In the week since the Federal Bureau of Investigation surprised Apple by saying that it might have found its own way into the San Bernardino gunman’s smartphone, investigators have disclosed nothing about how they did it.

But that has not stopped the security industry from guessing how the iPhone’s security was defeated and who helped the FBI to uncover it.

The speculation is driven by both high-minded concern for the digital security of the public and hackers’ constant desire for bragging rights about who has managed to outsmart the rest.

Staff at Cellebrite, an Israeli mobile forensics company known to have worked for the FBI, have claimed credit in private forums for breaking into Syed Rizwan Farook’s phone, according to two people familiar with the matter. Shares in the company’s Japan-listed parent, Sun Corp, have leapt more than 60 per cent in the past week.

Cellebrite, which has declined to comment on the matter, is one of several forensic security companies specialising in extracting data from mobile devices. Law enforcement agencies look to such businesses for help when extracting data, critical to solving a case. They often pay a high price — in some cases, hundreds of thousands of dollars — for tools that can simplify cracking a smartphone. “The cops basically want push-button forensics,” says Jonathan Zdziarski, an iPhone security expert.

As well as researching vulnerabilities themselves, these groups often scour the “grey” hacker market to buy so-called “exploits” they can package up and sell to investigators or companies for security testing.

Marc Goodman, who has worked on cyber security for Interpol and the US government, says law enforcement agencies had long been in an “arms race” with device and software manufacturers to break their security. “This is where law enforcement and criminals have something in common,” he adds.

Security experts agree that if the FBI can hack into Farook’s iPhone 5c model, which was running a version of the iOS 9 software released last September, it could gain access to any other device with the same specifications — and most previous models. Some fear the repercussions of the FBI’s disclosure that a previously unknown flaw exists.

“The fact that there is a confirmed exploit there for a device is certainly going to get a lot of people to look for it,” Mr Zdziarski says. “Damage control is the real question here . . . The FBI’s biggest mistake has been assuming they can contain this.”

It is imperative for Apple to find out what the vulnerability is. Experts are divided on whether the FBI’s technique would have worked on newer iPhones released since 2013, when Apple introduced hardware protection known as a “secure enclave”.

Mr Goodman says the FBI’s method could probably not be replicated on a mass scale by cyber criminals, because it is likely to require possession of the device. Much simpler methods of tricking people into giving away the contents of their smartphones are widely available, such as persuading them to click on links containing so-called malware.

Until technology is developed to enable the hacking to be done remotely, the tactic would probably be used only by state-sponsored entities, such as the US or Chinese governments, searching for “super high-value targets” such as terrorists, he says. “It could be used if you are an American travelling in China and the Chinese want access to your phone.”

Mike Janke, chairman of Silent Circle, which makes an encrypted smartphone called the Blackphone, says he is not surprised the FBI has been able to access the phone with its “tens of millions of dollars of experts”.

He believes they copied the phone’s memory to automatically try different passcodes on the fake version without triggering the 10-passcode limit, in what is called a brute force attack. This method — sometimes known as “Nand mirroring” after the type of memory used in smartphones — might work on newer iPhones, some experts believe.

“It is not as hard as people think,” says Mr Janke. “There isn’t a phone in the world that cannot have its hard drive opened like this, all are susceptible.”

But Adam Ghetti, chief technology officer at Ionic Security, says the FBI is likely to have used a simpler method to get into the iPhone 5c, one that could not be used on newer models. In this scenario, a hacker would have to locate the part of the chip responsible for setting the 10-passcode limit and physically solder on a new connection to a program that could reset it after nine attempts.

Apple is already laying the groundwork to discover the FBI’s method in other court cases involving locked iPhones. On Friday, it wrote to the judge in a New York drugs case asking to delay proceedings in light of the Department of Justice’s sudden discovery.