FBI won't have to reveal details of hacking tool used to crack San Bernardino iPhone

A judge has ruled that the FBI will not have to reveal any details about the hacking tool it bought to crack the iPhone at the center of the San Bernardino shooting case back in early 2016.

Following a Freedom of Information request by Vice News, USA Today and the Associated Press, federal judge Tanya Chutkan ruled in favor of the FBI, meaning that the agency will be able to keep this information secret.

A battle between the FBI and Apple ran for some months as the agency tried to force the iPhone-maker to provide access to the phone at the center of the terrorism case. Ultimately, the FBI managed to obtain a hacking tool from a third party which gave it access to the information it needed without Apple's help.

The ruling means that both the name of the vendor, and the price paid for the tool by the FBI, will not be revealed.

The court agreed with the FBI's argument that:

If the vendor's identity were made public, a review of the company's work could lead antagonists to "develop exploits for the vendor's unique product." Additionally, the FBI notes that because the vendor's networks are not as sophisticated as the FBI's cyber-security facilities, releasing the name of the vendor could subject the vendor to attacks by entities who wish to exploit the technology. Since the vendor is not as well equipped to guard against these types of attacks as is the FBI, revealing the vendor's identity "risks disclosure, exploitation, and circumvention of a classified intelligence source and method." Disclosure of the vendor's identity could thus "reasonably be expected to cause serious damage to national security, as it would allow hostile entities to discover the current intelligence gathering methods used, as well as the capabilities and limitations of those methods."

The ruling goes on to say:

Moreover, it is logical and plausible that the vendor may be less capable than the FBI of protecting its proprietary information in the face of a cyber-attack. The FBI's conclusion that releasing the name of the vendor to the general public could put the vendor's systems, and thereby crucial information about the technology, at risk of incursion is a reasonable one. Plaintiffs here assume that this is not a legitimate threat, and that if the tool were so critically important to national security, the FBI would not have left it in the hands of a "poorly guarded vendor." But the vendor may continue to possess the tool for any number of reasons related to national security interests, and even if the possibility of an attack on the vendor's systems is remote, the FBI has still demonstrated a logically reasonable risk of harm to national security in this respect.

While it is believed that the tool could only be used to access iPhone 5c handsets running iOS 9, the FBI expressed concern that should the tool fall into the wrong hands, someone may determine "a way to enhance the tool's capabilities" beyond this limit.

The ruling is final as there is no right to appeal the decision.