The FBI has all but concluded that there's nothing to tell Apple about a vulnerability that was exploited to unlock a phone left behind by San Bernardino terrorist Syed Farook, federal officials said Tuesday, because investigators don't know what it was.
Using an idea proposed by a so-far unidentified third party, the FBI was able to defeat the phone's security features earlier this month and extract data stored on the device.
Normally, when the federal government discovers vulnerabilities in devices or software, it notifies the companies involved.
But FBI Director James Comey said at a cybersecurity conference Tuesday that the government must determine whether investigators actually know what the weak point was in Farook's iPhone, or whether they simply used what was provided by the third party to open the phone.
"The threshold is, are we aware of a vulnerability or did we just buy a tool and don't have a sufficient knowledge of the vulnerability?
"We are really close to sorting that out," he said.
Comey disclosed last week that the FBI paid roughly $1.3 million to the outside provider who came forward with the solution for opening the phone.
"We paid a ton of dough for a tool because it mattered so much for that investigation," he said Tuesday.
An FBI official said under the contract with the provider of the tool, the FBI agreed not to try to reverse-engineer it to see how it worked or to discover the iPhone's weak spot.
Comey has said the solution works only on a phone just like Farook's, a model 5c running iOS 9. Most of the phones held by local police in criminal investigations are newer models, so the technique obtained by FBI will be of limited use.
Earlier this month, a lawyer for Apple said the company would not file a lawsuit in hopes of forcing the government to reveal how Farook's phone was opened.
"We're confident that the vulnerability the government alleges to have found will have a short shelf life. We will continue to improve the phones, and at some point this fix will get implemented," the lawyer said.