FBI Paid Hackers To Crack iPhone Encryption, Report Claims - InformationWeek


Gray hat hackers, not Israel-based Cellebrite, ultimately provided a way into Syed Farook's encrypted iPhone, according to the Washington Post.

The "outside party" that helped the FBI to access data on the encrypted iPhone of San Bernardino terrorist Syed Farook wasn't the Israeli company Cellebrite, as many expected, but rather a group of hackers, the Washington Post reported April 12.

The hackers brought to the bureau's attention a previously unknown security flaw in the iOS 9 operating system, which the bureau was able to use to crack the iPhone's four-digit personal identification number without triggering security features that would delete the data or expand the time required between guesses, according to the Post.

"They were paid a one-time flat fee for the solution," according to the story.

The report also noted that at least one of the hackers is a so-called "gray hat."

While white hats share vulnerabilities with the company responsible for the software so that they can be fixed, and black hats use discovered vulnerabilities to hack into networks and steal information, gray hats sell discovered vulnerabilities for a profit.

The found vulnerability, in this case, is only applicable to iPhone 5c models running iOS 9.

Cellebrite, which has worked with the FBI before the San Bernardino case, did help with it, according to a report from Bloomberg. But apparently it didn't solve the matter.

The FBI's desire to access the smartphone's data led to a Feb. 16 court order against Apple and kicked off global debates, after Apple pushed back and appealed to the public to consider the matter as one with lasting consequences requiring public discussion.

After numerous court filings from both parties, leading up to a March 22 court date, the FBI dropped the case March 21, stating that an outside party had provided a method that could enable it to unlock the iPhone without Apple's assistance.

"The government has now successfully accessed the data stored on Farook's iPhone," the FBI said in the March 21 status report.

A legal ruling has yet to be made regarding how and to what extent technology companies are required to assist law enforcement, as new encryption technologies create spaces that are locked off to all but their owners. The concept bucks the American legal principle that, with good reason and appropriate oversight, law enforcement is allowed into private spaces.

FBI Director James Comey, during an April 6 speech at Kenyon College, urged all parties to continue probing the issue, even though the case has been dropped.

"Litigation is a terrible place to have any kind of discussion about a complicated policy issue. Especially one that touches on our values … So it is a good thing that the litigation is over. But it would be a bad thing if the conversation ended," Comey said.

Added to that conversation now is the matter of whether the FBI should or will share the discovered vulnerability with Apple.

To the FBI, the risk is that it shares with Apple, which will then, appropriately, address the vulnerability. "And then we're back where we started from," Comey said during his Kenyon talk.

However, disclosure -- at some point -- is likely.

In the White House, there's a "strong bias towards disclosure," Michael Daniel, the White House cyber-security coordinator, said during an October 2014 interview discovered by the Post.

It's also the common practice in the white hat hacker community.

"It's something that we in the hacker community call 'responsible disclosure,'" Nico Sell, cofounder of secure communications company Wickr, said during a March 29 television interview on Bloomberg.

"It's something we do every day to protect all of us."

Still another unknown that the FBI has yet to disclose: Whether it actually found any information of use on the newly unlocked iPhone.

Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ...

