Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

FBI reportedly paid 'gray-hat' hackers, not Cellebrite, for zero day exploit in San Bernardino iPhone case

Last updated

In the latest development of what appears to be a never-ending guessing game, a report on Tuesday claims FBI officials purchased a zero day exploit from a group of professional security researchers as part of its successful effort in breaking into an iPhone 5c linked to last year's San Bernardino terror attack.

Citing sources familiar with the matter, The Washington Post reports an unnamed group of hackers was paid a one-time fee in return for a previously unknown iPhone exploit, which was subsequently used to access a device tied to terror suspect Syed Rizwan Farook. The exact nature of the vulnerability remains unclear, as do financial specifics, but sources say the agency leveraged a software flaw to create a hardware solution that effectively bypasses Apple's iOS passcode counter.

Today's report runs counter to previous claims pointing to the involvement of Israeli firm Cellebrite. Earlier this month, for example, both Bloomberg and CNN cited sources as saying the Justice Department contracted the security subsidiary of Japan's Sun Corporation just one day before federal prosecutors were scheduled to meet Apple in court over a motion compelling the company's assistance in accessing Farook's device.

Neither Cellebrite nor the Department of Justice has commented on the matter, but Sun Corp.'s stock jumped on the rumors.

As for the identities of the shadowy security group, today's report is light on details, but said at least one individual can be considered a so-called "gray hat," or a researcher who sells discovered software flaws to governments or companies.

Researchers are usually classified into two groups: "white hats" who find and disclose vulnerabilities publicly in an ongoing effort toward to secure consumer devices; and "black hats" who use these exploits for their own gain. Actions of the third group, "gray hats," are ethically questionable as the information they provide can be used to create the surveillance and data forensics tools that sit at the heart of a contentious debate over national security and privacy.

As for the FBI, the agency currently has no plans to share information regarding the exploit with Apple as the company would undoubtedly patch the flaw, shutting off law enforcement access to iPhone 5c devices and older. Apple last week said it will not sue to learn of the vulnerability, saying the FBI's workaround likely has a short shelf life.