The marathon battle between Apple and the FBI over a locked iPhone belonging to one of the San Bernardino shooters has taken some strange and convoluted turns, but this is definitely near the top of the list. It turns out that the FBI itself doesn’t know how its third-party team of hackers broke into the phone, and neither it nor Apple is liable to find out any time soon. Instead, Obama administration sources told Reuters on Wednesday that the iPhone hacking method was the sole property of the outside party that devised it.
The legal action between the two parties abruptly ended last month when a mysterious third party approached the FBI and claimed to be able to break through Apple’s passcode security features on the locked iPhone 5C. After a few days of testing, the third party’s technique worked, and the FBI was in.
The FBI’s secret method of unlocking phones immediately raised concerns. FBI director James Comey said the method only worked on iPhone 5C models running iOS 9, but there were a lot of lingering questions about how the method worked and whether it could unlock other phones, especially after FBI officers offered to unlock a separate iPhone for a local District Attorney in Kansas.
The government has a policy called the Vulnerabilities Equities Process, which is supposed to mandate that government agencies turn over flaws they find in digital security so companies can correct them. Many experts argued that it should be applied to the secretive method.
But the VEP doesn’t really apply to private companies, so the White House says that the secretive method is pretty much not its problem. That means Apple will probably never find out exactly how the team of hackers broke through its security, but also that the FBI doesn’t have the method either. Instead, the only one who knows the secret is a third-party, non-U.S. company, possibly the Israeli firm Cellebrite — and it has no obligation to tell or not tell anyone how it did it. It’s also troubling because the FBI paid the third-party team, which included at least one morally flexible grey-hat hacker, a one-time fee for their services.
In other words, the only people who know of a crucial flaw in Apple’s security are at an unnamed, foreign private corporation that has no obligation to tell anyone how it broke into one of the world’s most ubiquitous smartphones. It might be time to upgrade to an alphanumeric password.