Comments
Michelle,
User Rank: Ninja
4/13/2016 | 1:56:58 PM
...The End
This story's end is like a tech-thriller only in real life... I want to know what they found on that phone, if anything. This has been a very public fight for information.
tjgkg,
User Rank: Ninja
4/13/2016 | 1:58:44 PM
Re: ...The End
You haven't heard anything because the FBI is analyzing and (hopefully) acting on the intelligence they found on that phone. It makes no sense to publicize what they found and tip off the terrorists.
Michelle,
User Rank: Ninja
4/13/2016 | 11:42:48 PM
Re: ...The End
@tjgkg I didn't phrase my comment very well. I really only want to know if they found something and hope they act on it. I don't want to know details of an ongoing operation like this. 
tjgkg,
User Rank: Ninja
4/14/2016 | 8:19:06 AM
Re: ...The End
@Michelle: I don't think you will really hear anything about this for a while. Right now it is probably quiet because the FBI is either acting on the intelligence or still analysing it. You will hear something after a raid, arrest or take down of suspects. If they say something beforehand it will tip off the terrorists. Frankly I wish the FBI did not say anything at all about Apple and about breaking into the phone.
Banacek,
User Rank: Ninja
4/14/2016 | 11:05:30 AM
Re: ...The End
You won't hear anything because there was no intelligence on that phone to begin with. These people weren't completely stupid and incompetent that they could only use one email address or something, you know. They destroyed two of their phones. Why not this one? Because it was his work phone, not his personal one. What do you think he's doing? "Hey, Osama, send me that critical planning information on my work phone, the one that my employers can track, watch, read, and has access to all the data, because it's too hard to have to grab my other phone to read those messages."

And since terrorist cells work as cells, they're not going to know anything about anything else happening anyways. The best you're going to get is phone numbers. And those they would have already found on their other phones/records, if any.
tjgkg,
User Rank: Ninja
4/14/2016 | 1:48:56 PM
Re: ...The End
Nobody knows for sure. In any case it is too big of a security issue just to assume all that. Law enforcement and intelligence services have to investigate every lead. These people might not be stupid, but they are not perfect and mistakes might have been made. If that were not the case, many crimes would never have been solved.
tjgkg,
User Rank: Ninja
4/13/2016 | 1:57:02 PM
Mixed feelings
I have so many mixed feelings about this story. On one hand I am upset that Apple took such a strong stance against the FBI to the point you would think Apple was holding out against the Gestapo. I understand Apple's feeling of responsibility to its users in terms of privacy and security. But there are times when everyone has to come together for the benefit of the country and ALL its citizens, not just Apple users. Police enter homes with search warrants. The FBI I don't think had that option to enter a locked phone so it had to go through the courts. At the same time they were public about their effort to get into that phone, something an evil agency would not do. I am glad they got into it and hopefully they have uncovered a treasure trove of intelligence that will be used to protect our nation and its citizens. It will be interesting to see how Tim Cook handles the Chinese government should they request a similar service for something far less serious than terrorism.
Banacek,
User Rank: Ninja
4/14/2016 | 11:15:26 AM
Re: Mixed feelings
" On one hand I am upset that Apple took such a strong stance against the FBI to the point you would think Apple was holding out against the Gestapo."

I'm sorry, but when your government has a history of acting like that, they lose all benefit of the doubt. The government has secret warrants, NSLs, gag orders. They've been found to spy on citizens, collect information in the hopes it will help them. We've got leaders telling us "If you've got nothing to hide, you shouldn't care", which I think would make an authoritarian country groan with a "I've heard that before". The FBI, for decades, kept files and tabs on all sorts of 'subversives' in our country, doing who knows what with the information. (Find out a candidate for president is having an affair, you can control them!). All in the name of 'keeping us safe'.

Here's a sad story. I was listening to an old-time-radio show, This is your FBI, from the early 50s. In this episode, at a break, the narrator went on to tell us about the horrors of communism by retelling a story of someone who escaped from a country under a communist regime. He talked about being imprisoned without trial, about being kept awake for days on end, being bombarded with music and noise, all in an attempt to break him (re-educate, you know). And as he was going on and on about these deplorable acts, I could tick off each and every one of them as being something the US has been caught doing lately under the PATRIOT Act. And you think of everything the government has been exposed doing, and all I can think back to is my days growing up hearing about government surveillance in East Germany and Russia and wondering "How did we let our government turn into the USSR?".

