FBI Paid Hackers To Crack the San Bernardino Shooter’s iPhone

Unnamed sources said the Federal Bureau of Investigation (FBI) paid "gray hat" hackers for a zero-day vulnerability -- yet to be publicly disclosed -- that enabled the agency to break into an Apple iPhone in its possession.

Details about the FBI's strategy for unlocking the device were reported yesterday by the Washington Post. The iPhone 5c had been used by Syed Rizwan Farook, who with his wife, Tashfeen Malik, carried out a shooting in San Bernardino, Calif., on December 2 that left 14 people dead. The pair was shot dead by police later that day.

Invoking the 1789 All Writs Act, the FBI had previously obtained a court order compelling Apple to write new code -- dubbed by many as "FBiOS" -- to help it bypass the device's built-in security. The agency abruptly withdrew that order late last month after revealing that an unnamed third party had helped investigators unlock the phone without Apple's help.

Questions about Accountability

The professional hackers provided the FBI with a "previously unknown software flaw" that enabled the agency to repeatedly guess at the iPhone's four-digit PIN without setting off security protections that would have wiped the device's stored data, according to anonymous sources cited by the Washington Post. Rather than recognized forensic experts or ethical hackers who report new bugs so companies can fix them, the FBI's hired hackers were "gray hats" who sell vulnerabilities for profit, the paper reported.

Joseph Lorenzo Hall, chief technologist with the Center for Democracy and Technology, told us the Post's disclosure ended speculation that a company like Cellebrite, an Israeli firm that creates data extraction technologies for mobile devices, had assisted the FBI. He added that the agency's decision to buy exploits on the black or gray market was "troubling." He said that approach raises questions about, "How do...
