FBI's first vulnerability tip to Apple came on April 14 for already-patched flaw

Posted in General Discussion, edited April 2016
Apple on Tuesday said the FBI divulged its first vulnerability tip under a White House process for sharing digital security flaws with private corporations on April 14, but the information was useless as Apple had already patched the issue nine months earlier.




According to Apple, which relayed the development to Reuters, FBI officials said the Vulnerabilities Equities Process was to thank for the disclosure of a flaw affecting older iOS and OS X operating systems.

A procedure designed to foster high-level inter-agency discussion, the Vulnerabilities Equities Process covers the decision-making process behind airing digital security flaws to manufacturers. In particular, the system attempts to balance public safety and government surveillance assets; security holes revealed to manufacturers are likely to be patched, while those kept secret can be used in ongoing surveillance operations.

Earlier this month, sources within the Obama administration told Reuters that Apple was unlikely to learn of a successful exploit used to access an iPhone tied to San Bernardino terror suspect Syed Rizwan Farook. As it pertains to San Bernardino, the FBI's exploit cannot be debated under the White House process without consent from its owner, which, depending on the source, varies from an overseas security firm to a shadowy group of gray-hat hackers.

Despite the FBI's gesture, Apple believes VEP is less effective than the government claims, according to an unnamed Apple executive. Elaborating on the matter, the person said Apple was aware of the provided vulnerability more than nine months ago and released a fix in iOS 9 and Mac OS X El Capitan, making the "tip" virtually useless to the company.

Comments

  • Reply 1 of 10
    rob53 Posts: 3,251 member
    Does this surprise anyone? Who is Comey's supervisor? That person needs to have a good talk with Comey and the rest of the FBI about how to properly do their jobs. If I tried this kind of stupidity at my job, I either would have been fired or demoted. We had annual performance appraisals, I'd really like to see Comey's after this fiasco. There's no way he should keep his job.
  • Reply 2 of 10
    foggyhill Posts: 4,767 member
    That's what I always said, the exploit had already been patched.
    In case some unpatched exploit exists on any iPhone, keep your password at least 6 letter alpha,
    then it won't really matter anyway.
  • Reply 3 of 10
    Does anyone know the difference between the different types of hackers? I mean I've heard of white hat hackers, grey hat hackers, and I THINK I heard black hat hackers before. What's the difference?
  • Reply 4 of 10
    Does anyone know the difference between the different types of hackers? I mean I've heard of white hat hackers, grey hat hackers, and I THINK I heard black hat hackers before. What's the difference?
    In practice not too much - it's just a way of trying to ascribe motivation for good or evil.

    Black hats use the tools and techniques they develop to break into things for illegal purposes, typically fraud, and theft. They get paid either to attack, or profit off what they steal. They may sell tools and techniques to the highest bidder regardless of what they might use it for.

    White Hats use them to help people and companies secure their systems or fix vulnerabilities. They get paid to help people defend. I don't think anyone makes a living off bug bounties. Charlie Miller or Dino Dai Zovi would be a good example of a white hat in the iOS space.

    Grey hats, funnily enough, sit somewhere in the middle, either playing both sides, or selling exploits to third parties who may or may not then on-sell them to bad actors. Amoral may be the best descriptor.

    The labels don't really matter that much, as someone could be one hat one day, and a different hat the next.

  • Reply 5 of 10
    rezwits Posts: 879 member
    I told you :D, the FBI is a bunch of Windows using Apple haters!!!
  • Reply 6 of 10
    plovell Posts: 824 member
    rob53 said:
    Does this surprise anyone? Who is Comey's supervisor? That person needs to have a good talk with Comey and the rest of the FBI about how to properly do their jobs. If I tried this kind of stupidity at my job, I either would have been fired or demoted. We had annual performance appraisals, I'd really like to see Comey's after this fiasco. There's no way he should keep his job.
    Maybe. But he can't be fired. He can be impeached by Congress but he can't be fired because his position has a fixed ten-year tenure.
  • Reply 7 of 10
    spacekid Posts: 183 member
    rob53 said:
    Does this surprise anyone? Who is Comey's supervisor? That person needs to have a good talk with Comey and the rest of the FBI about how to properly do their jobs. If I tried this kind of stupidity at my job, I either would have been fired or demoted. We had annual performance appraisals, I'd really like to see Comey's after this fiasco. There's no way he should keep his job.
    Comey's supervisor is Attorney General Loretta Lynch. Seems this comment is just more of the wild hyperbole surrounding this issue. Do you know what the process is for releasing this information?

    I suspect, seeing as how bureaucratic government is, there are probably numerous reviews through various branches of government that a flaw like this has to go through before it could be released. And in all likelihood, beyond Comey's control.
  • Reply 8 of 10
    jpellino Posts: 700 member
    Wow. Thanks, Uncle Sam. By any chance is intelligence officer Col. Sam Flagg on this detail?
  • Reply 9 of 10
    JinTech Posts: 1,024 member
    So they can't tell Apple about the exploit because the "firm" who did the hack is a private company. And yet we taxpayers paid for this hack? And yet Apple, being a private company, was expected to fold on the demands and create a new version of their iOS?
  • Reply 10 of 10
    linkman Posts: 1,035 member
    Way to go! Thanks to Kafkaesque processes we get this and an 8+ year attempt to buy a handgun for the US military.