Oh, but they're "terrorists" and it's "war", that's OK then.
TerryB,
User Rank: Ninja
4/14/2016 | 1:12:17 PM
Re: Mixed feelings
Amen @Banacek. The government loves it when these rare issues come along (terrorism, child porn, etc) that everyone objects to so they can grab more power. I know we are a democracy but that doesn't mean if 51% of people are sheep who are willing to give away their freedom under the pretense of gaining more "safety" that the rest of us have to live with it.

There was a reason the Constitution and Bill of Rights were created, so the stupid can't vote their way to a police state.

And you are totally right, there is nothing on that phone going to add any more insight into that event. That episode made as much sense as the Okla City bombing. Funny how people have forgotten that, thinking terrorism didn't exist until the radical Muslims came along. There will always be sick people out there and no government can ever stop those kind of lone wolf attacks, regardless how much freedom we toss away.

My favorite is still the TSA debacle. Instead of just installing locks on cockpit, which would have totally stopped the 911 attacks, now we have an ineffective, expensive bureaucracy in place just to make flying an overall miserable experience.
tjgkg,
User Rank: Ninja
4/14/2016 | 2:29:59 PM
Re: Mixed feelings
Terrorism is a very real threat. As someone who lives in NYC and was at Ground Zero on 9-11 I can personally attest to that. If you don't think that law enforcement has to be vigilant 24/7/365 to prevent anything worse from happening again, you are totally naive.

In a way we were safer during the Cold War because all we had to worry about was one country which we could at least watch and assure their total destruction should they do something to us. Today, nukes are all over the place and proliferating further. Along with that you have stateless and lawless terrorists who cause great destruction, loss of life and misery wherever they go. There is no way to put a full army on the ground and wipe that lot out. Little things like what is on a phone, tweet, email or other electronic transmission is part of the puzzle that will lead to the defeat of a threat.

I am all for doing whatever it takes to keep us safe. Lincoln and FDR thought the same thing when they faced the greatest threats to this country.
TerryB,
User Rank: Ninja
4/14/2016 | 3:47:55 PM
Re: Mixed feelings
@tjgkg, always enjoy your thoughts, you are a very bright guy. But as someone born in Oklahoma City, with my family from there, I've felt the effect of terrorism far longer than 9/11. But we didn't rush to toss all our values and freedom away after that event.

If you are saying the TSA makes you feel safer, good for you. All I can tell you is my neighbor, who is great guy and great mechanic, also works part time for the TSA. If you think he is going to prevent terrorism with the minimal training he got (or ever could get), good luck with that.

We already have a CIA, NSA, etc to watch for threats. I'm not calling to abolish that. But it has to be done correctly. The solution is not to consider everyone a terrorist and then let them prove they are not. You can't wiretap everyone, abolish encryption, etc in the name of "preserving our freedom".

This solution to radical Muslims is a political, global solution. This is not America's battle to fight alone. But people are lumping these lone wolf attacks in that fight. I can't imagine how locked down a society would have to be to stop that. It's not a society I want to be part of, that's for sure.
tjgkg,
User Rank: Ninja
4/14/2016 | 4:19:21 PM
Re: Mixed feelings
@TerryB: Thanks for your thoughts. I always appreciate your posts and our discussions! I'm not a big fan of the TSA. I fly a lot and as a middle aged guy travelling alone on business with a laptop, I am ALWAYS singled out for close inspection and have been for years. Only when I am with my girlfriend do I get a break! I don't think the TSA as it currently is deployed is the best way of doing things. The Brits do it better and the Israelis do it the best. Unfortunately it has to be done. I think the TSA should look at how these other countries do it and modify it for the US.

