Updated x3: The Apple iPhone 5c held as evidence on San Bernadino terror suspects is in the news yet again. But now we're told that the FBI paid hackers for help unlocking it -- are you serious?
[Developing story. Updated 10:34 am, 2:07 pm, and 3:20 pm PT with more comment and opinion]
Deep-throated sources talked to the Daily Bezos about a shady gray-hat hacker gang. They said the Federal Bureau of Investigation made it rain, in return for the hackers providing an iOS 9 zero-day vulnerability (maybe several). These bug(s) were then exploited by the FBI to hack into a San Bernadino County iPhone 5c assigned to the dead suspect, Syed Farook.
In IT Blogwatch, bloggers foresee panic on the streets of Cupertino. Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: That Led Zeppelin knock-off allegation is old news…
What’s the craic? Ellen Nakashima and Adam Goldman allege an allegation—FBI paid professional hackers:
Professional hackers...discovered and brought to the bureau [a] previously unknown [0day], according to people familiar with the matter. ... The researchers, who typically keep a low profile...were paid a one-time flat fee.
[It is] often considered ethically murky. ... Dubbed “gray hats,”...they might be helping governments spy on their own citizens [or] be used to track terrorists or hack an adversary.
The U.S...now has to weigh whether to disclose the flaws to Apple [so] the firm can patch it. ... Apple said last week that it would not sue the government.
Lest we forget. Charlie Osborne's got our back—San Bernardino iPhone cracking case:
The FBI [wanted] to access a San Bernardino shooter's iPhone. ... A terrorist incident...took place in December 2015. ... Syed Farook and his wife Tashfeen Malik [allegedly] murdered 14 people at a Christmas party. [So] the FBI wanted access to Farook's...iPhone 5C.
People familiar with the matter said that "professional hackers" [brought] the agency "at least one" zero-day vulnerability. [This] was then used to develop hardware...capable of cracking the...PIN code. ... Contrary to previous reports...Cellebrite was not involved.
Earlier this week...FBI Director James Comey...called [it] the "hardest problem" in his career. [He said] the legislative issues...cannot be solved purely through the court[s].
Does anyone know a snappy way to tell the story in one headline? Kate Knibbs knows—FBI Paid Some Dodgy Hackers a One-Time Fee for a Zero-Day to Unlock the San Bernardino Phone:
I was kind of tired of the FBI...story. But now...I’m into it again.
[Nakashima] did not identify the group, but referred to the individuals in it as “researchers”. ... This could be a strong [PR] narrative choice by the FBI.
“Government forced to turn to shady hackers”...is a compelling storyline. [It] makes Apple look weak.
I wonder what Apple's view is. Here's paradox00:
Apple can fix security flaws [but not] precedent. ... Apple specifically stated...the FBI had [not] exhausted all their efforts.
This is proof Apple was right. ... Apple wanted the case to move forward...but this is hardly the worst case scenario.
Good point. But MaulRx thinks it's a prescription for a fight: [You're fired -Ed.]
Apple said they didn't want to help because of the risk of [it] getting out into the wild. They could have just helped, kept it quiet and we may never have known. Instead, they practically dared the creation of a method that they now have no control over.
Update 1: Cool story, bro. This Anonymous Coward says it proves a point:
If these guys can do it, and the FBI can now do it, then anyone can do it. The Chinese, North Korea, data thieves... And the American government wants to force companies to put **** like this in their software?
But what's the DoJ's PR strategy? The clock is ticking, according to Varenthos:
Wait for it. ... They'll come out and say that they found all kinds of terrorism-related material. ... Then they'll start telling us that this is why we shouldn't be able to have encryption or privacy and...get laws passed banning it, because terrorism and for the children.
Does any of this really paint the FBI in a good light? "Did they call The Hackers R Us Store?" wonders Bob_Who:
The more they say the more idiotic they sound. The FBI sounds as inefficient as the TSA and Congress. A bunch of blowhards with authority that can't get the job done properly because nobody trusts or likes how they operate. ... Never getting the job done is the only job security that exists anymore.
Update 2: Some analysts are really pissed. Jeff Gamet for example—FBI Still Manipulating Public:
FBI Director James Comey said he's glad [the] court battle is over. [But then] he added fuel to that fire by equating the encryption fight to the...gun control debate. ... The FBI chose to...paint Apple as a cold and heartless corporation.
Despite the fact that the FBI chose to make this a public fight...Mr. Comey said there was an "unintended benefit":..a public conversation about balancing security and privacy. ... The public debate was very much intended.
The FBI said, "Just this phone, just this once." ... That statement was totally disingenuous.
When weaknesses and backdoors are intentionally added...they're available to everyone...legit government agency, hacker, or criminal. [It] creates weaknesses anyone can exploit.
Update 3: What's so special about the 5c? Lucian Constantin explains this and other details—FBI bought exploit:
FBI director James Comey said [it] works only [on] the 5c and older. ... Probably because newer models [use] the secure enclave.
The existence of a shadowy...market for exploits...is no secret. ... In November, a...firm called Zerodium paid US $1 million for an...exploit that could...compromise iOS 9 devices. ... Its customers...include "government organizations"...according to the company's website. ... The files leaked last year from...Hacking Team included a [list of] exploits offered for sale by...Vulnerabilities Brokerage. ... Hacking Team sells its...software to law enforcement...with exploits that can be used to silently deploy.
Some software vendors...pay hackers for privately reporting vulnerabilities. ... However, the rewards...cannot compete with the amounts...governments can...pay for the same flaws.
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or email@example.com.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.