I was kind of tired of the FBI vs. Apple story, but now it has a secret collective of morally ambiguous hackers, and I’m into it again.
According to a report from the Washington Post, the Federal Bureau of Investigation paid a group of hackers a one-time fee to pinpoint a zero-day security flaw, which was used to create hardware to assist in unlocking the iPhone of the San Bernardino shooter.
The Washington Post did not identify the group, but referred to the individuals in it as “researchers” in the report:
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.
To add another wrinkle, the Post is reporting that at least one of these researchers is a “gray hat” hacker, the kind open to helping governments spy on people:
Some hackers, known as “white hats,” disclose the vulnerabilities to the firms responsible for the software or to the public so they can be fixed and are generally regarded as ethical. Others, called “black hats,” use the information to hack networks and steal people’s personal information.
At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.
If this is accurate, it means that Israeli forensics firm Cellebrite was not the third party that helped the FBI, contradicting reports from Israeli media. We also still don’t know exactly how the data was extracted.