FBI Paid Hackers To Crack iPhone Encryption, Report Claims - InformationWeek

Gray hat hackers, not Israel-based Cellebrite, ultimately provided a way into Syed Farook's encrypted iPhone, according to the Washington Post.

The "outside party" that helped the FBI to access data on the encrypted iPhone of San Bernardino terrorist Syed Farook wasn't the Israeli company Cellebrite, as many expected, but rather a group of hackers, the Washington Post reported April 12.

The hackers brought to the bureau's attention a previously unknown security flaw in the iOS 9 operating system, which the bureau was able to use to crack the iPhone's four-digit personal identification number without triggering security features that would delete the data or expand the time required between guesses, according to the Post.

"They were paid a one-time flat fee for the solution," according to the story.

The report also noted that at least one of the hackers is a so-called "gray hat."

While white hats share vulnerabilities with the company responsible for a piece of software so that it can be fixed, and black hats use discovered vulnerabilities to hack into networks and steal information, gray hats sell discovered vulnerabilities for a profit.

The vulnerability found in this case applies only to iPhone 5c models running iOS 9.

Cellebrite, which worked with the FBI as a client before the San Bernardino case, did help with it, according to a report from Bloomberg. But apparently it didn't solve the matter.

The FBI's desire to access the smartphone's data led to a Feb. 16 court order against Apple and kicked off global debates, after Apple pushed back and appealed to the public to consider the matter as one with lasting consequences requiring public discussion.

After numerous court filings from both parties, leading up to a March 22 court date, the FBI dropped the case March 21, stating that an outside party had provided a method that could enable it to unlock the iPhone without Apple's assistance.

"The government has now successfully accessed the data stored on Farook's iPhone," the FBI said in the March 21 status report.

A legal ruling has yet to be made regarding how and to what extent technology companies are required to assist law enforcement, as new encryption technologies create spaces that are locked off to all but their owners. The concept bucks the American legal principle that, with good reason and appropriate oversight, law enforcement is allowed into private spaces.

FBI Director James Comey, during an April 6 speech at Kenyon College, urged all parties to continue probing the issue, even though the case has been dropped.

"Litigation is a terrible place to have any kind of discussion about a complicated policy issue. Especially one that touches on our values … So it is a good thing that the litigation is over. But it would be a bad thing if the conversation ended," Comey said.

Added to that conversation now is the matter of whether the FBI should or will share the discovered vulnerability with Apple.

To the FBI, the risk is that it shares with Apple, which will then, appropriately, address the vulnerability. "And then we're back where we started from," Comey said during his Kenyon talk.

However, disclosure -- at some point -- is likely.

In the White House, there's a "strong bias towards disclosure," Michael Daniel, the White House cyber-security coordinator, said during an October 2014 interview discovered by the Post.

It's also the common practice in the white hat hacker community.

"It's something that we in the hacker community call 'responsible disclosure,'" Nico Sell, cofounder of secure communications company Wickr, said during a March 29 television interview on Bloomberg.

"It's something we do every day to protect all of us."

Still another unknown that the FBI has yet to disclose: Whether it actually found any information of use on the newly unlocked iPhone.

Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ...

Michelle
4/13/2016 | 1:56:58 PM
...The End
This story's end is like a tech-thriller only in real life... I want to know what they found on that phone, if anything. This has been a very public fight for information.
tjgkg
4/13/2016 | 1:57:02 PM
Mixed feelings
I have so many mixed feelings about this story. On one hand I am upset that Apple took such a strong stance against the FBI to the point you would think Apple was holding out against the Gestapo. I understand Apple's feeling of responsibility to its users in terms of privacy and security. But there are times when everyone has to come together for the benefit of the country and ALL its citizens, not just Apple users. Police enter homes with search warrants. The FBI I don't think had that option to enter a locked phone so it had to go through the courts. At the same time they were public about their effort to get into that phone, something an evil agency would not do. I am glad they got into it and hopefully they have uncovered a treasure trove of intelligence that will be used to protect our nation and its citizens. It will be interesting to see how Tim Cook handles the Chinese government should they request a similar service for something far less serious than terrorism.
tjgkg
4/13/2016 | 1:58:44 PM
Re: ...The End
You haven't heard anything because the FBI is analyzing and (hopefully) acting on the intelligence they found on that phone. It makes no sense to publicize what they found and tip off the terrorists.
Michelle
4/13/2016 | 11:42:48 PM
Re: ...The End
@tjgkg I didn't phrase my comment very well. I really only want to know if they found something and hope they act on it. I don't want to know details of an ongoing operation like this. 
tjgkg
4/14/2016 | 8:19:06 AM
Re: ...The End
@Michelle: I don't think you will really hear anything about this for a while. Right now it is probably quiet because the FBI is either acting on the intelligence or still analysing it. You will hear something after a raid, arrest or take down of suspects. If they say something beforehand it will tip off the terrorists. Frankly I wish the FBI did not say anything at all about Apple and about breaking into the phone.
Banacek
4/14/2016 | 11:05:30 AM
Re: ...The End
You won't hear anything because there was no intelligence on that phone to begin with. These people weren't completely stupid and incompetent that they could only use one email address or something, you know. They destroyed two of their phones. Why not this one? Because it was his work phone, not his personal one. What do you think he's doing? "Hey, Osama, send me that critical planning information on my work phone, the one that my employers can track, watch, read, and has access to all the data, because it's too hard to have to grab my other phone to read those messages."

