iPhone Hacking Tool: Court Rules FBI Can Keep Details Secret

A United States federal court ruled this weekend that the FBI does not have to disclose the name of the vendor that provided the agency with a tool to hack into the iPhone, nor does it have to provide information about how much it paid for the tool.

The decision, handed down by a U.S. district court in Washington, D.C., determined the FBI could continue to protect information about its hacking tool after determining disclosing such information could present a risk to national security.

The district court ruling will allow the FBI to continue to keep secret many of the details about the hacking tool that it used to unlock an iPhone 5C that belonged to the shooters who carried out the deadly attack at a San Bernardino County facility that killed 14 and seriously injured more than 20 others.

The FBI came across the tool after a public standoff with Apple. The federal government and law enforcement agencies attempted to push the Cupertino-based company into breaking its own encryption to provide access to the FBI—an effort that Apple and CEO Tim Cook publicly pushed back against.

Despite a court order telling Apple to provide the FBI with software to unlock the iPhone—an order which Apple fought against—the battle between Apple and the FBI came to a sudden halt when the agency obtained the ability to unlock the iPhone in question from an outside party.

Members of the press and public have attempted to gain more information about the vendor that provided the FBI with the hacking tool—including the name of the company and the amount the FBI paid for the service—through Freedom of Information Act (FOIA) requests but the agency has refused.

The ruling from U.S. District Judge Tanya S. Chutkan of the District of Columbia provides the FBI with legal cover to continue to withhold the information, as the judge determined the information is exempt from FOIA requests because of its sensitive nature.

"The courts have often deferred to agencies on national security issues involving freedom of information,” Peter Swire, a professor of law at Georgia Institute of Technology and an expert on privacy and cybersecurity, told International Business Times. “The court deferred to the FBI here once again."

In this case, the court agreed with the FBI’s argument that revealing the vendor and the price could threaten national security.

"The FBI's conclusion that releasing the name of the vendor to the general public could put the vendor's systems, and thereby crucial information about the technology, at risk of incursion is a reasonable one," Judge Chutkan ruled.

She also wrote that revealing the price paid for the tool “would designate a finite value for the technology and help adversaries determine whether the FBI can broadly utilize the technology to access their encrypted devices."

Cellebrite, a data extraction firm based in Israel that specializes in mobile device, has been floated as the possible vendor that worked with the FBI in order to unlock the device belonging to the San Bernardino shooters. Former FBI Director James Comey suggested the agency may have paid more than $1.3 million to an unnamed company in order to break into the iPhone.

For the time being, those bits information appear to be all that will be known about the FBI’s efforts to hack into locked Apple devices, though Swire suggested there are other ways that may produce additional information about the hacking tool.

"There is a different way information about the vendor might eventually become public. If the FBI ever uses the tool again, the criminal defendant has a chance to do a cross-examination," Swire said, noting it may reveal additional details about the vendor. "We might see a criminal defendant pushing hard to learn more about these kinds of tools in the future."

Swire also pointed out that while the court order may prevent further information from being reveals via Freedom of Information Act, the decision also provided no clarity on whether the FBI disclosed to Apple the vulnerability that allowed it to hack into the devices.

"The court order says nothing about whether the FBI could keep the vulnerability secret from Apple,” he said. “Apple says it wants to fix the flaw. The FBI seems to be holding onto the vulnerability to get into iPhones in the future. A major worry is that the vulnerability could be used by other governments or other hackers if Apple doesn't have the chance to fix it."

Swire said such a decision about disclosure would be made by through the Vulnerability Equities Process (VEP)—a system in which the government evaluates a vulnerability and determines if it is best to disclose it to a developer to be fixed or withhold it to use for law enforcement, intelligence gathering, and other purposes.

Earlier this year, a Microsoft Windows security exploit held by the National Security Agency was stolen by a group of hackers and made public. That exploit resulted in the spread of the WannaCry ransomware attack. Microsoft criticized the government for failing to disclose the exploit before it was stolen, allowing the spread to occur.