I was kind of tired of the FBI vs. Apple story, but now it has a secret collective of morally ambiguous hackers, and I’m into it again.
According to a report from the Washington Post, the Federal Bureau of Investigation paid a group of hackers a one-time fee to pinpoint a zero-day security flaw, which was used to create hardware to assist in unlocking the iPhone of the San Bernardino shooter.
The Washington Post did not identify the group, but referred to the individuals in it as “researchers” in the report:
The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.
To add another wrinkle, the Post is reporting that at least one of these researchers is a “gray hat” hacker, the kind open to helping governments spy on people:
Some hackers, known as “white hats,” disclose the vulnerabilities to the firms responsible for the software or to the public so they can be fixed and are generally regarded as ethical. Others, called “black hats,” use the information to hack networks and steal people’s personal information.
At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.
If this is accurate, it means that Israeli forensics firm Cellebrite was not the third party that helped the FBI, contradicting reports from Israeli media. We also still don’t know exactly how the data was extracted.
I’ve asked the FBI for confirmation, and I’ve also asked Apple if it is now aware of the security flaw in question. I’ll update if I hear back, but for now—how about that!
Apple masterfully positioned itself as a champion of personal privacy in the PR war it waged against the government, but this could be a strong narrative choice by the FBI. “Government forced to turn to shady hackers after Apple bails out of alliance” is a compelling storyline in this ongoing battle. Yes, the government still looks incompetent. But it also makes Apple look weak—for all its talk about security, it still left flaws discoverable for shadowy freelance hackers.
If more information comes out about this third party’s “gray hat” past, the FBI could also use it as an argument to push tech companies to comply with demands for assistance. After all, look at the alternative—creating lucrative incentives for random hackers to auction off security flaws to the highest-bidding governments.
Updated 4/13 3:06pm: The FBI responded to Gizmodo via email, though it did not answer our questions about the third party:
We are referring to what we’ve already said publicly through speeches, congressional testimony, etc. and nothing further. However, at Kenyon College, the Director said: “Someone outside the government….came up with a solution. One that I am confident will be closely protected, and used lawfully and appropriately….The people we bought this from I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it, and their motivations align with ours.”