https://www.washingtonpost.com/world/national-security/fbi-wont-reveal-method-for-cracking-san-bernardino-iphone/2016/04/26/d6d66126-0bc3-11e6-bfa1-4efa856caf2a_story.html

FBI won't reveal method for cracking San Bernardino iPhone

By Ellen Nakashima

April 26, 2016

The FBI intends to tell the White House this week that its understanding of how a third party hacked the iPhone of a shooter in San Bernardino, Calif., is so limited that there's no point in undertaking a government review of whether the tool should be shared with Apple, officials said.

The decision, said officials familiar with the discussion who spoke on the condition of anonymity, ends several weeks of internal debate by bureau lawyers and technical experts about the FBI's obligation to disclose the method.

Last month, the FBI paid more than $1 million for a tool to crack an iPhone used by one of the shooters in California. But the contract did not include rights to the software flaws that went into the tool, officials said.

As a result, the bureau has a limited technical understanding of how the method worked, officials said.

On Tuesday, FBI Director James B. Comey acknowledged the internal debate.

"The threshold is: Are we aware of the vulnerability, or did we just buy a tool and don't have sufficient knowledge of the vulnerability that would implicate the process?" he said at a cyber conference at Georgetown University.

Comey was referring to a process, led by the White House, in which agencies such as the FBI, National Security Agency (NSA) and Homeland Security Department debate whether to disclose a computer software flaw discovered by the government to the software maker so the company can fix it.

Most flaws are disclosed, the White House has said. But some are kept secret so that the law enforcement or intelligence agency can use them in intelligence-gathering or criminal investigations.

The FBI's decision to not submit to a review of the method used in the San Bernardino case was first reported by the Wall Street Journal.

Some security experts said the bureau or the NSA could reverse-engineer the tool to gain information about the flaws. But the bureau was not likely to do so, several officials said.

"If what we have bought is a tool, and we've said that we won't reverse-engineer the tool such that you can figure out what vulnerability is used to make the tool work, then even if we wanted to disclose something, there's nothing we can disclose," one senior administration official said.

The FBI recovered the iPhone of Syed Rizwan Farook, one of the shooters in the December terrorist attack in San Bernardino, but could not access the data on it because it did not know Farook's passcode. In February, the Justice Department obtained a court order to force Apple to write software that would disable several phone security features so the FBI could try to crack the code.

Apple challenged the order, arguing that the court had no basis to issue it and that it would set a dangerous precedent. In late March, the FBI disclosed that a third party had come forward with a tool to help it gain access to the phone and so it no longer needed the court order to force Apple's assistance.

Security and privacy advocates then began to push the bureau to disclose to Apple the flaws on which the tool was based so the tech giant could repair them.

Last month, professional hackers or vulnerability researchers brought flaws they had found to a company whose name the FBI has not disclosed.

Apple has said it will not press for the vulnerabilities to be disclosed.

"We're confident that the vulnerability the government alleges to have found will have a short shelf life," a lawyer for Apple told reporters earlier this month. "In our normal process . . . we'll continue to improve the phones and at some point this fix will get implemented."