FBI Hints It Paid Hackers $1 Million to Get Into San Bernardino iPhone
April 22, 2016
Shah Sheikh (1294 articles)

FBI Hints It Paid Hackers $1 Million to Get Into San Bernardino iPhone

When the FBI dropped its case against Apple last month after announcing that it had purchased a hacking solution to get into the locked iPhone belonging to one of the alleged San Bernardino shooters, the bureau wouldn’t say where it had bought the mysterious solution.

But today during an interview at the Aspen Security Forum in London, FBI Director James Comey dropped a hint about the hefty price tag tax payers shelled out for that solution.

Asked how much the FBI paid for the zero-day vulnerability that allowed the FBI to crack the password on the iPhone, Comey replied: “A lot. More than I will make in the remainder of this job, which is seven years and four months for sure.”

Comey, according to public records, earned $183,000 last year, which would indicate that the feds paid more than $1.2 million for a solution to crack the San Bernardino phone, if Comey’s math is correct.

And that would be paying $1.2 million for nothing useful, since the FBI reportedly gathered nothing significant from the San Bernardino phone after cracking the password. That cost doesn’t include the other money the feds spent litigating the issue with Apple, before abruptly dropping the case.

The solution also works only on an Apple 5c, not on later versions of Apple’s iPhone such as the 6 and 6s, making the price even less practical.

Comey said the hefty price tag for the zero day was “worth it,” however. “Because it’s a tool that helps us with a 5c running iOS 9, which is a bit of a corner case … but I think it’s very, very important that we get into that device.” [See video of interview below beginning at 20:35.]

Andrew Crocker a staff attorney with the Electronic Frontier Foundation, says the San Bernardino case highlights the need for oversight of the government’s purchase and use of zero days.

“The fact that it was not useful is the biggest headline to me,” says Crocker told WIRED. “It’s a lot of money, but there’s nothing to compare it to. There’s no insight into how this fits into the [government] market for vulnerabilities. If the government is going to continue on a course of spending a lot of money on vulnerabilities that are perhaps not useful or short-lived, it’s the sort of thing that Congress should have some oversight on it.”

Put into context, the amount the FBI paid for this zero day is a small but significant fraction of the $25 million the NSA shelled out during the entire year of 2013 for zero-day vulnerabilities used to hack into the systems of adversaries.

It’s also very close to the $1 million price tag that the zero-day broker Zerodium says it paid an unknown seller for an iOS 9 zero day late last year. Zerodium’s bounty, however, went for a zero day that can be used to infect a phone when it’s tricked into visiting a malicious web site, whereas in the San Bernardino case, the FBI needed a zero day that would allow them to bypass the password and security features on an inactive iPhone.

Zero days can sell for anywhere between $500 to more than $1 million, depending on the nature of the vulnerability, the number of devices it affects, and other factors. Zero days are sold on a number of markets, including in the white market bug bounty programs offered by software makers, the black market that sells to criminal hackers, and the gray market, where brokers and others sell to governments and intelligence agencies.

The security community has criticized the US government for its policy of withholding information about zero days to use them for hacking, instead of disclosing them to vendors so that the holes can be patched. The government has insisted that it doesn’t stockpile zero days but only holds onto about 10 percent of the bugs it finds or buys, disclosing the rest to be patched.

The FBI has said that it is unable to disclose the zero day it used in the San Bernardino case, however, because the party that sold it to the feds did not give the feds permission to disclose it. This is likely because the seller plans to resell the zero day to other parties as well.

Comey said today during the interview that all the controversy and attention around the San Bernardino case had “stimulated a bit of a marketplace around the world, which didn’t exist before then, for people to try and figure out if they could break into an Apple 5c running iOS 9.” As a result of that attention, “somebody approached us from outside the government and said, ‘we think we’ve come up with a solution.’”

Asked if the FBI is now crowdsourcing a solution to get into the latest version of iPhones, the iPhone 6 and 6s, Comey said no. “[I]t just doesn’t seem to make a lot of sense to me that the way we’re going to resolve a conflict that implicates values and our hardest work is that the government is going to try and pay lots of money to get people to break into devices and find vulnerabilities—that seems like a backwards way to approach it.” he said.

With 18,000 law enforcement agencies in the US, all of whom face similar problems getting into phones, “us buying a tool for a 5c iOS 9 is not scalable, and nor could all of those departments afford to pay what we had to invest in this investigation,” Comey said. “So I’m hoping that we can somehow get to a place where we have a sensible solution or set of solutions that doesn’t involve hacking, and doesn’t involve spending tons of money that isn’t scalable.”

Source | Wired