Apple seeks way to fix phone security flaw

LOS ANGELES -- Apple Inc. refused to give the FBI software the agency desperately wanted. Now Apple is the one that needs the FBI's assistance.

The FBI announced Monday that it managed to unlock an iPhone belonging to one of the San Bernardino, Calif., shooters without Apple's help. And the agency has shown no interest in telling Apple how it skirted the phone's security features, leaving the tech giant guessing about a vulnerability that could compromise millions of devices.

"One way or another, Apple needs to figure out the details," said Justin Olsson, product counsel at security software maker AVG Technologies.

"The responsible thing for the government to do is privately disclose the vulnerability to Apple so they can continue hardening security on their devices."

Some news outlets citing anonymous sources have identified Israeli police technology maker Cellebrite as the undisclosed third party helping the government, but neither the company nor the FBI has confirmed those reports.

The company's relationship with the FBI on this case was first reported last week by Yedioth Ahronoth, an Israeli daily.

A source who is not authorized to discuss the case said the FBI was provided with the ability to incorrectly guess more than 10 passwords without permanently rendering the phone's data inaccessible. That allowed the agency to use software to run through potential pass codes until it landed on the correct one. It is not clear what information, if any, was gleaned from the phone.

The FBI was already a Cellebrite client before this project, according to people familiar with the matter, who asked not to be identified as the matter is private. Cellebrite, founded in 1999, is a unit of Japan's Sun Corp. Sun's shares are up almost 40 percent since March 21, when U.S. authorities said a third party had demonstrated a way to get into the iPhone.

The situation illuminates a process that usually takes place in secret: Governments regularly develop or purchase hacking techniques for law enforcement and counterterrorism efforts, and put them to use without telling affected companies.

What's different in this case is that the world has been watching from the start. After Syed Farook and his wife killed 14 people in December, the government publicly sought a court order to compel Apple to unlock Farook's work-issued phone. Apple opposed that order, heightening long-standing tensions between Silicon Valley and law enforcement officials.

New question

Now that the FBI has dropped its case against Apple, there's a new question: Should tech companies be made aware of flaws in their products, or should law enforcement be able to deploy those bugs as crime-fighting tools?

It's unclear whether the FBI's hacking technique will work on other versions of the iPhone, though a law enforcement official who spoke on the condition of anonymity said its applications were limited.

Attorneys for Apple are researching legal tactics to compel the government to turn over the specifics.

Apple's anxiety is understandable. No tech company wants a major security gap in its products, and most are given months of warning to fix issues before they are made public by the researchers who discover them.

That's why Apple sees the government as having a moral obligation to disclose details of its hacking technique.

"Apple's best chance is to make a compelling case that the disclosure of this exploit is in the interest of national security as in, if it remains undisclosed and undiscovered, it potentially puts innocent users at risk of data breach," Olsson said.

Apple said in court filings that part of the reason its executives feared developing software to circumvent iPhone security features was that once created, it could end up in the wrong hands.

That same argument could come into play with the disclosure issue if Apple makes a public plea that the government and the outside group can't properly safeguard the technique.

Last year, an Italian company that bought and sold bugs saw its entire database leaked onto the Internet. The security issue could explain why the FBI and the outside party are being so secretive about the process.

There's also the concern that now that an iPhone has been hacked, others will try. The iPhone has been seen as "a tiny little Fort Knox that from the outside has shown very hard to get into," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The San Bernardino situation changes the dynamics, providing a reason for "cybercriminals and amateur hackers to come out of the woodwork," said Peter Tran, a general manager at RSA's advanced cyberdefense group.

Information for this article was contributed by Paresh Dave, James Queally and Richard Winton of the Los Angeles Times and by Yaacov Benmeleh of Bloomberg News.

A Section on 03/31/2016
