Apple wants the FBI to reveal how it hacked the San Bernardino killer’s iPhone – Los Angeles Times

Apple Inc. refused to give the FBI software the agency desperately wanted. Now Apple is the one that needs the FBI’s assistance.

The FBI announced Monday that it managed to unlock an iPhone 5c belonging to one of the San Bernardino shooters without the help of Apple. And the agency has shown no interest in telling Apple how it skirted the phone’s security features, leaving the tech giant guessing about a vulnerability that could compromise millions of devices.

“One way or another, Apple needs to figure out the details,” said Justin Olsson, product counsel at security software maker AVG Technologies. “The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices.”

But that’s not how it’s playing out so far. The situation illuminates a process that usually takes place in secret: Governments regularly develop or purchase hacking techniques for law enforcement and counterterrorism efforts, and put them to use without telling affected companies.

What’s different in this case is that the world has been watching from the start. After Syed Rizwan Farook and his wife killed 14 people in December, the government publicly sought a court order to compel Apple to unlock Farook’s work phone. Apple opposed that order, heightening long-standing tensions between Silicon Valley and law enforcement.

Now that the FBI has dropped its case against Apple, there’s a new ethical dilemma: Should tech companies be made aware of flaws in their products, or should law enforcement be able to deploy those bugs as crime-fighting tools?

It’s unclear whether the FBI’s hacking technique will work on other versions of the iPhone, though a law enforcement official who spoke on the condition of anonymity said its applications were limited.

Some news outlets citing anonymous sources have identified Israeli police technology maker Cellebrite as the undisclosed third party helping the government, but neither the company nor the FBI has confirmed those reports.

A source who is unauthorized to discuss the case told The Times the FBI was provided with the ability to incorrectly guess more than 10 passwords without permanently rendering the phone’s data inaccessible. That allowed the agency to use software to run through potential pass codes until it landed on the correct one. It is not clear what info, if any, was gleaned from the phone.

Attorneys for Apple are researching legal tactics to compel the government to turn over the specifics, but the company had no update on its progress Tuesday.

The FBI could argue that the most crucial information is part of a nondisclosure agreement, solely in the hands of the outside party that assisted the agency, or cannot be released until the investigation is complete.

Many experts agree that the government faces no obvious legal obligation to provide information to Apple. But authorities, like professional security researchers, have recognized that a world in which computers are crucial in commerce and communications shouldn’t be riddled with technical security flaws.

SIGN UP for the free California Inc. business newsletter >>

Even the White House’s cybersecurity coordinator has acknowledged there are times when more people could be harmed by an unfixed security issue than helped by the government covertly using the loophole as part of an investigation.

A secretive White House-led procedure governs whether companies get notified of potential flaws.

Officials involved in the multi-agency deliberations — called the Vulnerabilities Equities Process — consider the risks and rewards of keeping flaws secret, according to federal records. They weigh whether the government could get the information in some other way and how likely it is someone else will discover the same vulnerability.

Federal officials have maintained that they lean toward private disclosure of a newly discovered vulnerability in the majority of cases.


Write a Reply or Comment:

Your email address will not be published.*