FBI paid 'gray hat' hackers to defeat iPhone security in San Bernardino terrorism case

Tashfeen Malik, left, and Syed Farook died on Dec. 2, 2015, in a gun battle with authorities several hours after their assault on a gathering of Farook’s colleagues in San Bernardino, Calif., that left 14 people dead.

The FBI accessed the contents of a San Bernardino terrorist’s phone after receiving help from professional hackers who “discovered and brought to the bureau at least one previously unknown software flaw,” the Washington Post was first to report today.

The Israeli firm Cellebrite didn't have anything to do with it, Ellen Nakashima reported in the paper.

Cracking the older iPhone's 4-digit PIN wasn't the FBI's problem--they needed help overriding a feature on that generation of the device that wipes stored data after 10 failed passcode guesses.

The government doesn't appear to be very enthusiastic about sharing the security vulnerability with Apple, despite the fact that it places the security of an untold number of Americans at risk. A group led by the White House will likely decide whether to keep the taxpayer-funded hack secret, or whether it should be shared at least with Apple, if not with the American public. In a widely reported court battle, the Department of Justice sought to compel Apple to essentially write a government-mandated backdoor into its own product.

NYPD officer across the street from Apple's 5th Ave. store, NYC, March 11, 2016. REUTERS

NYPD officer across the street from Apple's 5th Ave. store, NYC, March 11, 2016. REUTERS

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

Apple recently said it does not plan to sue the government to force it to share the solution the FBI bought from the so-called 'gray hat' hackers, whose identities have not been disclosed. The Washington Post cites only anonymous sources. At the time of this blog post, no other news organizations have verified the identity of the hackers for hire whom the Post characterizes as "ethically murky."

"FBI paid professional hackers one-time fee to crack San Bernardino iPhone" [washington post]

And below, what does Snowden know about this that we don't? Hmmm... perhaps it means we're likely to find out what happened at one of the two big U.S. hacker cons, DEF CON or Black Hat.