FBI paid professional hackers one-time fee to crack San Bernardino iPhone

“The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter,” Ellen Nakashima reports for The Washington Post. “The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.”

“The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution,” Nakashima reports. “The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.”

“The people who helped the U.S. government come from the sometimes shadowy world of hackers and security researchers who profit from finding flaws in companies’ software or systems,” Nakashima reports. “Some hackers, known as ‘white hats,’ disclose the vulnerabilities to the firms responsible for the software or to the public so they can be fixed and are generally regarded as ethical. Others, called ‘black hats,’ use the information to hack networks and steal people’s personal information. At least one of the people who helped the FBI in the San Bernardino case falls into a third category [‘gray hats’], often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.”

Read more in the full article here.

MacDailyNews Take: Even without utilizing Cellebrite, with the FBI director confirming that the hack only works on older iPhones, it’s quite obvious that Apple’s Secure Enclave is the difference maker.

Apple devices with the Secure Enclave include any device with the Apple A7 chip or later:

• iPhone 5S
• iPhone 6
• iPhone 6 Plus
• iPhone 6s
• iPhone 6s Plus
• iPhone SE

• iPod touch (6th generation)

• iPad Air
• iPad Air 2
• iPad mini 2
• iPad mini 3
• iPad mini 4
• 9.7-inch iPad Pro
• 12.9-inch iPad Pro


  1. I doubt the veracity of this story. The fib probably used Cellebrite but does t want to tell Apple. There is something inherently evil with a government law enforcement agency using hackers, who constantly break the law, to hack a American company’s hardware and software.

    1. I’m thinking more “incompetent” than “evil.”

      Does the FBI realize how dopey this whole sordid affair makes them look? They wasted all that time/money in court when a simple one-time-fee to a hacker would have sufficed. I mean, don’t they have ANYONE on staff with these kind of skills in 2016?

    2. How is using a Criminal Grey or Black hat cracker going to be useful? Any data extracted from that iPhone 5C that might result in an arrest and trial of a suspect will be hopelessly compromised by the source of the hack. The cracker is not a qualified forensic laboratory the prosecutor can bring into court to testify with any hope of surviving cross-examination.

      “Sir, what is your certification as a Forensic IT examiner?”

      “None. I’m a hacker.”

      “What evidence of expertise do you bring to this court to demonstrate your ability?”

      “Well, I found the vulnerability and developed the exploit that infected 100 million Android phones that allowed PirateJoe to steal $2 billion from their owners bank accounts last year! I’m pretty proud of that. He paid me $100,000 for that vuln! And just last month, I created a really cool hack into Windows 10 that bypasses their anti-virus and looks for credit card and ID info on users, then connects to a remote server. That one I sold to a guy in Siberia. It should be good for a couple of weeks before the AV people detect it when it gets put on line and Microsoft patches it. That one I got $50K for.”

      “I see. So do you consider yourself a black hat or a white hat?”

      “Oh, I’m more of a gray hat. I found this sorta vuln in FLASH that could kinda turn into a exploit if you looked at it sideways while playing one of their games. Adobe paid me $2000 for that one. See I play both sides. . . and of course the FBI paid me to see what I could do with this iPhone thing. ”

      “Given your history, why didn’t the FBI arrest you?”

      “Oh, because, I could open the iPhone for them.”

    1. General Clapper (current Director of the NSA) is a liar. He’s dangerous in the sense that anything he says is NOT to be believed.

      FBI Director Comey, however, is a fumbler with a penchant for using emotional rhetoric to get his way. I consider him to be deceitful, rather than a blatant liar. He’s a snake, writhing around within the scene, hard to hold onto.

      Both men are untrustworthy. Why either of them are ‘serving’ in my government is beyond my comprehension. I want them both thrown out.

      1. A snake indeed…but if not for the snake would Eve have eaten the apple and would life be a garden of Eden?

        I’m with you on throwing them both out for sure, but the liat is long…

        1. That he could outright and directly lie to Congress, video recorded, for the world to see, and NOT at least be arrested and prosecuted for perjury (the lightest possible prosecution under the circumstances) SHOUTS the corruption in the current US government.

          I’ll stop there before I start making lists.

  2. Sure shows the level of power of the suggestive media: “The bureau in this case did not need the services of the Israeli firm Cellebrite, as some earlier reports had suggested, people familiar with the matter said.”

    How many jumped and humped on that bandwagon, distracted by the smoke and mirrors.

    Corruption and mass manipulation is one thing that needs no reporting. It would require too many facts, the antithesis of modern day journanalism.

      1. This wouldn’t have helped much.

        Changing the iCloud passcode without changing it on the iPhone doesn’t magically result in the iPhone backing up to iCloud, since it’s still got the old iCloud passcode.

        The login PIN in the iPhone still wasn’t known to them anyway.

  3. Based on what the article said. It would seem there’s a way to prevent a phone from invoking the erasure of the encryption key, after X failed entries of a pin.

    I may have read this wrong. It may have nothing to do with the secure enclave.

    This is a hardware attack, that the FBI explicitly asked for, from Apple.

    Does it not read that way? Help me, if I got it wrong.

    1. There is no secure enclave on the iPhone 5C. Rule that out in this case.

      You may be right about the ’10 tries, you’re out!’ situation. But there is nothing specific stated that this was related to the hack. There have been proposals of other methods of cracking into the 5C. But I had the sense, reading the article, that yet another method of cracking into the phone was being used: ‘…at least one previously unknown software flaw….’

  4. Murky.

    Hackers have important roles to play in technology. Outlawing hacking would have, ironically, meant the FBI could not have cracked into the San Bernardino iPhone.

    I bet that blows the little minds of our tech-ignorant elected officials and their minions.

  5. It is a painstaking job to hack to iPhone, he couldn’t have made away with the pass codes that easy. My hacker; Ben, took 12 hours to hijack my ex’s iPhone some months ago, despite being skillful and hardworking…you can contact him on geniushack08@gmail.com for services at it professional peak.

  6. Basically (bestethicalhackers@gmail.com) just helps you out with whatever hacking or spying activity
    Stay classified stay certified, call (302) 365-0294
    Thank me later..

  7. Basically (bestethicalhackers@gmail.com)he just helps you out with whatever hacking or spying activity
    Stay classified stay certified, call (302) 365-0294
    Thank me later..

  8. I am gladly referring and recommending ( your-safety@gmx.us ) for a all clean good job. I have used this Ethical Hacker & Pentester Pro for my company 2 Times. He is relisble and swift. You will come back to thank me later…

    N: B

    Please be watchful of who you contact here… so many fake people up here lol.. some self proclaimed hackers here don’t even spell check lol .. Choose Wisely!!


Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.