The Federal Bureau of Investigation reportedly paid more than $1.3 million for the hack it used to access the San Bernardino iPhone–and that’s probably about right.
Yesterday, the FBI director James Comey let slip how much the agency had paid an unidentified “outside party” to help it bypass security mechanisms on an iPhone 5c belonging to an assailant in the San Bernardino, California, shootings. Comey said on-stage at a conference in London that the hack cost “a lot,” and that it was more than he would make in the remainder of his posting at the agency, which he specified was seven years and four months.
The post of FBI director comes with a salary of $185,100 a year, according to the Office of Personnel Management (pdf, p. 6). Directors of the bureau are appointed by the US president to a single term of not more than 10 years. The remainder of Comey’s term would therefore pay him just over $1.3 million.
The market for previously unknown security vulnerabilities, called “zero days,” like the one the FBI paid for, is murky. But an email leak from an Italian zero-day vendor called Hacking Team in 2015 contained some revealing information about the going rate of these hacks. Researcher Vlad Tsyrklevich analyzed the emails and showed that iOS hacks were in short supply and high demand. One email exchange revealed that an iOS hack exclusively for the use of one customer cost between $1 and $2 million in 2014. Non-exclusive iOS hacks were cheaper.
The Hacking Team email cache also suggested that expensive iOS hacks were being purchased by government agencies. One exchange suggested that developer VUPEN was working on an iOS vulnerability “reserved” for a customer, which Hacking Team speculated was the US National Security Agency.
The FBI admitted it bought zero-day hacks, or “exploits,” for the first time in December 2015. The NSA spent more than $25 million buying “software vulnerabilities” from private vendors in 2014, the Washington Post reported. In February, the FBI requested an additional $38 million in next year’s budget for technology investments for its “Going Dark” initiative, to address encryption and anonymity.