On March 28th, the FBI bought a way to break into the iPhone at the center of the San Bernardino fight — and ever since, the tech world has been wondering what they'll do with the new bug. The White House maintains a process for disclosing any vulnerabilities that might post a threat to public safety, and you might think that a method for unlocking possibly stolen iPhones would qualify. But federal agencies are very good at circumventing that process (take this Firefox bug, for instance), and from the beginning the question wasn't whether the FBI would wriggle out of the process, but how.
Today, we got the explanation we've been waiting for: the bureau simply didn't pay for the right to do anything it might not want to do. "The FBI purchased the method from an outside party so that we could unlock the San Bernardino device," executive assistant director Amy Hess said in a statement obtained by The Daily Dot. "We did not, however, purchase the rights to technical details about how the method functions….As a result, currently we do not have enough technical detail about any vulnerability that would permit any meaningful review under the VEP [Vulnerabilities Equities Process]."
"We do not have enough technical detail about any vulnerability that would permit any meaningful review."
In some ways, this makes perfect sense. The exploit business is very much a business, and you'd be a lot more wary to sell something if you thought it was going to be your last possible sale. FBI Director Comey has already said the exploit cost well over $1 million. Who knows how much the deluxe edition would have cost.
But once you accept that logic, it's hard to see why any agency would ever report a purchased bug. The FBI and its vendors set the terms of the contract, and it's much easier for both if the bug never gets reported. The bureau can share it with local law enforcement and tell their friends in Congress, and use it on any future iPhones that might come up, without worrying Apple will deploy a patch to defend against the new attack. If someone else happens to figure out the bug along the way, it's bad news for iPhone users, but both parties seem to see that as an acceptable risk.
At the same time, with the FBI paying out over a million for an iPhone hack, you'll probably get a lot more people looking for iPhone hacks. In the long term, it puts law enforcement agencies on the side of breaking security systems and keeping them broken, which in turn leads to more catastrophic hacks for the FBI to investigate. Maybe they'll do it by breaking whatever security software the attackers used, and then the whole cycle can begin again.
It's hard to say how high the stakes are for this particular bug. The FBI has said the attack won't work on iPhones newer than the 5S, although not everyone will be inclined to take them at their word. But even if the attack is limited, the broader precedent is frightening. As the White House wrote in the wake of Heartbleed, "Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest." Unfortunately for everyone, we still don't have a working system to keep that from happening.