FBI unlikely to reveal its San Bernardino iPhone-hacking method to Apple

The FBI has reportedly spent $1.3bn to hack the San Bernardino terrorist's iPhone Timothy A. Clary/AFP/Getty Images

The FBI does not plan to reveal its method used to crack the San Bernardino terrorist's iPhone, The Wall Street Journal has reported, citing sources familiar with the matter. The agency plans to tell the White House that since it "knows so little" about the method, it seems unnecessary to submit it for an internal government review, the report said.

The FBI and Apple have been engaged in a legal stand-off for months now, after the federal agency slapped a court order on the Cupertino company, compelling it to create a backdoor tool to access the iPhone of San Bernardino shooter Syed Farook. Apple challenged the order, arguing it would set a dangerous precedent in the trade-off between privacy and national security. The FBI has since dropped the suit after spending $1.3mn (£900,000) on a mysterious third-party hack to access the iPhone 5.

"The people we bought this from, I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it, and their motivations align with ours," FBI director James Comey said during a speech at Kenyon College in Ohio earlier in April.

So far, the FBI has refused to share details about the backdoor tool with Apple, except that it does not work on the iPhone 5S or newer models.

The White House's internal review panel, the Vulnerabilities Equities Process, decides whether newly-discovered software and hardware vulnerabilities should be revealed to companies and the public so they can be patched.

The review panel that involves a number of government entities, including the FBI, National Security Agency (NSA) and Homeland Security Department, bases its decision on several factors, including the number of people likely to be affected by the vulnerability, the likelihood that the hole will be exploited by malicious hackers and the value to national security and law enforcement officials to keep the tool a secret.

Although White House officials said the process does lean towards disclosing these vulnerabilities so they can be fixed, some privacy groups argue that the system is actually weighted towards national security and law enforcement, allowing them to exploit these vulnerabilities in future investigations.

At a cybersecurity event at Georgetown University on Tuesday, Comey hinted that despite paying a steep price for the hacking tool, the bureau may not know enough technical details about how it works to begin the review process.

"We are in the midst of trying to sort that out, and that involves answering a key question which is, what we know about the vulnerability, and, given that, is the process implicated?" Comey said. "That's something we've been sorting out the past couple of weeks. We're close to a resolution that I'm not ready to make news with yet."

According to Christopher Soghoian, chief technologist at the American Civil Liberties Union, the FBI's decision to avoid sharing details of the hack highlights the fact that the government process to review software vulnerabilities "is riddled with loopholes".

"If the government can circumvent the process merely by buying vulnerabilities, then the process becomes a farce,'' Soghoian told the Journal. "The FBI is not interested in cybersecurity.''

The Journal also reports that the Justice Department recently notified Apple about another software vulnerability but the tech giant already made a fix — marking the first time the government has disclosed a glitch to Apple.

Earlier in April, an Apple attorney said the company would not sue the government to reveal details about the San Bernardino iPhone hack. The lawyer said the company is confident that the newly-discovered vulnerability will have a short shelf life as the company continues to improve the security of its products.