The US Federal Bureau of Investigation paid hackers to gain access to the iPhone belonging to one of the San Bernardino, California assailants, the Washington Post reported today (Apr. 13), citing unnamed sources.
The hackers created a piece of hardware that allowed investigators to crack the iPhone’s four-digit passcode while bypassing a security measure that would automatically erase the phone’s data, according to the Post. The hackers were reportedly paid a one-time fee for their services.
The hackers knew of a previously undisclosed security flaw in the iPhone, also called a “zero-day exploit,” and approached the FBI with this information, according to the Post. The FBI director has said that the tool only works on a “narrow slice” of iPhones and won’t work on newer models like the iPhone 6s and iPhone 5s.
We have asked the FBI for comment on the Washington Post story.
The Post also claims that Israeli security firm Cellebrite, which was widely reported as the “outside party” that aided the FBI, had nothing to do with the case. Cellebrite had earlier been named as the firm helping the FBI by the Israeli newspaper Yedioth Ahronoth, citing unnamed sources. Neither Cellebrite nor the FBI confirmed the firm’s involvement, when asked at the time.
Apple and the FBI were on course for a legal showdown over whether the iPhone-maker had to obey a court order compelling it to create new software that bypassed is own security measures to allow FBI access. The hearing was called off at the last minute by the FBI, after the agency said an “outside party” could help it gain access to the phone.
The FBI told the Washington Post last December that it uses zero-day exploits, the first time it has disclosed this publicly. The use of zero-days by law enforcement is a new and controversial practice because investigators are exploiting a security loophole without first disclosing it to the manufacturer. Government participation in the market for zero-days is also thought to be growing the market for these vulnerabilities.