Roughly two weeks after the FBI announced that it had cracked the San Bernardino shooter’s iPhone, the Washington Post reports that the agency didn’t engage Israeli security firm Cellebrite to assist in the case, as was widely believed. Instead, it collaborated with professional hackers.
According to the Washington Post’s sources, the hackers discovered at least one previously unknown iOS flaw, which they exploited by with the help of a custom piece of hardware that they built. It allowed the FBI to decode the iPhone’s four-digit PIN without triggering the OS’ data wiping feature.
This revelation gives the impression that like the FBI now has a master key to unlock just about any iPhone on the planet. In addition to cracking the San Bernardino handset, the agency agreed earlier this month to assist in breaking into another device identified in connection with a murder in Arkansas.
Something’s fishy about what the FBI says it can and can’t do. Last week, director James Comey said that the method would only work on iPhone 5Cs running iOS 9, which would account for only a small percentage of iPhones in the US. The device model in the Arkansas case has not been disclosed.
Relying on hackers who aren’t affiliated with the agency sounds like a risky move for the FBI, but it’s possible that it had no choice. Cellebrite, which was previously reported to be working on the San Bernardino case, said it was only capable of breaking into iPhones running iOS 8 as well as older versions of the platform.
If Apple wants to find the flaw that led to the undoing of the iPhone in the FBI’s possession, it’ll likely to have to engage in extensive testing internally, or find its own hackers to work with. Last week, Comey said that if the government discloses its method to the company, “they’re going to fix it and then we’re back where we started from.”
Another thing Apple can do is wait. On Monday, Comey noted that the government is discussing whether it should share details of the vulnerability with the company.
For its part, Apple isn’t going to sit around twiddling its thumbs. A fortnight ago, the company said in a statement, “we will continue to increase the security of our products as the threats and attacks on our data become more frequent and more sophisticated.”