A new Washington Post story claims a group of independent hackers sold the FBI information that helped crack the San Bernardino shooter’s iPhone, contradicting earlier reports that Israeli tech firm Cellebrite was the company behind the hack. People familiar with the matter said a group of researchers who specialize in hunting for vulnerabilities in software sold knowledge of a previously unknown iOS flaw to the FBI for a one-time flat fee. The information was used to create a new piece of hardware that allowed the FBI repeatedly guess the iPhone’s four-digit PIN without triggering the security feature that erases all the data on the phone.
Cellebrite had declined to comment on whether it was involved in the San Bernardino case, but has since publicly offered its services to try to gain access to a locked iPhone 6, further fueling speculation that the firm was in some way involved with the iPhone operation. While the FBI issued a payment to Cellebrite around the same time the San Bernardino iPhone was hacked, the sources said the bureau did not enlist Cellebrite to aid in the iPhone exploit.
While FBI Director James Comey has said the method has a limited shelf life since it only works on iPhone 5c devices running iOS 9, he is still reluctant to share that information with Apple because “they’re going to fix it and then we’re back where we started from.” But USA Today reports Comey has softened his public tone against Apple, expressing relief that the court fight around the terrorist’s iPhone is done and admitting that the policy issues it raised shouldn’t be settled in the courts. Despite the fact that the government is still fighting court battles with Apple over iPhone encryption, Comey said, “Apple is not a demon. I hope people don’t perceive the FBI as a demon.”
Officials have said it could still be weeks before a White House process for reviewing security vulnerabilities issues a decision on whether to share the iPhone hack with Apple or not. The policy calls for consideration of security flaws that are “newly discovered and not publicly known.” White House cybersecurity coordinator Michael Daniel said, “When we discover these vulnerabilities, there’s a very strong bias towards disclosure,” but he was quick to admit that the government still has “an intelligence and national security mission that we have to carry out. That is a factor that we weigh in making our decisions.”