FBI shares Apple vulnerability through controversial review
The FBI told Apple about a security vulnerability in its Mac and iPhone software earlier this month, the first time the agency has disclosed such a flaw under a controversial White House review process, according to Reuters.
The April 14 disclosure — which involved a flaw in older devices that had already been patched by the company — came one day after a report that the agency did not believe it would be able to participate in a White House review of the hacking technique used to access the iPhone belonging to one of the San Bernardino, Calif., shooters.
The move may have been intended to demonstrate that the agency can and does use the review process to disclose software flaws it finds, Reuters reports.
The so-called Vulnerabilities Equities Process, created by an Obama administration cybersecurity rule in 2010, is used to determine whether a government-discovered hacking method should be disclosed to the manufacturer to be patched.
Although the White House says that the process is weighted toward disclosing vulnerabilities, critics argue that an exception for national security concerns allows the government to hoard hacking techniques at the expense of public cybersecurity.
“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack,” White House cybersecurity coordinator Michael Daniel said in a 2014 blog post outlining the decision-making process.
The review panel has been in the spotlight since the FBI announced that it had purchased a “tool” to gain access to the iPhone 5c of San Bernardino shooter Syed Rizwan Farook. The device had been the epicenter of a fierce legal fight between the FBI and Apple, with Apple refusing to help the agency hack into the locked phone on privacy and security grounds.
Security experts immediately argued that whatever vulnerability the agency was able to exploit to gain access to the device should go through the Vulnerabilities Equities Process. The flaw, they insisted, had been left wide open for online criminals to find — leaving everyday users of Apple products exposed to identity theft and other crime.
But the FBI has sent clear signals that it is unlikely to submit the exploit to the review process. On Tuesday, Director James Comey said that the bureau may not understand the workings of the tool well enough to justify the review.
He has previously suggested that the exploit may not be eligible for review because the FBI may not own the technical information underpinning the tool.
Digital rights activists say that the process itself is “broken.”
Christopher Soghoian, chief technologist at the American Civil Liberties Union, told The Hill earlier this month that the makeup of the review board — which isn’t public — is disproportionately weighted toward intelligence and defense officials without representing privacy or technology experts from agencies like the Federal Trade Commission or the National Institute of Standards and Technology.
Compounding that tension, Apple has said repeatedly that it will reject orders to help hack phones in the future — giving the government a compelling reason to keep information about security holes to itself.
The result, onlookers say, is that the government is alienating tech companies by not disclosing vulnerabilities it finds — a common practice in the cybersecurity industry.
“There are not a lot of people who are hopeful about the Vulnerability Equities Process” resulting in a disclosure of the San Bernardino flaw, Soghoian told The Hill recently.
Apple, meanwhile, was unimpressed by the FBI’s apparent good-faith gesture. A company executive told Reuters that the disclosure did nothing to change its perception that the Vulnerabilities Equities Process isn’t as effective as the White House claims.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.