I completely agree with you about doing things the right way. Since 9-11 I think the government winged it and has started to craft a better considered solution with all these intelligence agencies. Aside from threats that were never considered by intelligence planners, new technology has emerged which has stayed a step ahead of not only the law but the agencies. You hit it right on the head when you mentioned that someone is considered guilty until proven innocent. But unfortunately because of the fast changing developments, that was the only way things could be controlled. I personally hate it when I am flying to be singled out because I am a tall male and brought into a different area to be searched. It is embarrassing because I look like the squarest business guy you can imagine! One time in London, after going through the Fast Track line and having a Trusted Traveler Number and special passport, and travelling in First Class (I have a lot of frequent flyer miles), I was pulled out on the jet way trying to board the plane! I really lost it at that point because I felt it was harassment. Thankfully they apologized to me and I had a drink but I get it. I don't like it but I get it. I'm hoping that in the future all the security agencies can work together and tailor their programs to the countries and events that are taking place.

I also agree with you about resolving the radical Muslim issue. I don't know how many more events have to take place before the West gets serious and cooperates to eliminate the threat. I was supposed to be in Paris this past November when that event took place. And I have been in Brussels more times than I care to recall.
Broadway0474,
User Rank: Ninja
4/16/2016 | 9:45:40 PM
Re: Mixed feelings
Terry, you make an incredible point about the security needed to stop all terrorist attacks, particularly lone wolf assaults. You need an authoritarian state, if not a totalitarian one, where neighbors spy on neighbors and a lot of innocent people suffering out of paranoiac punishments from security forces. Not where we want to live.
tjgkg,
User Rank: Ninja
4/14/2016 | 2:09:04 PM
Re: Mixed feelings
I'm sorry but you make it sound like the FBI was the Stasi or KGB. It was not. It operated within the law. And yes there were subversives in this country who tried to sell us out to the communists. You cannot operate a major country without an intelligence service and law enforcement service. And in times of national crises, the Constitution can take a beating. Not sure if you are familiar with what took place during the Civil War and WWII.

With regard to what list you checked off regarding our so called abuses under the Patriot Act, those actions took place against stateless enemy combatants operating out of uniform. When you have stateless enemies operating outside the rules of warfare and law, all bets are off. 
Banacek,
User Rank: Ninja
4/14/2016 | 2:37:45 PM
Re: Mixed feelings
Yes, there were subversives (and still are) trying to overthrow the government. But the FBI kept tabs on far more people than just communists. John Lennon, for example, had a nice big file. What was he doing that was subversive? Oh, right, he called for peace.

And you claim they are against 'stateless' enemies. Who decides they are stateless? Are you sure they all are? And, truth be told, they all weren't enemies. There are many people in Gitmo, for example, who turned out NOT to be enemies of the US or had anything to do with terrorism. And many of them are still there, because the US can't unload them back, and some of them now might be so teed off at the US for treating them this way they now might become terrorists.

I used to say "This isn't what the US is about. We're supposed to be better than this!". But then I realized we've never been better than this. We SHOULD be better than this, but we're just a bunch of frightened bunnies quivering in the corner.
tjgkg,
User Rank: Ninja
4/14/2016 | 3:25:52 PM
Re: Mixed feelings
John Lennon WAS a subversive. You apparently were not around when he was at his radical best in the early 70's. Look it up. He did not just call for peace. Even Lennon repudiated much of that period at the end of his life. Your Lennon example is pretty poor. He would have had a file on him in ANY country of the world if he pulled those stunts.

If you cannot answer the question about what "statelessness" then you cannot understand what is going on. Your argument about Gitmo is facile and naive. The world does not operate where you can just do what you want to do, have complete immunity and privacy from your actions and go on your merry way. It has never been like that anywhere.
impactnow,
User Rank: Author
4/20/2016 | 12:15:23 PM
Privacy
While I, like everyone else, am concerned about our privacy, we all know that in times when national security is involved privacy becomes an issue. I understand the concern that Apple had; however, since we were discussing the technology of the known terrorist, I feel that their unwillingness to help is not understandable. When lives are at stake we need to act quickly. If every raid and investigation in Europe underwent this type of scrutiny, the masterminds of the Paris attacks and Brussels attacks may still be walking the streets. These are unusual times and we need to treat them as such.