A report this week claims that the FBI purchased a “zero day exploit” from professional security researchers in its effort to break into the iPhone 5c used by one of the San Bernadino terrorists.
The Washington Post, citing sources ‘familiar with the matter’ reports that an unnamed group of hackers was given a one-off fee to share a previously unknown iPhone exploit, which was then used to access the device linked to terror suspect Syed Rizwan Farook. The nature of the exploit is unknown, as are the financials involved, but sources say the agency used a software flaw to create a hardware solution that could bypass the iOS passcode counter.
The report this week contradicts claims that pointed to Israeli firm Cellebrite. Earlier this month, CNN and Bloomberg claimed the Justice Department contacted the security subsidiary of Japanese firm Sun Corporation a day before federal prosecutors were to meet Apple in court over the issue.
Neither the Department of Justice or Cellebrite have commented on the matter, but Sun Corp’s stock rose dramatically on the rumours.
As far as the shadowy security group is concerned, the Post’s report has few details, but said at least one of the individuals involved is considered a “grey hat” researcher who sells discovered flaws to companies and governments.
Researchers are normally classified as either “white hat” who find and share vulnerabilities publicly, and “black hat” researchers who use the exploits for their own gain. The third “gray hat” group are perhaps in ethically murky waters because the information they provide can be used to create surveillance and forensics tools.
The FBI apparently does not intend to share information regarding the exploit with Apple as the firm would no doubt path the flaw and shut off law enforcement access to iPhone 5c and older devices. Apple said it will not sue the FBI to learn the vulnerability, saying the FBI’s method probably has a short shelf life.