Apple unlikely to learn details of San Bernardino iPhone exploit

By Mikey Campbell

Apple, in an effort to protect customers against a heretofore unknown iPhone vulnerability, has sought information regarding a working encryption exploit used by the Justice Department in its investigation into the San Bernardino terror attacks. A new report, however, suggests the passcode bypass technique will likely remain secret.

Citing sources within the Obama administration, Reuters reports the foreign company that helped investigators break into an iPhone used by terror suspect Syed Rizwan Farook maintains sole legal ownership of the undisclosed exploit, meaning it is highly unlikely that Apple will learn of the method.

According to the report a White House procedure for assessing which digital security flaws should be aired in public, and which should remain secret, is not designed to handle vulnerabilities discovered and owned by private companies. Dubbed the Vulnerabilities Equities Process, the system was put in place to foster inter-agency discussion about discovered technology flaws. Specifically, the process weighs the benefits of publicly announcing a flaw that could otherwise be kept secret and subsequently used for surveillance operations or digital evidence gathering.

The iPhone exploit used to successfully access Farook's iPhone cannot be debated without consent from its owner, sources said. Further, former VEP manager Rob Knake and other government sources believe it unlikely that the FBI itself knows exactly how the method works.

A federal magistrate judge in February ordered Apple to assist the FBI in accessing Farook's device, but the company refused. The ensuing court battle sparked contentious debate over the intersection of national security and privacy, with critics saying the government's request was illegal and constituted overreach. Arguments for both sides were rendered moot after an outside party presented officials with an effective iPhone workaround last month.

Contrary to today's report, sources told The Washington Post that the FBI hack came courtesy of a shadowy group of hackers, who sold the vulnerability to investigators for a one-time fee. That information was then used to build custom hardware capable of extracting data off the target device. Whether the security researchers who made the discovery retain ownership in such a scenario is unknown.

For its part, Apple said it will not sue the FBI for information about its workaround, noting the flaw will soon be obsolete. Apple is continually working on stronger encryption methods with each successive iOS iteration and hardware refresh, while FBI Director James Comey recently went on record as saying his agency's exploit only works on iPhone 5c handsets and older.