When the FBI paid someone to crack the San Bernardino shooter's iPhone, it didn't just deftly bypass Apple's objections. It also made the public aware of the business side of hacking - a business that is apparently as lucrative as it is discreet. "The recent argument between Apple and the FBI over unlocking an iPhone has likely revealed to the public for the first time that companies who specialise in cracking mobile devices even exist," says Bill Anderson, chief product officer at OptioLabs, a mobile-security developer.
Everything we learn about the FBI's hackers makes the situation more intriguing. Initial reports indicated the feds were using the services of Israeli mobile forensics firm Cellebrite to crack open Syed Rizwan Farook's iPhone. Since then, a Washington Post report has claimed the FBI hired independent professional hackers, who used a zero-day exploit (a vulnerability unknown to Apple). Another April report showed that the FBI is now willing to help local law enforcement agencies around the country crack iPhones they have in evidence.
Though the FBI has remained mum on any specifics, a recent remark by FBI director James Comey suggested the fee for the hack was well over a million US dollars. Most recently, the FBI declined to divulge details to another government program (the Vulnerabilities Equities Process), claiming ignorance of how the hack actually worked.
Cellebrite, or whoever it may be, is just one company that can attempt to unlock a phone in law enforcement's possession, but now we - and profit-minded hackers - also know how profitable this business can be, points out Shane McGee, chief privacy officer at cyber-security firm FireEye. "That publicity is like a beacon to vulnerability researchers and security experts that would otherwise show little interest in hacking iOS," he says.
Beyond one phone
Farook was using an iPhone 5c, so there could be other vulnerabilities in this phone and others that have yet to be found - and possibly monetised. "While most researchers that discover vulnerabilities practise responsible disclosure and communicate those vulnerabilities to Apple so they can be patched," McGee adds, "I'm sure we'll also see some trying to sell their exploits to the highest bidder, including the Department of Justice."
Forensic scientist and iOS security expert Jonathan Zdziarski says he believes it will be business as usual for mobile forensics startups, but the veil has been lifted somewhat.
"I believe the only thing this case has done is it's made the public more aware of what goes on daily," says Lewis Daniels from Secure Any Mobile, on the business of breaking encryption. "This of course will make the hacking community more attractive," he says, "as working with the authorities to do what they have the passion for doing is a great opportunity and legal."
Sign up for MIS Asia eNewsletters.