The FBI paid hackers to break into the iPhone of the San Bernardino, California, shooter, according to a news report published Tuesday in The Washington Post.
The bureau obtained the services of gray hats, the Post said, citing unnamed sources. It apparently did not get help from Cellebrite, as earlier reports had suggested.
Gray hats are hackers who sell flaws to governments or companies that make surveillance tools.
The FBI would not confirm that it had turned to gray hats, but its National Press Office directed the E-Commerce Times to a speech FBI Director James Comey made at Kenyon College last week, calling attention to his statement that someone outside the government came up with a solution that "will be closely protected, and used lawfully and appropriately."
Comey knows about the people the FBI bought the solution from, he said, and he expressed "a high degree of confidence that they are very good at protecting it, and their motivations align with ours."
"The use of bad guys by the United States government, and in fact all governments, has been going on since the beginning of time," remarked Philip Lieberman, CEO of Lieberman Software.
"I would rather live in the U.S., where safety and sanity trumps a repressive government that implements an idealistic set of privacy laws that end up putting my life at risk," he told the E-Commerce Times.
U.S. policy holds that the government's need to protect citizens trumps privacy rights, while the UK and the EU take the opposite tack, "which has resulted in unintended consequences of death and destruction due to laws that protect criminals and psychopaths and criminalize breaches of privacy to the degree that potentially saving the lives of others is a criminal act," Lieberman said.
The gray hat is a contractor, and "I'm more interested in how closely the FBI will be watching its new contractor to see if they try to make more money with the technique that was used on the terrorist's iPhone," he told the E-Commerce Times.
"From a macro perspective, it's incredibly stupid" to work with the gray hats, argued Rob Enderle, principal analyst at the Enderle Group.
"It's in line with negotiating with terrorists or kidnappers," he told the E-Commerce Times. "The larger outcome is generally worse than the specific problem the effort's attempting to address."
If true, the action "comes uncomfortably close to blackmail," Enderle suggested. "The implicit threat is that, if you don't do what we ask, we will open your platform to attackers harming your customers and putting your business at risk."
The problem is, the ethics have "an extremely fuzzy boundary," Craig Kensek, security expert at Lastline, pointed out.
"There are people who will say once you've gone black or gray, you'll always go back," he told the E-Commerce Times.
If the FBI pays researchers to discover vulnerabilities and then reports them to the vendors, it's participating in beneficial vulnerability research, suggested Tim Erlin, director of IT security and risk strategy for Tripwire.
However, "choosing to not disclose discovered vulnerabilities to the vendors simply ensures that risk remains in the market," he told the E-Commerce Times.
The FBI has not decided whether to disclose the vulnerability to Apple. In the meantime, it reportedly has written to local police departments offering its help to crack iPhones of suspects.