The Federal Bureau of Investigation doesn’t plan to tell Apple Inc. how it cracked a San Bernardino, Calif., terrorist’s phone, said people familiar with the matter, leaving the company in the dark on a security vulnerability on some iPhone models.
The FBI knows how to use the phone-hacking tool it bought to open the iPhone 5c but doesn’t specifically knows how it works, allowing the tool to avoid a White House review, the people said, The FBI plans to notify the White House of this conclusion in the coming days, they added.
Any decision to not share details of the vulnerability with Apple is likely to anger privacy advocates who contend the FBI’s approach to encryption weakens data security for many smartphone and computer owners in order to preserve options for federal investigators to open locked devices.
Asked for comment Wednesday, an Apple spokesman referred to previous comments made by a lawyer for the company who said Apple was confident the vulnerability the FBI apparently found would have a short shelf life, and that the company would continue to make security improvements to its phones.
At issue is a hacking tool FBI Director James Comey has indicated cost the government more than $1 million and was used to open the locked iPhone of Syed Rizwan Farook. Mr. Farook and his wife killed 14 people and injured 22 others in a shooting rampage in San Bernardino, Calif., in December before they were killed by police
On Tuesday, Mr. Comey hinted at the FBI’s plans regarding the iPhone vulnerability at an appearance at Georgetown University. He suggested that despite paying a high price for the hacking tool, his agents may not know enough about how it works to begin the broader White House review that would determine if the security gap should be disclosed to Apple. Mr. Comey said the government was “close” to deciding whether to start that review process.
The key question, the director said, is whether the FBI is “aware of a vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability’’ to launch the White House Vulnerability Equities Process, the policy it uses to decide whether to disclose details of security flaws.
That process involves a number of government entities, including intelligence agencies, who review security vulnerabilities in software and then decide whether to alert the manufacturer or the public about the weakness. The panel’s decisions are based on such factors as the number of people who may be vulnerable; the likelihood of the vulnerability being exploited by malicious hackers; and the value to national security and law enforcement of keeping the security hole secret.
Obama administration officials have said the process leans toward disclosing vulnerabilities so they can be patched, but some privacy groups dispute that, saying the system is in fact weighted in favor of national security and law-enforcement officials who want to continue exploiting any software vulnerabilities for their investigations.
Christopher Soghoian, chief technologist at the American Civil Liberties Union, said the planned move by the FBI to avoid notifying Apple shows that the government process for reviewing software vulnerabilities “is riddled with loopholes.’’
“If the government can circumvent the process merely by buying vulnerabilities, then the process becomes a farce,’’ Mr. Soghoian said. “The FBI is not interested in cybersecurity.’’
Two weeks ago, the Justice Department notified Apple of a different, unrelated software vulnerability in iPhones and Mac computers, said people familiar with the discussions, but the company was already aware of the weakness and had deployed a fix last year. That marked the first, and so far only, instance in which the government has notified Apple of a security vulnerability, these people said.
In his appearance on Tuesday, Mr. Comey said the FBI is working to become “more predictive but less reactive’’ to hacking incidents—developing better relationships with victims and potential victims so that companies can beef up their security measures and be ready to respond quickly in the event of a hacking attack.