Contrary to earlier reports that Israeli mobile forensics firm Cellebrite had been paid by the FBI to crack the iPhone left behind in the San Bernardino terrorism case, the phone was actually hacked by a paid, independent hacker or team of hackers, as the Washington Post now reports. These professionals are known as "gray hats" in the hacking community: they are neither the mischievous "black hats" who try to undermine corporate systems in the shadows nor the "white hats" who discover flaws and openly share them with software companies so they can be fixed, but a third group who seek to profit by selling their knowledge to governments. They identified the previously unknown flaw in the iPhone's iOS 9 software that led to the successful hack, and the feds paid them a one-time fee for their services.
According to an anonymous source familiar with the case who spoke to the Post: "The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data."
As discussed previously, the issue plaguing investigators is a safeguard built into Apple's software that not only erases all the data on a phone after too many incorrect password attempts, but also increases the amount of time necessary between attempts as more unsuccessful attempts are made.
While authorities have said that the flaw affects only a "narrow slice" of iPhones (iPhone 5C models running iOS 9), they have yet to decide whether they are going to share what they learned with Apple so that the flaw can be fixed, apparently citing potential future use of the flaw as the reason for keeping it secret.
But if they would need an entirely new solution for any other type of phone or software, this doesn't make a whole lot of sense. It would make sense, however, if they believed the flaw might carry over into newer versions of the iOS software.
Previously, in 2014, White House cybersecurity coordinator Michael Daniel said that "When we discover these vulnerabilities, there’s a very strong bias towards disclosure," noting that the economy and the government of the United States were uniquely dependent, compared to the rest of the world, on the security of its digital infrastructure.
Apple cited a deep commitment to privacy and the security of its customers in refusing a government order to assist in the hack, and the government has so far seemed less than willing to be magnanimous and disclose to Apple the flaw discovered by these paid hackers.
As Quartz notes, the government's use of these "zero-day exploits" (i.e., exploiting vulnerabilities which software companies essentially have zero days to fix) is something it has only admitted to in the last six months.
In that same 2014 interview, Daniel said, "A decision to withhold a vulnerability is not a forever decision," suggesting that the government may want to keep things secret for a time, and eventually disclose the flaw after they've gotten enough use out of it.
It remains to be seen what, if any, useful information could be found on the iPhone of San Bernardino terrorist Syed Farook. All along the FBI has been seeking answers about whether Farook and his wife acted independently, or perhaps with some direction from ISIS.