FBI Director James B. Comey said Wednesday that the bureau did not purposely avoid a government process for determining whether it should share with Apple the way it cracked a terrorist's iPhone.
In March, the FBI purchased a tool that exploited an Apple software flaw to hack into the phone of one of the shooters in last year's attack in San Bernardino, California.
Many observers expected the bureau to submit the method to a relatively new government process for figuring out when to share software flaws with tech firms so they can be fixed. But the bureau told the White House last month that its understanding of how a third party hacked the phone was so limited that there was no point in undertaking a government review.
Comey said Wednesday that the bureau purchased only the tool, not the rights to the software flaw. The FBI, he said, was focused on getting into the phone.
"We did not in any form or fashion structure the transaction . . . with an eye toward avoiding" the government review, he said.
The FBI spent what Comey said was "a lot of money" to buy the tool from a company that specializes in such exploits. "We bought what was necessary to get into that phone, and we tried not to spend more money than we needed to spend," he said, suggesting that further information about the exact flaws being exploited would have cost more.
"It might cost you a whole lot of money. And if your interest is in investigating a particular terrorist attack and getting into a particular phone, I don't know why you would spend that dough," Comey said. The bureau spent in the high six figures, according to a person familiar with the matter. "In my view, it was well worth it," Comey said.
Comey's comments come a week after senior National Security Agency officials, in a meeting with privacy advocates and academics, described a different approach for how they handle software flaws.
When the agency buys hacking tools or exploits from third parties, "we try to avoid getting into situations where we don't know the underlying vulnerability" or security flaw, a senior NSA official said, according to several participants at an unusual five-hour meeting last Thursday to discuss security and privacy issues.
One NSA official said he "was not aware that not submitting was an option," according to Kevin Bankston, director of New America's Open Technology Institute and one of about a dozen civil-society leaders present. Under the meeting's ground rules, participants were allowed to relay comments but not to identify any speakers.
The NSA comments were welcomed by the advocates and academics, who were concerned that software flaws left unfixed can put users at risk of having their computers or phones hacked by criminals or foreign governments.
"It's heartening to hear that the NSA considers this vulnerability disclosure process to be a mandatory one in contrast to the FBI, which seems to view it as optional," Bankston said. "This seems to indicate a greater level of technical sophistication at the NSA as compared to the FBI when it comes to understanding the cyber-security risks of stockpiling the hacking tools that they buy."
The review process existed on paper for at least six years but didn't become a reality until spring 2014. In this process, agencies including the FBI, the Justice Department and the NSA weigh whether newly discovered software flaws should be disclosed to the software-maker, balancing the need to gather intelligence against the harm to users if the vulnerability is left unresolved.
In a statement, the FBI said the bureau's handling of the iPhone used by one of the San Bernardino terrorists "should not be interpreted as an indication of general FBI policy" regarding the government's review process, which the FBI says it supports.
Before the San Bernardino phone, officials in the White House-led group had never encountered a situation in which an agency such as the FBI had purchased a tool and not the rights to the technical vulnerability, said one senior administration official. "That was really the first time we'd ever seen that," said the official, who spoke on the condition of anonymity to discuss a mostly hidden process. "I suspect it won't be very common."
The official said there have been instances where a software flaw that's purchased - rather than discovered - by an agency is submitted for review.
For years, the NSA had its own process for deciding whether to disclose software flaws.
Richard "Dickie" George, who ran the process for 15 years until he retired in 2011, said that on average three or four flaws a year were withheld, usually because the software-maker had gone out of business. The agency typically disclosed about 300 a year directly to vendors, said George, who was technical director for information assurance. In general, he said, it took several months for a company to patch the flaw, during which time the agency could exploit it. In some cases, the agency waited as many as six months before disclosing to see whether the flaw would be useful to operators, he said.
Participants at last week's NSA gathering, sponsored by Carnegie Mellon University's Institute for Strategic Analysis, said they appreciated the agency's effort to engage.
Peter Margulies, another meeting participant and a law professor at Roger Williams University in Bristol, Rhode Island, said the NSA officials' remarks show the agency is "well aware" of how not reporting vulnerabilities to tech companies can leave "the Internet as a whole . . . more vulnerable."
But Faiza Patel, who co-directs the Brennan Center's Liberty and National Security Program, said it's tough to evaluate how well the process balances intelligence needs against Internet security because it "remains mostly secret."
On Wednesday, Comey also said that the bureau was working on a way to help state and local law enforcement agencies that might have similar phones they cannot unlock. The tool used in the San Bernardino case will work only on the iPhone 5c running iOS 9. The 5c is an older model, meaning there are fewer such phones out there, so the demand for the tool is likely to be low.
In fact, the bureau has about 500 phones it cannot unlock in criminal investigations and none, Comey said, are 5cs running iOS 9.
Last month, Apple for the first time received information about a software flaw from the FBI through the White House-led review process, as first reported by Reuters.
© 2016 The Washington Post