FBI says San Bernardino iPhone hack won't be submitted to review group for possible disclosure
The FBI will not be submitting the exploit used to hack into the iPhone of San Bernardino shooter Syed Rizwan Farook to a review process that could clear it for sharing with outside parties, a report said on Wednesday.
When the FBI paid a third party to help unlock the phone, it didn't acquire the rights to the technical details involved in the process, said the FBI's executive assistant director for science and technology, Amy Hess, according to Reuters. As a result, Hess said the agency doesn't "have enough technical information about any vulnerability" that could be considered for release.
Just yesterday, FBI director James Comey said that the agency was still deciding whether it could submit the exploit. The review group, associated with the White House, exists to decide whether cybersecurity flaws uncovered by U.S. government agencies should be shared with entities like corporations or even other internal organizations.
Hess' statement may support one set of rumors pointing to the third party being a dedicated forensics firm, possibly Cellebrite. One report suggested it was a hacker group, in which case the FBI might simply have paid for knowledge of a zero-day exploit.
Apple has previously asked for details on the exploit, but today's decision likely means the information will remain secret, unless the company can devise a legal challenge.
Regardless, any threat to the public may be minimal. Farook owned an iPhone 5c, one of the last major iOS devices without Touch ID. Products with that technology are believed to be immune to the technique the FBI employed, thanks to their Secure Enclaves.
When the FBI paid a third party to help unlock the phone, it didn't acquire the rights to the technical details involved in the process, said the FBI's executive assistant director for science and technology, Amy Hess, according to Reuters. As a result, Hess said the agency doesn't "have enough technical information about any vulnerability" that could be considered for release.
Just yesterday, FBI director James Comey said that the agency was still deciding whether it could submit the exploit. The review group, associated with the White House, exists to decide whether cybersecurity flaws uncovered by U.S. government agencies should be shared with entities like corporations or even other internal organizations.
Hess' statement may support one set of rumors pointing to the third party being a dedicated forensics firm, possibly Cellebrite. One report suggested it was a hacker group, in which case the FBI might simply have paid for knowledge of a zero-day exploit.
Apple has previously asked for details on the exploit, but today's decision likely means the information will remain secret, unless the company can devise a legal challenge.
Regardless, any threat to the public may be minimal. Farook owned an iPhone 5c, one of the last major iOS devices without Touch ID. Products with that technology are believed to be immune to the technique the FBI employed, thanks to their Secure Enclaves.
Comments
"My Administration is committed to creating an unprecedented level of openness in Government. We will work together to ensure the public trust and establish a system of transparency, public participation, and collaboration. Openness will strengthen our democracy and promote efficiency and effectiveness in Government. ...Barack Obama"
You might not agree with things Obama has done but our government is supposed to be open. I know I used "supposed to" a whole lot but that's what's making me mad. The FBI is part of our government and they're hiding behind a technicality. I wonder is the FOI ACT allows someone to request a copy of the procurement order for the services the FBI paid way too money for.
As for the supposed terrorists in San Bernardino, the FBI stated (at least initially) that they were not part of a larger terrorist organization. In other words, they were simply a disgruntled employee who killed a lot of fellow employees. For the FBI to use the terrorist tag, which I believe Comey backtracked and ended up calling them terrorists so he could hide what he was doing, is simply a way to get around any demand by the President for openess.
"It does not appear the two perpetrators of Wednesday’s mass shooting in San Bernardino are part of an organized cell or part of a network, FBI director James Comey said at a news conference this afternoon.
“We are going through a very large volume of electronic evidence … these killers tried to destroy,” Comey said with Attorney General Loretta Lynch at his side. “There is a lot of evidence that doesn’t quite make sense,” he acknowledged. But “our investigation to date, so far we have no indication these killers are part of a larger organized group or part of a cell. There is no indication they are part of a network,” he maintained."
If you ever saw Amy Hess testify before congress, you might get the impression that she is a lying incompetent who compensates with a dour expression.
Absent the possibility that the FBI was looking for a way to get out of the pending unfavorable "non-precedential" ruling they were about to suffer in San Bernadino, and any related desperation they may have felt to do so, I don't think they would have spent that much money and not demanded all details. It just does not seem plausible.
So, you want to submit this as evidence, but you didn't collect it, you don't know how it was collected, and the third parties that unlocked it for you probably violated other laws in doing so.
We need a clear chain of custody for this evidence. This stuff is inadmissible without complete information as to how it was unlocked.