And since terrorist cells work as cells, they're not going to know anything about anything else happening anyways. The best you're going to get is phone numbers. And those they would have already found on their other phones/records, if any.
Banacek
4/14/2016 | 11:15:26 AM
Re: Mixed feelings
"On one hand I am upset that Apple took such a strong stance against the FBI to the point you would think Apple was holding out against the Gestapo."

I'm sorry, but when your government has a history of acting like that, they lose all benefit of the doubt. The government has secret warrants, NSLs, gag orders. They've been found to spy on citizens, collect information in the hopes it will help them. We've got leaders telling us "If you've got nothing to hide, you shouldn't care", which I think would make an authoritarian country groan with a "I've heard that before". The FBI, for decades, kept files and tabs on all sorts of 'subversives' in our country, doing who knows what with the information. (Find out a candidate for president is having an affair, you can control them!). All in the name of 'keeping us safe'.

Here's a sad story. I was listening to an old-time-radio show, This is your FBI, from the early 50s. In this episode, at a break, the narrator went on to tell us about the horrors of communism by retelling a story of someone who escaped from a country under a communist regime. He talked about being imprisoned without trial, about being kept awake for days on end, being bombarded with music and noise, all in an attempt to break him (re-educate, you know). And as he was going on and on about these deplorable acts, I could tick off each and every one of them as being something the US has been caught doing lately under the PATRIOT Act. And you think of everything the government has been exposed doing, and all I can think back to is my days growing up hearing about government surveillance in East Germany and Russia and wondering "How did we let our government turn into the USSR?".

Oh, but they're "terrorists" and it's "war", that's OK then.
TerryB
4/14/2016 | 1:12:17 PM
Re: Mixed feelings
Amen @Banacek. The government loves it when these rare issues come along (terrorism, child porn, etc) that everyone objects to so they can grab more power. I know we are a democracy but that doesn't mean if 51% of people are sheep who are willing to give away their freedom under the pretense of gaining more "safety" that the rest of us have to live with it.

There was a reason the Constitution and Bill of Rights were created, so the stupid can't vote their way to a police state.

And you are totally right, there is nothing on that phone going to add any more insight into that event. That episode made as much sense as the Okla City bombing. Funny how people have forgotten that, thinking terrorism didn't exist until the radical Muslims came along. There will always be sick people out there and no government can ever stop those kind of lone wolf attacks, regardless how much freedom we toss away.

My favorite is still the TSA debacle. Instead of just installing locks on cockpit, which would have totally stopped the 911 attacks, now we have an ineffective, expensive bureaucracy in place just to make flying an overall miserable experience.
tjgkg
4/14/2016 | 1:48:56 PM
Re: ...The End
Nobody knows for sure. In any case it is too big of a security issue just to assume all that. Law enforcement and intelligence services have to investigate every lead. These people might not be stupid, but they are not perfect and mistakes might have been made. If that were not the case, many crimes would never have been solved.
tjgkg
4/14/2016 | 2:09:04 PM
Re: Mixed feelings
I'm sorry but you make it sound like the FBI was the Stasi or KGB. It was not. It operated within the law. And yes there were subversives in this country who tried to sell us out to the communists. You cannot operate a major country without an intelligence service and law enforcement service. And in times of national crises, the Constitution can take a beating. Not sure if you are familiar with what took place during the Civil War and WWII.

With regard to what list you checked off regarding our so called abuses under the Patriot Act, those actions took place against stateless enemy combatants operating out of uniform. When you have stateless enemies operating outside the rules of warfare and law, all bets are off. 