FBI Follows Apple's Example, Says It Doesn't Have iPhone Hack Info

By Wayne Rash  |  Posted 2016-04-27 Print this article Print
FBI iPhone Hack

"We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process," Hess' statement sad.

Normally the FBI doesn't comment on such things, Hess noted, but since Comey had discussed the issue in public and because it had such high visibility, she felt that some explanation was needed.

However, perhaps in an attempt to show the FBI still believes in the VEP process, the agency did tell Apple on April 14 that it had discovered a security bug in earlier versions of iOS that had been patched with iOS 9. A similar bug existed in OS X, which also has been patched. Apple, it seems, had already known about the bug before the FBI said anything.

So, while the FBI did in fact, use the VEP to alert Apple about a vulnerability, it came far too late for Apple to actually use it. Unfortunately, this is likely to remain a problem for the federal government because of the competing demands for vulnerability information.

On one hand, it's important to the government to make sure that U.S. interests are as safe as possible from exploitation by criminals or foreign actors.

However, the intelligence community uses those same vulnerabilities as part of its toolkit for fighting crime and for gathering information from unfriendly foreign powers. If the government tells the tech community about a vulnerability too soon, that vulnerability can't be used if the owner of the code promptly patches it.

You can see the obvious conflict. For the most part, the intelligence community is going to take advantage of software flaws as long as possible, which means that disclosing it will take some time.

While the tech industry should welcome any information it gets through the VEP—if only as confirmation that everything was found—it should not depend on it as any sort of early warning. That needs to come the same way it always has: through research and through user reports.

Apple, meanwhile, will have to find the particular vulnerability the old-fashioned way: It will have to hire the same company to reveal it. But considering what that company is being paid right now, you can assume the results will be very expensive and not very timely.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel