Unnamed sources cited by the Washington Post contradict the widely-held belief that it was Israel-based mobile forensics company Cellebrite which helped the FBI hack into the locked San Bernardino iPhone. The report say that the agency was instead approached by a group of freelance hackers who revealed an iPhone passcode vulnerability to the FBI in return for a one-time fee.
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter […]
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution …
A $15,000 invoice from Cellebrite to the FBI at the time that the agency announced a third-party had enabled it to access the phone appeared to be the smoking gun corroborating an initial report from an Israeli news source, but the latest report suggests that the two are unrelated. The FBI is known to have been a long-term client of Cellebrite, further corroborating initial reports.
The WaPo report explains that while ‘white hat’ hackers report the vulnerabilities to the companies concerned so that they can be patched, and ‘black hat’ hackers exploit the vulnerabilities to create malware, the group here falls into a third category.
Often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.
This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States.
USA Today separately reports that FBI director James Comey recently told law students at the Columbus School of Law that he didn’t view Apple as ‘a demon’ for standing up for user privacy, saying that trying to balance the conflicting demands of privacy and security was ‘the hardest problem I’ve encountered in my entire government career.’ This echoed an earlier comment he made during the Congressional hearing.
“I’m glad the litigation is gone,” Comey told students at Catholic University’s Columbus School of Law, adding that the “emotion around that issue was not productive.”
“Apple is not a demon; I hope people don’t perceive the FBI as a demon.”
The government’s withdraw from San Bernardino case, the director said, has allowed both sides to “take the temperature down” while allowing a broader public debate to continue.
Comey said that he now supports Apple’s view that it should be the legislature, not the courts, who decide the issue.
FTC: We use income earning auto affiliate links. More.
The temperature was only raised in the first place because the FBI went to court to try and force Apple to do something that Apple believed was inappropriate, unconstitutional and dangerous. Apple had already co-operated with the FBI and shared the contents of Farook’s iCloud backups, but the FBI decided to use that case to set a precedent and that escalation was what blew the whole thing up into a heated confrontation.
Apple has been consistent throughout. The FBI has changed their story and attitudes multiple times. The FBI needs to take a long hard look at itself because they have not done themselves any favours with the way that they handled this case and it will have a negative impact on future cases where the potential to have accessed data held within iPhones would have been much more significant. The FBI say that they hope that they aren’t perceived as a demon, but they have done a great deal to tarnish their reputation and their ineptitude has made things much worse for future investigations because the publicity generated has shone a massive spotlight on how people can best secure data.
Excellent post – I Salute you!
I don’t believe they actually got access to any backups on iCloud. What i read was that Apple told them to bring the 5C to the shooter’s home to see if it would automatically connect to WiFi and perform a backup, but someone at the FBI had already changed the iCloud password, and that would prevent the 5C from backing up to the Cloud if it was even set up to do that in the first place. So from it sounded, they couldn’t see anything from iCloud. I believe that’s what promoted the FBI to ask Apple to hack the password, and Apple didn’t have any method for doing that, and that the FBI requested that Apple develop an OS replacement so it would get rid of the “guard dog” which bricks that phone if they don’t type in the proper password within 10 attempts. The thing is the way these court orders are written. Apple has assisted the FBI in previous cases, but Apple has made the OS more secure over the years and from the sounds of it, will continue to make the OS more secure as time goes on as they get more information on any holes in the OS. Yes, from what Tim & Co. says, they don’t want to create a “backdoor” into future versions of the OS, because it essentially opens up for any hacker to hack into anyone’s phone. The problem is that I don’t think there will ever be a way for Apple to make the products secure while allowing a backdoor where only LE is allowed in. I just don’t see that scenario happening. I also think that at this point in time, they can only achieve a certain level of security and that yes, it’s possible to create some method to crack these phones, the thing is, that it’s VERY difficult. I’m sure once Apple finds out how someone is able to crake the password, that they’ll figure out how to plug up that hole.
What I don’t like is that a lot of these “Politicians” simply don’t understand technology or the nature of the beast they are dealing with. They only see THEIR Point of view and some of them are using it as a means to take advantage of the masses ignorance trying to make Apple look like the bad guy, when in fact a lot of these Politicians are using this as a means to get public vote because they are trying to run for political office (Trump and Sanders), OR they are trying to craft legislation in order to FORCE Apple to give them a backdoor access or figure out a way to fine them since they have so much money.
The FBI is shooting from the hip because they didn’t divulge everything from the beginning and as time went on, we got a better picture of what REALLY happened, which is they they kept changing their stance.
They did get access to iCloud backups from October. The change of the password prevented them from potentially getting a more recent backup done.
As iSRS said, they’re talking about the *previous* backups from iCloud before the attack, when he was still alive & kicking and living a sick sad scummy disgruntled existence.
The ONLY reason he now supports legislative action is the courts were NOT siding with the FBI and Public Opinion was not in lock step when he yelled “Terrorism, just give us what we want so you can stay safe!”
Right now these people are probably receiving a “one time fee” from other hackers, including terrorists, other criminals and other governments.
The FBI should be arresting these people not funding them! What they are doing is dangerous!
The only right thing to do if you find a security flaw is to privately notify the company that makes the software or hardware and give them time to fix it. Later, you can inform the wider security community of the flaw that is now fixed, so everyone can learn. This is how the security community operates. Selling security flaws should be illegal!
Why should the FBI arrest them? They are not operating in the US. Plus, if the FBI arrests them, where are they going to get techniques to crack iOS?
You’re right that this company should report these flaws to companies but they wouldn’t be in business if they did. They are not part of the security community – just people who are taking advantage.
The government has been known for actually taking white-hat security research companies that ARE operating in the US to court under the Computer Fraud & Abuse Act (source: https://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers)
How can they possibly do this while they buy exploits from researchers in other countries!?
That’s the ULTIMATE “do as I say, not as I do”
We need massive reform, politically, when it comes to these issues…
White-hat security researchers should not be charged with “hacking” or fraud and abuse.
Also remember Aaron Schwartz? Yeah, that should NOT be allowed to ever happen again.
We need to make it illegal, across the board, to sell, OR TO BUY security flaws.
We should encourage private disclosure, and also public disclosure as well, but only after a grace period (i.e. time for the company to actually fix their stuff).
Should make a technology pact with other nations around the world to have the same values & laws.
Doubt any of this will ever happen, but I can dream of a technologically moral & savvy congress…
Where do you suppose this “demon” viewpoint started? Certainly not with the American Public.
In response to my letter to my Senator, this is the response I got from one of them. Read it and see if you notice the problems I did with it. Where did my senator get this information? Likely from agencies like the FBI, or worse, mainstream media. So forgive us for having a hard time you just want a broader public debate…
The response in its entirety.
“Thank you for contacting my office about encryption technology and data security. I appreciate hearing from you on these important issues.
As you know, in a recent case associated with the San Bernardino terror attack, a cell phone manufacturer refused to assist federal law enforcement authorities in accessing data stored on the attackers’ confiscated phones. The Justice Department initiated legal action to obtain the company’s compliance, but prior to the court’s decision, the Federal Bureau of Investigation indicated it had accessed the required data without the manufacturer’s help and dropped the case.
I understand your concerns regarding the privacy of personal data, and I have consistently supported measures to ensure the government intelligence programs are appropriately limited to better protect our civil liberties. For example, I supported the USA Freedom Act, which ended the NSA’s bulk data collection program and added additional transparency to the Foreign Intelligence Surveillance Court proceedings.
Please be assured I will carefully monitor legislative proposals related to this issue. Thank you again for sharing your thoughts with me, and please do not hesitate to contact my office with any future concerns.”
Interesting if true.
If it is true: we now have the ridiculous situation where ….
Apple refuses to assist law enforcement – even on court order – allegedly to protect us from hackers. Because any access they created to a locked phone would ‘spread like cancer’ and totally destroy the entire US IT sector …
… Now we find the hackers already know how to get into the phone. It hasn’t ‘spread like cancer’ No one will tell Apple how the hack is done because Apple can’t be trusted. If there is a security risk to normal, honest customers then Apple can’t fix it.
How long before Apple understands why responsible IT corporations, doctors, banks etc etc provide an official, secure, way of disclosing client information on receipt of a warrant and keep it confidential the rest of the time.
Once again John Smith you are an ass hole and I will keep telling you this every time you post bull shit like this!!!!!
yes, trust your gubbermint…..they can do no wrong…….IDIOT!!!!
You’re saying we should trust the government, right?
They illegally hacked into almost every big internet company’s clouds.
We live in a society with rules and laws. If the people who are writing the laws are the same ones breaking them, how is that trustworthy in any way?
They brought this upon themselves.
LOL. The FBI were notified way in advance of the litigation that there was an exploit available to unlock the phone.
Anyone who believes otherwise is a moron. They tried to play a PR game and they lost.