FBI Plays It Coy Regarding Their iPhone Exploit

Every since the FBI announced that it had found its own way into Syed Farook's iPhone, people have been wondering exactly how it managed to do so, and how many people the exploit puts at risk. Unsurprisingly, the agency declined to share any details with Apple and tried to downplay the possibility that they'd be breaking into phones left and right - despite pretty quickly entertaining the idea of doing exactly that. Now, following a discussion with Director James Comey last night, we have some more... well... I don't think you can exactly call them "details", but:

"We're having discussions within the government about, okay, so should we tell Apple what the flaw is that was found?" Comey said. "That's an interesting conversation because you tell Apple and they're going to fix it and then we're back where we started from."

Comey said that it is possible that authorities will tell Apple, but "we just haven't decided yet."

That's an interesting way of putting it. It seems Comey has forgotten "where we started from", because not that long ago he was still insisting that this had nothing do with setting a precedent or getting into other phones in the future and was all about pursuing every lead in this one case. Well, that lead has now been pursued and the phone in question cracked, so Comey's "back where we started" comment only makes sense if (shocker) this really was about a lot more than one phone.

Comey went on to downplay the applicability of whatever exploit they are using:

While Comey did not disclose the outside group's method in his remarks Wednesday, he said it would only be useful on a select type of devices - specifically, the iPhone 5C, an older model released more than two years ago.

"The world has moved on to [iPhone] 6's," Comey said. "This doesn't work in 6S, this doesn't work in a 5S. So we have a tool that works on a narrow slice of phones. " I can never be completely confident, but I'm pretty confident about that."

Of course, the 5C still accounts for around 5% of iPhones, which may be a "narrow slice", but that's likely of little comfort to the many people using them who now know their device contains a potential security exploit which the FBI is refusing to protect them from. Because that's the point: if the 5C is hackable, that means a bunch of people are at risk and not just from law enforcement overreach. The right thing to do when you've discovered such a vulnerability is report it so it can be fixed - that's pretty much the dividing line between white hat and black hat hacking. By keeping mum on the details, the FBI is leaving a known security vulnerability in the wild. Oh, but Comey's not worried about that:

Comey did not seem concerned that the method for accessing Farook's iPhone would be revealed by the outside group that helped them.

"The FBI is very good at keeping secrets, and the people we bought this from, I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting them," he said.

He only identified this group as "someone outside the government" and said "their motivations align with ours."

Firstly, this presupposes that the exploit will never be found by anyone else (and hasn't been already). Secondly, isn't his allusion to the FBI's mysterious assistants a bit unnerving? Yes, there are security researchers who focus on selling what they find to governments and law enforcement agencies when they need to hack something, instead of revealing the vulnerabilities they discover and helping to close them - which many would already see as a problem. But I guess we are supposed to be comforted that the FBI knows a "fair amount" about these non-governmental hackers, and that their "motivations" align (and don't include doing everything possible to help the public secure their devices and keep their data safe). To protect and serve indeed.