FBI Reportedly Paid a Security Research Team for Vulnerability washingtonpost.com

Ellen Nakashima, Washington Post:

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said. […]

The U.S. government now has to weigh whether to disclose the flaws to Apple, a decision that probably will be made by a White House-led group.

The correct thing to do would be for either the FBI or this security research team to disclose this vulnerability to Apple so that it can be fixed, though recent reports suggest that the flaw doesn’t exist in iPhones with a Secure Enclave. Disclosure would ensure better security for everyone using an older iPhone.

The likely outcome of this is that this particular flaw, and anything else that allows the FBI to bypass security measures on any device, will be kept very close to the vest, and perhaps used as a bargaining chip for when the “Compliance with Court Orders Act of 2016” gets introduced. “We’ll turn over our records of your security vulnerabilities if you add a backdoor” seems very much like the intelligence community party line these days.