In a statement, Amy Hess, assistant director for science and technology, said the FBI will not submit technical details to the Vulnerabilities Equities Process (VEP), a policy that permits government agencies to disclose acquired software vulnerabilities to vendors.
Hess said that the FBI does not have enough information about the vulnerability to put it through the VEP.
"The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," Hess said. "We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process."
Last month, after weeks of wrangling with Apple -- which balked at a court order compelling it to assist the FBI in unlocking the iPhone 5C used by Syed Rizwan Farook -- the agency announced it had found a way to access the device without Apple's help. Farook, along with his wife, Tashfeen Malik, killed 14 in San Bernardino, Calif., on Dec. 2, 2015. The two died in a shootout with police later that day. Authorities quickly called it a terrorist attack.
The FBI has said very little about the method, which it said came from outside the government. Although many security experts had argued that the agency could unlock the iPhone by using numerous copies of the iPhone's storage contents to input possible passcodes until the correct one was found, some subsequently said an undisclosed iOS vulnerability was what the FBI acquired.
Hess acknowledged that the FBI leans toward secrecy about what security vulnerabilities it acquires and how they work. "We generally do not comment on whether a particular vulnerability was brought before the interagency and the results of any such deliberation," Hess said. "We recognize, however, the extraordinary nature of this particular case, the intense public interest in it, and the fact that the FBI already has disclosed publicly the existence of the method."
Under VEP, federal agencies like the FBI and the National Security Agency (NSA) submit vulnerabilities to a review panel, which then decides whether the flaws should be passed along to the vendor for patching. While VEP's existence had been suspected for some time, it was only last November that the government released a redacted version of the written policy.
There is a thriving market for undocumented vulnerabilities, which are found or purchased by brokers, who then sell them to government agencies around the world, including U.S. authorities, for use against targeted individuals' computers and smartphones.
Hess's explanation of why the FBI would not submit the iPhone vulnerability to VEP signaled that the seller retained rights to the bug, almost certainly so it could sell the flaw again elsewhere. If the FBI had put the vulnerability through VEP, and Apple eventually was told, the company would then have patched the bug, preventing the broker from reselling it to others, or at a minimum greatly reducing its value.
One security expert called the FBI's decision to use the tool "reckless" because the agency had no idea how it worked.
"This should be taken as an act of recklessness by the FBI with regards to the Syed Farook case," said Jonathan Zdziarski, a noted iPhone forensics and security expert, in a Tuesday post to his personal blog. "The FBI apparently allowed an undocumented tool to run on a piece of high profile, terrorism-related evidence without having adequate knowledge of the specific function or the forensic soundness of the tool."
Zdziarski, one of the many security professionals who criticized the FBI's attempt to coerce Apple into unlocking Farook's phone, said the agency's ignorance about the tool threatened any legal case that might stem from the tool's use.
"The FBI has offered this tool to other law enforcement agencies that need it," Zdziarski wrote. "So the FBI is endorsing the use of an untested tool that they have no idea how it works, for every kind of case that could go through our court system. A tool that was also only tested, if at all, for one very specific case now [is] being used on a very broad set of types of data and evidence, which it could easily damage, alter, or -- more likely -- see thrown out of cases as soon as it's challenged."