April 26, 2016
On April 12, the Washington Post reported that the FBI paid researchers a one-time fee to use secretly developed hardware to help them access information on one of the San Bernardino, California assailants’ iPhone. I’m calling them “researchers” not “hackers” to make it clear that individuals who provide this information, or these services, aren’t the stereotypical criminals in hoodies, sitting in a basement. Finding and selling vulnerabilities is actually a lucrative business opportunity for both individuals and for specialized companies. From multiple lawsuits and leaked documents, it’s clear that U.S. law enforcement (and intelligence) agencies buy hacking tools all the time. The difference here is that the government publicly acknowledged that they needed access to these skills, and that they could only get them from the private sector.
Companies, ranging from Microsoft to Uber, also have formalized programs that they use to attract researchers who find flaws in their soft- and hardware, and then pay out cash bonuses to incentivize disclosure of those vulnerabilities. Called “Vulnerability Rewards Programs,” or the more catchy “Bug Bounty Programs,” some of these schemes pay out hundreds of thousands of dollars to experts outside of the formal information security market. Companies are in a constant battle to secure their products, and bounties are seen as one way to attract the best and the brightest eyes and to find a greater number of bugs before they can be exploited. It is worth noting that Apple doesn’t have a formal rewards program, making it an outlier among similar large technology companies.
Just like in the corporate world, the U.S. government pays out big bucks for information about vulnerabilities in soft- and hardware, as well as for tools to exploit those vulnerabilities. Certain Snowden docs, and the data breaches of companies like Hacking Team, whose customers include the DEA, the FBI and Department of Defense, detail the government’s stockpiled stash of vulns. But, after the FBI withdrew requests for Apple to provide access to the infamous iPhone, and they had publicly requested assistance in accessing the content on the phone, it was clear that they had successfully purchased a specific vulnerability on the open market.
This has never happened before. In no case (that we are aware of) has the government publicly announced they are seeking someone from outside their establishment to crack a consumer product. Is this a new trend where, like private vulns rewards programs, open calls are issued to the communities it usually shies away from? Or is it a unique case because of the profile of the specific investigation and the fact that the FBI had already backed itself into a corner by issuing their earlier court order? Regardless, a line has been crossed - the government has abandoned secrecy in its search for vulnerabilities.
But, unlike bounty programs or private vulnerabilities firms that sell their products to companies for patching, every iPhone user in the United States (some 94 million, as of March 2015) knows that the U.S. government is willing, and able, to buy its way into our phones for investigative purposes. We already knew that the government sought these vulnerabilities in secret from private research firms, but now we know of at least one case where law enforcement was willing to make its intentions public in order to access a specific mobile device.
The trend is shifting, both within the private sector and government agencies, towards engaging researchers and non-traditional organizations to harness their unique skill at discovering vulnerabilities. But, in the case of corporate bug bounty programs, the goal has been to make software more secure for everyone - which is definitely not what the government is attempting to do. In fact, when asked to turn over their information about the weakness in Apple software so that the vulnerability can be patched, they said that they can’t - the company that supplied the technology didn’t provide them with information as to how it works. It remains to be seen how the government will reconcile the tension between fulfilling an accepted best practice of disclosing this vulnerability to Apple and keeping its options open in order to access future phones this way. Whatever the government’s next step, the vulnerabilities research community will be watching.