The Federal Bureau of Investigation (FBI) announced last month that it managed to break into the iPhone belonging to a San Bernardino shooter, with the help of a third party. Up until now, all the signs pointed to an Israel-based mobile forensics firm Cellebrite being the chosen private party who helped the FBI in hacking the iPhone. Now, new report reveals that it was actually freelance hackers who came forward to aid the agency in solving the problem without Apple's help.
A report by the Washington Post, citing unnamed sources, contradicts the popular belief that Cellebrite was the private party helping the agency hacking into the locked iPhone. These sources say that the agency was actually approached by grey-hat freelance hackers who revealed a previously unknown vulnerability in return for a "one-time flat fee."
The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.
[…] The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.
While the FBI is known to have been a long-term client of Cellebrite, the current solution wasn't brought forward by the Israeli firm. However, it doesn't mean that the company is incapable of unlocking iPhone, as a recent CNN report claimed that Cellebrite offered to help a man access the contents of his son's iPhone 6. Remember, iPhone 6 is harder to crack open than the iPhone 5c belonging to the San Bernardino shooter.
Coming back to who helped the FBI into breaking open the locked iPhone, the report explains that while the white hat hackers report the vulnerabilities to the companies to help them patch them, black hat hackers exploit these to create malware. The group of freelance hackers that approached the FBI, falls into a third, murkier category:
At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.
This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States.
There are several companies and hacker groups falling into this group including the infamous Hacking Team and Zerodium. SecurityWeek reports that Kevin Mitnick, a famous hacker, has been "running an exclusive brokerage service through which interested parties can buy and sell premium zero-days."
The US government is yet to disclose the vulnerability data to Apple so that the tech company can patch it.