FBI 'purchased zero-day from grey hats' to crack iPhone

News by Tom Reeve

UPDATED: The FBI apparently purchased a zero-day exploit from grey hat hackers to crack the San Bernardino shooter's iPhone, raising questions about ethics and implications for privacy.


Updated: this article has been updated to include comments and concerns of IT professionals regarding the FBI's use of a zero-day exploit to hack an iPhone.  

According to a report in the Washington Post, the FBI purchased a zero-day exploit to crack the San Bernardino shooter's iPhone.

Citing sources “familiar with the matter”, the paper said FBI did not need the services of Cellebrite, an Israeli cyber-security company, after all.

The FBI reportedly purchased the zero-day exploit from professional hackers who some have categorised as “grey hats”.

The flaw was used to extract information from the phone which was then used to create hardware that the FBI used to crack the security code on the phone without triggering any of the security features.

FBI director James Comey has stated that the exploit only works on iPhone 5Cs running iOS 9. There is a debate within the US government about revealing the exploit to Apple to enable the company to patch it.

Meanwhile, an Italian father, who wants to unlock his dead son's iPhone 6, has given the phone to Cellebrite engineers who say they have extracted the data from the phone onto their servers and are now working on breaking the encryption.

Kevin Down, chairman of the CNS Group, said it was inevitable that the FBI would find a way to crack the iPhone but the use of a zero-day exploit was unexpected. “I wouldn't necessarily have guessed at a zero day,” he said, “but it isn't that surprising.”

Don Green, mobile security manager at WhiteHat Security, agrees. “No real surprises here. The FBI will use whatever means is necessary to gather any information that could be useful to them.”

Even before John McAfee publicly offered to hack the iPhone on behalf of the FBI free of charge, everyone has suspected that there was a way into Apple's “walled garden”.

Grayson Milbourne, security intelligence director at Webroot, said this has proven what had been suspected. But he has concerns: “Hiring grey-hats to exploit such zero-day exploits only contributes to the development of such tools and improvement of techniques around these vulnerabilities, which does not make the world a safer place.”

However, Christos Dimitriadis, international president of ISACA and group director of information security at INTRALOT, sees this as ethical hacking. “Many companies – technology and more traditional firms – have found ethical hacking to be an effective and efficient way to test for security vulnerabilities and close any gaps before they become a big – and public – problem. These types of partnerships can be proven very useful in ensuring vulnerabilities are addressed quickly towards preventing exploitation.”

Meanwhile, Kevin Down is worried about the way this was handled by the FBI. “The publicity around it has purely been to put pressure on and embarrass Apple and also to ask the question whether we want to live in a society where certain data and communications are inaccessible, even to large government law enforcement agencies. Most people in IT security would automatically answer yes to that question, but the debate is only going to get more difficult and more nuanced,” he said.

Whereas the IT community, who are of course more informed than the average person about this topic, are warning of far-reaching implications for privacy, Down is disappointed about the lack of public outcry from the general public. “The reaction of iPhone users to the apparent ease of accessing the phone: deafening indifference. Why? Well, maybe people are starting to realise that breach of their personal data often doesn't have a huge impact. Whether they will still feel this when more frequent data breaches threaten to bring the whole digital castle tumbling down is another matter entirely.”

Meanwhile, Don Green is warning about the indifference of another group of people: the grey hats. “The grey hats will take the side of a security issue that benefits them the most. In this case, they are siding against personal privacy. There really is no middle ground for privacy. It's very black and white. Either we have privacy, or we don't. All of us. Including the grey hats."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews