The FBI isn't going to share the hack it bought to get into Syed Farook's iPhone with Apple, which means the law enforcement agency is intentionally withholding a 0-day exploit that could potentially be discovered by other parties and used before a patch is released. The reasoning behind the decision is that the FBI doesn't know how the hack works, and therefore complying with the White House Vulnerabilities Equities Process (VEP) wouldn't reveal any useful information.
FBI executive assistant director for science and technology Amy Hess told Bloomberg,
The FBI assesses that it cannot submit the method to the VEP. We do not have enough technical information about any vulnerability that would permit any meaningful review.
The VEP dates back to 2010 and is a system for deciding when government-known security exploits must be divulged to software and hardware makers. The system assumes government agencies will actually submit the exploits for review, which the FBI seems to think it doesn't need to do in this case.
The hack was bought from an unidentified third party to get into the the iPhone 5c recovered from Mr. Farook after he was killed in a shootout with police last December. Mr. Farook and his wife Tashfeen Malik opened fire on their San Bernardino County co-workers earlier in the day, killing 14 and injuring 22 others.
FBI to Apple: No iPhone hack for you
Mr. Farook had been issued the phone by the county, although no one knew the passcode to unlock the device. The FBI and Department of Justice considered its encrypted contents so critical they obtained an unprecedented court order compelling Apple to create a version of iOS without the security features preventing passcode brute force attacks.
Apple had been helping the FBI before the court order was issued and handed over the most current iCloud backups, but investigators said they still needed to see the encrypted contents of the phone. Apple said it didn't have the ability to unlock the device or bypass the encryption, hence the FBI's court order.
Apple said the order fell outside the government's authority and posed a serious risk to privacy and encryption. The company also said complying would set a precedent where law enforcement could demand other companies do the same, and opened the door for government mandated surveillance tools embedded in mobile devices.
The FBI and Apple were set to appear in court and defend their positions, but only hours ahead of the scheduled time, FBI agents withdrew the order saying they had a way to hack into the iPhone.
Next up: The FBI's expensive black box