The US Federal Bureau of Investigation doesn’t own the technique used to unlock the San Bernardino iPhone, so it can’t reveal the method to Apple even if it wanted to, Reuters reported, citing unnamed White House sources.
The Washington Post reported yesterday, citing unnamed sources, that the FBI had paid a hacker a one-time fee to use a piece of hardware that allowed it to access the iPhone 5c belonging to one of the San Bernardino, California assailants. The vendor that supplied the hack is a non-US company, according to Reuters. But according to the Post report, it is not the Israeli firm Cellebrite, which had previously been named. In an email to Quartz, the FBI did not confirm or deny the Post’s report about a hacker breaking into the phone, referring us instead to public statements and Congressional testimony.
The FBI would require the vendor’s cooperation in order to submit the technique it used to the Vulnerabilities Equities Process, a mechanism that allows the government to consider whether it should disclose security flaws to manufacturers. It’s a move that mirrors Apple’s own efforts to create security systems on its phones that even it wouldn’t be able to crack, meaning it can’t comply with a government order to hand over user data even if it wanted to.
It’s unclear whether the FBI has acquired exclusive use of the hack. If the Reuters report is accurate, it would appear that the FBI doesn’t have sole use of the security bypass technique. When contacted, the FBI would not comment on the vendor it used.
James Comey, the FBI director, has said that he is “confident” the technique will be “closely protected” and used lawfully. “The people we bought this from I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it, and their motivations align with ours,” according to a statement the FBI provided us, citing remarks Comey made at Kenyon College last week (Apr. 6).
The black market for hacks of Apple’s mobile devices, or so-called “zero days,” is a high-priced one. A 2015 leak of emails belonging to the security vendor Hacking Team revealed that the going rate for iOS zero-days was between $250,000 and $500,000. The leak revealed that government agencies were among the customers who could afford these expensive exploits.