FBI still deciding whether to allow review of San Bernardino iPhone exploit

By Roger Fingas

The FBI has yet to decide whether an exploit used to crack the iPhone of San Bernardino shooter Syed Rizwan Farook will even be reviewed for possible disclosure, agency director James Comey said on Tuesday.

The agency is "in the midst of trying to sort that out," Comey told the audience at an event hosted by Georgetown University, Reuters reported. There is a White House group that reviews flaws discovered by the U.S. government and decides whether they should be shared with the public, but Comey suggested that the exploit used on Farook's phone might not qualify.

"The threshold is, are we aware of the vulnerability," Comey explained, "or did we just buy a tool and don't have sufficient knowledge of the vulnerability to implicate the process?"

The problem is that the FBI obtained help from a third party, paying over $1.34 million for it. That party has so far been kept secret, though reports have suggested it was either a hacker group or a dedicated forensics firm, Cellebrite.

In the latter case, Cellebrite may have simply provided its software and/or equipment, leaving the FBI ignorant of the actual vulnerability involved. If the agency paid for information, it would be aware of the exploit and possibly in a position to share details. Any use of proprietary private technology would likely force the FBI and/or the White House to keep things secret.

Apple has previously asked for the exploit's details, concerned about potential ways around its security. The technique is not believed to work on more recent iOS devices with Touch ID, however.