FBI Paid Hackers To Crack the San Bernardino Shooter’s iPhone

Unnamed sources said the Federal Bureau of Investigation (FBI) paid “gray hat” hackers for a zero-day vulnerability — yet to be publicly disclosed — that enabled the agency to break into an Apple iPhone in its possession.

Details about the FBI’s strategy for unlocking the device were reported yesterday by the Washington Post. The iPhone 5c had been used by Syed Rizwan Farook, who with his wife, Tashfeen Malik, carried out a shooting in San Bernardino, Calif., on December 2 that left 14 people dead. The pair was shot dead by police later that day.

Invoking the 1789 All Writs Act, the FBI had previously obtained a court order compelling Apple to write new code — dubbed by many as “FBiOS” — to help it bypass the device’s built-in security. The agency abruptly withdrew that order late last month after revealing that an unnamed third party had helped investigators unlock the phone without Apple’s help.

Questions about Accountability

The professional hackers provided the FBI with a “previously unknown software flaw” that enabled the agency to repeatedly guess at the iPhone’s four-digit PIN without setting off security protections that would have wiped the device’s stored data, according to anonymous sources cited by the Washington Post. Rather than recognized forensic experts or ethical hackers who report new bugs so companies can fix them, the FBI’s hired hackers were “gray hats” who sell vulnerabilities for profit, the paper reported.

Joseph Lorenzo Hall, chief technologist with the Center for Democracy and Technology, told us the Post’s disclosure ended speculation that a company like Cellebrite, an Israeli firm that creates data extraction technologies for mobile devices, had assisted the FBI. He added that the agency’s decision to buy exploits on the black or gray market was “troubling.” He said that approach raises the question, “How do we maintain accountability for that?”

Because the FBI apparently gained access to the iPhone using a previously undisclosed vulnerability, it should release that information in a timely manner because that flaw potentially affects “hundreds of millions of devices,” Hall said. “The time needs to be measured in weeks rather than months.”

Aiming To ‘Set a Precedent’

While Apple is no longer under a court order in connection with the San Bernardino iPhone, the company faces a similar situation with another iPhone, this one related to a U.S. Department of Justice investigation of a drug-dealing case.

Speaking on background with the media Friday, Apple attorneys said they were disappointed that the Justice Department had decided to pursue that case in court in the Eastern District of New York. However, they added that Apple was not surprised and intended to defend its case. The attorneys also said that Apple had no plans to sue the government to find out more about the vulnerability the FBI used to break into Farook’s phone.

Hall told us that the case illustrated that the federal government’s recent actions against Apple were “very clearly designed to set a precedent.” He added that Apple might want to consider adopting a bug bounty program similar to those used by other companies to reward “white hat” hackers for disclosing vulnerabilities so they can be fixed.

Image Credit: Sample of iPhone 5c (pictured above) via Apple.
