Politics : Formerly About Advanced Micro Devices

To: Tenchusatsu who wrote (930221)
From: TideGlider
4/14/2016 7:15:54 AM

Report: The FBI Paid Some Dodgy Hackers for a Zero-Day to Unlock the San Bernardino iPhone



Kate Knibbs
Tuesday 10:42pm
Filed to: FBI




I was kind of tired of the FBI vs. Apple story, but now it has a secret collective of morally ambiguous hackers, and I’m into it again.

According to a report from the Washington Post, the Federal Bureau of Investigation paid a group of hackers a one-time fee to pinpoint a zero-day security flaw, which was used to create hardware to assist in unlocking the iPhone of the San Bernardino shooter.

The Washington Post did not identify the group, but referred to the individuals in it as “researchers” in the report:


The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

To add another wrinkle, the Post is reporting that at least one of these researchers is a “gray hat” hacker, the kind open to helping governments spy on people:

Some hackers, known as “white hats,” disclose the vulnerabilities to the firms responsible for the software or to the public so they can be fixed and are generally regarded as ethical. Others, called “black hats,” use the information to hack networks and steal people’s personal information.

At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.

If this is accurate, it means that Israeli forensics firm Cellebrite was not the third party that helped the FBI, contradicting reports from Israeli media. We also still don’t know exactly how the data was extracted.


I’ve asked the FBI for confirmation, and I’ve also asked Apple if it is now aware of the security flaw in question. I’ll update if I hear back, but for now—how about that!

Apple masterfully positioned itself as a champion of personal privacy in the PR war it waged against the government, but this could be a strong narrative choice by the FBI. “Government forced to turn to shady hackers after Apple bails out of alliance” is a compelling storyline in this ongoing battle. Yes, the government still looks incompetent. But it also makes Apple look weak—for all its talk about security, it still left flaws discoverable for shadowy freelance hackers.

If more information comes out about this third party’s “grey hat” past, the FBI could also use it as an argument to push tech companies to comply with demands for assistance. After all, look at the alternative—creating lucrative incentives for random hackers auctioning off security flaws to the highest-bidding governments.


Meanwhile, the Pentagon is also actively seeking security help from shadowy hackers—but it won’t pay the ones with criminal records.

Updated 4/13 3:06pm: The FBI responded to Gizmodo via email, though it did not answer our questions about the third party:

We are referring to what we’ve already said publicly through speeches, congressional testimony, etc. and nothing further. However, at Kenyon College, the Director said: “Someone outside the government….came up with a solution. One that I am confident will be closely protected, and used lawfully and appropriately….The people we bought this from I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it, and their motivations align with ours.”

[Washington Post]

Kate Knibbs@kateknibbs
Senior writer at Gizmodo.

Kevin (replying to Kate Knibbs)
4/12/16 10:52pm

Now the question is: will Apple sue the FBI and demand that they turn over information about the security exploit? It could happen.


matt975321 (replying to Kevin)
4/12/16 11:02pm

Not sure Apple has any ability to do so. I think their only hope of finding out the exploit is either it leaks out or when it is used in an active case they have to release information on it to show the information on the phone is valid as evidence.


torchbearer2 (replying to Kevin)
4/12/16 11:04pm

They could, but odds are it would be faster/cheaper to just go to the same group and buy the info from them.


beantown01 (replying to Kevin)
4/12/16 11:20pm

Sue? I think they should report the crime of Apple hacking to the FBI’s cyber crime division. Let’s see them spin that one.


slaw (replying to Kevin)
4/12/16 11:32pm

Apple says it won’t sue FBI to find out how San Bernardino iPhone 5c was hacked
Friday, April 08, 2016, 12:23 pm PT


iElvis, Hair Führer (replying to Kate Knibbs)
4/12/16 11:03pm

“Gray hay hackers”?

WTF, exactly, are we spending ~$50 billion a year on the NSA for, if a few vaping hipsters operating out of their garage can do something they can’t manage?


torchbearer2 (replying to iElvis, Hair Führer)
4/12/16 11:05pm

Because the guys that can get hired by the feds aren't as skilled as the guys that can't or are disinterested in working for the same org.


Doodoobuttsupreme (replying to iElvis, Hair Führer)
4/12/16 11:08pm

Cus they can’t afford to hire kids who smoke weed for some reason or another. And on top of that what did any of this accomplish? They got the data and no update about terrorist activity or the missing 18 minutes out of these people’s day. It’s maddening to say the least, the govt. made a huge stink for literally no reason...


