the US is.

And the second part of that quote is just hogwash. They can’t have a review with Apple’s tech people because they don’t understand how the $1 million hack works? They know. The gov’t tracks and statuses the money spending down to fractions of a percent monthly, and at the lower levels where that’s done, the technical people provide the status data, and they know exactly what was done at very detailed levels of technical progress and dollars spent. The FBI is just leaving a security hole in millions of Americans’ phones. They mistakenly think they have something someone else doesn’t and can trace events back to suspects. The problem is that, (IMO) the probability is 100% that other governments either already have or will have it. Some of them allies, some not. That’s the flaw in the FBI’s stance on sitting with Apple and giving them what they need to plug the hole for all of us.
