https://www.theguardian.com/technology/2016/apr/27/fbi-apple-iphone-secret-hack-san-bernardino

FBI confirms it won't tell Apple how it hacked San Bernardino shooter's iPhone

Bureau will not tell Apple about the security flaw it exploited [1] to break into the iPhone 5C, in part because it didn't buy the rights to the technical details

Danny Yadron in San Francisco

28 April 2016

When the FBI bought a hacking tool [2] to break into an iPhone, it wasn't sure what exactly it got for its $1.3m.

On Wednesday, the FBI confirmed it wouldn't tell Apple about the security flaw it exploited to break inside the iPhone 5C of San Bernardino gunman Syed Farook [3], in part because the bureau says it didn't buy the rights to the technical details of the hacking tool.

The unusual declaration likely will raise only more curiosity about the FBI's last-minute abandonment [4] of its high-stakes court battle with Apple, America's most valuable company. The day before the two were scheduled to face off in court over whether the government could force Apple to unlock the phone, the government announced it had purchased a special hacking method and no longer needed Apple's help.

The FBI has since offered few details about the hacking tool. They disclosed that it came from outside the government. It cost more than FBI director James Comey will be paid during the rest of his tenure (about $1.3m). And it only works on an iPhone 5C.

America's three-letter agencies regularly purchase security flaws in consumer software from hackers, defense contractors and researchers. These flaws are kept secret, then used to hack into suspects' or intelligence targets' devices. The practice is controversial because it requires hiding the security flaws from the public, leaving consumers vulnerable to malicious hackers if someone else discovers the same flaw.

As a compromise, the White House in 2014 announced a review board that would look at the severity of such software flaws government investigators wanted to keep secret. The importance of the investigation, in theory, would be weighed against the public security interest in patching the flaw.

Computer security advocates had been pressuring the FBI to submit its iPhone hacking tool to this review board. On Wednesday, following a report in the Wall Street Journal, [5] the bureau confirmed it wouldn't do this because it couldn't.

"Currently we do not have enough technical information about any vulnerability that would permit any meaningful review," said Amy Hess, the FBI's executive assistant director for science and technology.

[1] https://www.theguardian.com/technology/2016/apr/13/fbi-reportedly-paid-professional-hackers-gain-access-san-bernardino-iphone

[2] https://www.theguardian.com/technology/2016/apr/21/fbi-apple-iphone-hack-san-bernardino-price-paid

[3] https://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple

[4] https://www.theguardian.com/technology/2016/mar/28/apple-fbi-case-dropped-san-bernardino-iphone

[5] http://www.wsj.com/articles/fbi-plans-to-keep-apple-iphone-hacking-method-secret-sources-say-1461694735