Sean Hodgins (replying to iElvis, Hair Führer)
4/12/16 11:09pm

Passion vs. Work. The “hackers” probably would do the damn thing for fun/free since they probably just love working with the stuff. Since it’s for the gov. they might as well make money at it (which I’m sure is their primary income source). The NSA workers are a bunch of people doing their job, no passion, not the best at what they do. It’s just what they do for a living.


brownplayboy310 (replying to iElvis, Hair Führer)
4/12/16 11:28pm

The hackers couldn’t get hired due to background checks and drug tests. But are undoubtedly the best at the job... a good reason to get rid of those background checks and drug tests for these kinds of positions.


istari (replying to Kate Knibbs)
4/12/16 10:56pm

“Government forced to turn to shady hackers after Apple bails out of alliance”

More like “Government has no qualms about turning to shady hackers to severely limit citizen privacy.”


Spr0ckets (replying to istari)
4/12/16 11:54pm

There were no privacy issues AT ALL, in this case.

The FBI had consent from the owner of the phone in addition to having a full warrant to get any and all information they needed from it by any means necessary.

Privacy doesn’t even begin to enter into this conversation.


Chas H (replying to istari)
4/13/16 12:03am

The phone in question was the property of the state of California, which isn’t a citizen, private or otherwise. Plus the g’ment had a warrant, which, according to the 4th amendment, is all the g’ment needs to ignore your right to privacy.


JoLinn1 (replying to istari)
4/13/16 12:16am

Apple resists government’s attempt to erroneously enslave its employees thus government instead pays chump change for a commodity service.


Les Mikesell (replying to istari)
4/13/16 12:40am

There’s no concept of privacy once it is a matter regarding evidence in a criminal case. You can’t be forced to incriminate yourself but that’s not what was happening here.


Katai (replying to Kate Knibbs)
4/12/16 11:30pm

So the FBI paid someone to violate the DMCA? So breaking the law is legal as long as the government pays for it?


dermeister (replying to Katai)
4/12/16 11:55pm

The government had a judge’s order to hack it and can offer anyone immunity from prosecution for federal crimes.


DarthClem3 (replying to Katai)
4/13/16 12:11am

No, this is more like the police having a warrant to search a suspect’s workplace locker that’s locked up with a padlock, and having to use bolt cutters because the suspect’s employer doesn’t have a key and the lock manufacturer decided to make some bullshit point by refusing to provide one.


X? In my Y? (replying to DarthClem3)
4/13/16 12:58am

A delightfully reductive analysis. But don’t forget to add that the employer told police how to pick the lock, who then proceeded to glue a toothpick into the keyhole.


KudouKou (replying to DarthClem3)
4/13/16 1:09am

“-and the lock manufacturer decided to make some bullshit point by refusing to provide one.”

“-and the lock manufacturer was reasonably competent and didn’t make a master key for all locks because masterlocks/backdoors are a security problem for everybody.”

There, fixed that for you.

After all, those master locks for airport locks work SO WELL and are SO SECURE we should make our tech with people’s private documents have backdoors that would so totally never fall into the -wrong- hands. /s

http://www.techtimes.com/articles/84039...


mrjoeyyaya (replying to Kate Knibbs)
4/13/16 2:15am

A situation like this is just hard to choose sides. Breaking into a terrorist phone to obtain more info for security reasons seems acceptable, but I know damn well that if the FBI breaks into one phone, they start doing it domestically to everyone’s phones. I don’t have anything to hide but I would like to have my privacy respected. The fact that they paid hackers to do the job is quite shady. You know what, why the hell do they need the info off their phone if we have a president who is willing to let terrorists come into the country, pretending they are refugees? This country is ass backwards.


Flying Squid (replying to mrjoeyyaya)
4/13/16 7:18am

Not to ruin your little Obama hate party, but it’s very easy to choose sides. This was the guy’s state-issued work phone. There’s no way he had any actionable information on it.


Stinger554 (replying to Flying Squid)
4/13/16 7:22am

This so much and if it did have any useful information on it they would have gotten it off of the carrier info that they pulled which is who he called or messaged and what was messaged.


GreenN_Gold (replying to Flying Squid)
4/13/16 12:16pm

Probably true, but I’d still check it out. A lot of people put some really dumb and/or incriminating stuff on their work devices. A friend of mine is a habitual offender (caught with porn on his take-home work laptop) and when I ask him what he’s thinking, he never had a good answer.


xXTomcatXx (replying to Flying Squid)
4/13/16 3:49pm

“There’s no way he had any actionable information on it.”

There’s literally no way for you (or anyone else for that matter) to know that. Just because a suspect doesn’t use a phone explicitly for planning or communicating with terrorists, doesn’t mean the phone doesn’t have information that could assist in the investigation.

A good example are location logs. There’s countless apps, some that his employer may have loaded, that record location information periodically. A non-work related location that shows up in those logs weekly could very well generate a lead.