
Opinion: Why the FBI will eventually reveal its iPhone hack to Apple

Because of a two-year-old policy known as the Vulnerability Equities Process, the government may be compelled to disclose the flaw it is attempting to use for unlocking the San Bernardino shooter's iPhone. 

The new iPhone SE displayed at an Apple launch event at the company's Cupertino, Calif., headquarters. REUTERS/Stephen Lam


March 25, 2016

The FBI has hit the pause button in its battle royale with Apple over the iPhone used by San Bernardino, Calif., gunman Syed Rizwan Farook. In a twist to the intense legal drama, an unknown "third party" may have a way to hack the phone.

If it turns out the bureau can successfully crack the iPhone after all, will it reveal the software vulnerability to Apple?

It may seem unlikely. After all, why would the FBI buy such a capability only to give it up? There are no laws forcing its hand, and the FBI has no more commitment to Apple than other government organizations, like the National Security Agency, that collect arsenals of software vulnerabilities.

But based on a two-year-old policy, the FBI and Department of Justice are subject to what's known as the White House Vulnerability Equities Process, or VEP, which kicks in whenever an agency comes across "newly discovered" vulnerabilities, called zero-days.

The VEP is meant to be a "disciplined, rigorous, and high-level decisionmaking process" so that the National Security Council can balance the benefits to law enforcement or intelligence of using the bug against the broader security value of protecting industry and consumers.

According to the VEP policy document made available through a Freedom of Information Act request, the VEP "applies to all components, civilian and military personnel, and contractors of the United States government." The FBI can't find much of a loophole there.

Nor is there a loophole in arguing that the iPhone bug is somehow not "newly discovered." Even if the third-party hackers helping the FBI have known about it, it's new to the US government.

With everything we know about the Apple v. FBI iPhone battle, it is hard to see the White House letting the FBI off the hook very easily. That would set a dangerous precedent, giving the National Security Agency, CIA, and others more reasons to delay or obfuscate.


The VEP Equities Review Board, headed up by White House cybersecurity czar Michael Daniel, should make the call on whether, or when, to disclose the bug to Apple. Under that policy, the VEP Equities Review Board seeks to answer the following questions:

  1. How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?
  2. Does the vulnerability, if left unpatched, impose significant risk?
  3. How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  4. How likely is it that we would know if someone else was exploiting it?
  5. How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  6. Are there other ways we can get it?
  7. Could we utilize the vulnerability for a short period of time before we disclose it?
  8. How likely is it that someone else will discover the vulnerability?
  9. Can the vulnerability be patched or otherwise mitigated?

The answer to several of these questions, chiefly when it comes to the broader harm that could come from a flaw in the iPhone, seems to indicate the government would be driven to disclose the security hole to Apple. Unpatched iPhones pose a serious risk, allowing other nations or criminal groups to cause significant harm to consumers. Moreover, the bug won't stay secret for long, certainly not with the media attention on this single phone.

The FBI could try out the vulnerability to see if it unlocks the phone used by Mr. Farook, and potentially the other devices the FBI has said it wants to unlock, before revealing the flaw to Apple.

That's probably the fairest way to handle this particular vulnerability. The FBI probably won't like it. And Apple will discover a bug courtesy of the federal government, all the better since the company does not reward outside researchers who uncover its software flaws.

But even though the FBI may have to reveal the apparent gift from its "third party" helper, that doesn't mean the agency should stop seeking out zero-days for when it may need them again. Discovering new vulnerabilities for temporary use is how everyone, from hackers and security researchers to intelligence agencies, plays the game. If the FBI wants to join the field, it can't claim special privilege any more than the NSA can.

In short, if the FBI uses a zero-day to access the terrorist's iPhone, neither the bureau nor the US government as a whole is required to tell Apple how they did it. But if they follow the White House's own policy, it appears they should.

Jason Healey is senior research scholar at Columbia University's School of International and Public Affairs and senior fellow at the Atlantic Council. He began his career as a US Air Force signals intelligence officer in Alaska, at the NSA, and at the Pentagon. Follow him on Twitter.
