FBI Turned to Exploit Dealers to Crack San Bernardino iPhone


The FBI cracked the San Bernardino terrorist’s iPhone with super-awesome internal cyber-spy sources, right? Well—actually no. Sources say the Feds paid professional hackers a one-time fee to do the dirty work—the same hackers-for-hire that law enforcement often characterize as unethical.

Sources told the Washington Post that the hackers discovered a zero-day and brought it to the bureau to sell it.

They addressed a critical problem for the FBI: the bureau’s internal resources could crack the 4-digit PIN without issue, but it was the phone’s other protections that were giving them heartburn. Notably, the FBI needed to disable a feature on the phone that wipes all data stored on the device after 10 incorrect code attempts.

“The new information was…used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data,” according to the report. The hackers were paid a one-time flat fee for the solution.

Researchers who hunt zero-days and exploits with the purpose of selling them to world governments are often seen as arms-dealers of sorts—they’re not uncommon, and they’re highly controversial.

Exploit broker Zerodium, for instance, launched in July 2015 as a new entrant to the ethically grey world of cyber-arms. That start-up is backed by Vupen, the French vulnerability dealer that has often drawn controversy for brokering exploits to the highest bidder. Though it says it won’t deal with “oppressive governments,” Vupen has been criticized for eschewing the concept of community-minded white-hat research in favor of fueling a kind of cyber-arms race. Critics also note that delivering advanced capabilities into the hands of governments and others can result in their ending up in the wrong hands—i.e., the Stuxnet effect.

No word on which so-called “grey hat” group brought the solution to the Feds (sources said that the Israeli firm Cellebrite was not involved, as some earlier reports had suggested).

The sources said that the government will now decide whether to release the flaws to Apple in a responsible disclosure move. Apple said last week that it would not sue the government to gain access to the solution, which only applies to the iPhone 5C running the iOS 9 operating system.

“Freelance hackers and security researchers who specialize in identifying unknown vulnerabilities often find themselves at the center of a critical conversation surrounding the notion of responsible disclosure,” noted Nathan Wenzler, executive director of Thycotic. “What is, perhaps, more troublesome in this particular case is the uncertainty surrounding whether the federal government will follow this responsible disclosure process to share what the vulnerability is with Apple. This debate about whether the FBI should keep the vulnerability secret in order to further its intelligence goals, or to share the information so as to allow Apple to fix the vulnerability and thus, secure and protect millions of users worldwide is contrary to the usual rhetoric the government provides to other hackers and security researchers to always share this information.”

He added, “While the White House does have a group that regularly discusses and reviews these matters, there needs to be a stronger adherence to consistent, responsible disclosure of vulnerabilities like this.”
