FBI may keep vulnerability it used to access iPhone under wraps
On Tuesday, the FBI chief told an audience at Georgetown University that the agency is close to deciding whether it will undergo an internal government review to determine whether to share the hacking method that was used to help the agency hack the iPhone 5C of Syed Farook, one of the perpetrators of the San Bernardino, California massacre that left 14 people dead.
“We are in the midst of trying to sort that out,” Comey said. “The threshold [for disclosure] is: are we aware of the vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability to implicate the process?”
The FBI originally tried to use the legal system to force Apple to help the agency create a “backdoor” into the killer’s phone. Tensions between the two parties flared, with the tech giant vowing to fight the order all the way to the Supreme Court and high-profile figures in Silicon Valley coming to their defense. The litigation came to an abrupt end when the FBI said that it had contracted a still-unidentified third party to access the smartphone.
Comey told the audience that investigations by FBI agents are becoming increasingly difficult because more and more suspects have been adopting security measures such as encryption. In some cases, hacking has allowed the agency to bypass such techniques.
However, the FBI chief said that relying on hacking won’t solve all of the agency’s investigatory problems.
“I don’t see us becoming a prolific hacker being the answer to our public safety problem,” Comey said, according to Foreign Policy.
“San Bernardino is a great example. We paid a ton of dough for the tool because it mattered so much for that investigation, but it works on a 5c running iOS 9 so it’s not scalable to other devices,” he said.
Comey, who had previously indicated that the hack cost the FBI at least $1 million, said that the agency does not want to find itself in an “arms race” with the security capabilities of every device that a suspect might use.
The White House has a set procedure for reviewing security flaws in information systems, which it calls a “vulnerabilities equities process,” to decide which ones should be made public, in order to help companies patch holes that could be exploited by malicious hackers.
Comey, however, suggested that the procedure may not apply in this situation, since the flaw was discovered by a private company, which could have intellectual property rights to the hacking method.