FILE - This Feb. 17, 2016, file photo shows an iPhone in Washington. The government hack of an iPhone used by a San Bernardino killer serves as a reminder that phones and other electronic devices aren’t impenetrable vaults. While most people aren’t in danger of being hacked by the NSA, FBI or a foreign government, there are hackers out there looking to steal the financial and personal information of ordinary people. (AP Photo/Carolyn Kaster, File)

By Ellen Nakashima
April 12, 2016 at 7:30 PM

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.

The U.S. government now has to weigh whether to disclose the flaws to Apple, a decision that probably will be made by a White House-led group.

The people who helped the U.S. government come from the sometimes shadowy world of hackers and security researchers who profit from finding flaws in companies’ software or systems.

Some hackers, known as “white hats,” disclose the vulnerabilities to the firms responsible for the software or to the public so they can be fixed and are generally regarded as ethical. Others, called “black hats,” use the information to hack networks and steal people’s personal information.

At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.

This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States. These researchers do not disclose the flaws to the companies responsible for the software, as the exploits’ value depends on the software remaining vulnerable.

In the case of the San Bernardino iPhone, the solution brought to the bureau has limited shelf life.
