The FBI paid hackers to break into the iPhone of the San Bernardino, California, shooter, according to a news report published Tuesday in The Washington Post.
The bureau obtained the services of gray hats, the Post said, citing unnamed sources. It apparently did not get help from Cellebrite, as earlier reports had suggested.
Gray hats are hackers who sell flaws to governments or companies that make surveillance tools.
The FBI would not confirm that it had turned to gray hats, but its National Press Office directed the E-Commerce Times to a speech FBI Director James Comey made at Kenyon College last week, calling attention to his statement that someone outside the government came up with a solution that “will be closely protected, and used lawfully and appropriately.”
Comey knows about the people the FBI bought the solution from, he said, and he expressed “a high degree of confidence that they are very good at protecting it, and their motivations align with ours.”
Support for the FBI’s Actions
“The use of bad guys by the United States government, and in fact all governments, has been going on since the beginning of time,” remarked Philip Lieberman, CEO of Lieberman Software.
“I would rather live in the U.S., where safety and sanity trumps a repressive government that implements an idealistic set of privacy laws that end up putting my life at risk,” he told the E-Commerce Times.
U.S. policy holds that the government’s need to protect citizens trumps privacy rights, while the UK and the EU take the opposite tack, “which has resulted in unintended consequences of death and destruction due to laws that protect criminals and psychopaths and criminalize breaches of privacy to the degree that potentially saving the lives of others is a criminal act,” Lieberman said.
“When it comes to justice, the FBI should be able to use whatever resources necessary in its pursuit of information,” argued Brad Bussie, director of product management at Stealthbits Technologies.
The gray hat is a contractor, and “I’m more interested in how closely the FBI will be watching its new contractor to see if they try to make more money with the technique that was used on the terrorist’s iPhone,” he told the E-Commerce Times.
The Other Side of the Argument
“From a macro perspective, it’s incredibly stupid” to work with the gray hats, argued Rob Enderle, principal analyst at the Enderle Group.
“It’s in line with negotiating with terrorists or kidnappers,” he told the E-Commerce Times. “The larger outcome is generally worse than the specific problem the effort’s attempting to address.”
If true, the action “comes uncomfortably close to blackmail,” Enderle suggested. “The implicit threat is that, if you don’t do what we ask, we will open your platform to attackers harming your customers and putting your business at risk.”
The problem is, the ethics have “an extremely fuzzy boundary,” Craig Kensek, security expert at Lastline, pointed out.
“There are people who will say once you’ve gone black or gray, you’ll always go back,” he told the E-Commerce Times.
If the FBI pays researchers to discover vulnerabilities and then reports them to the vendors, it’s participating in beneficial vulnerability research, suggested Tim Erlin, director of IT security and risk strategy for Tripwire.
However, “choosing to not disclose discovered vulnerabilities to the vendors simply ensures that risk remains in the market,” he told the E-Commerce Times.
The FBI has not decided whether to disclose the vulnerability to Apple. In the meantime, it reportedly has written to local police departments offering its help to crack iPhones of suspects.