FBI Paid $900K for San Bernardino iPhone Hack

Cellebrite's servers hit with data breach

The FBI refused to ever share how much it paid for the hack into San Bernardino shooter Syed Farook’s iPhone, but thanks to Senator Diane Feinstein (D-CA) we now know the price was US$900,000. The Senator accidentally spilled the beans during a Judiciary Committee meeting on accessing encrypted data on smartphones and personal computers.

Cellebrite's servers hit with data breach
FBI’s San Bernardino iPhone hack cost $900,000

The $900,000 price tag, as well as the name of the company the FBI paid, was classified information—at least until Senator Feinstein shared the number while questioning FBI Director James Comey. She said,

I was so struck when San Bernardino happened and you made overtures to allow that device to be opened, and then the FBI had to spend $900,000 to hack it open. And as I subsequently learned of some of the reason for it, there were good reasons to get into that device.

The FBI Versus iPhone Encryption

The phone she referred to had been issued to Farook by his employer, San Bernardino County. Farook and his wife, Tashfeen Malik, opened fire on their coworkers during a holiday party in December 2015. They killed 14 people and injured 22 others.

The two were killed later that day in a shootout with police. Law enforcement recovered the county-issued iPhone, but found Farook and Malik had destroyed their personal phones and computers.

No one knew the passcode for the iPhone 5c in Farook’s possession, so the FBI turned to Apple for help. Apple was able to recover data from the iCloud account linked to the iPhone, but didn’t have any way to bypass the on-device encryption.

When Apple hit the device passcode roadblock, the FBI obtained a court order compelling the company to make a version of iOS without the security measures that keep hackers out. The FBI said the hackable iOS version would be used only on Farook’s iPhone.

Apple refused, kicking off a very public battle between the company and FBI over our security and our privacy rights. That fight ended abruptly only hours before a court hearing over whether or not Apple had to comply when the FBI said it found a way into the iPhone.

FBI Director Comey said the agency paid an unnamed company for the hack, so Apple’s sell secure operating system wasn’t necessary for the case. He said the hack cost less than a million dollars, but wouldn’t elaborate on the actual cost or who the seller was. The evidence points strongly to Cellebrite as the seller, although the actual company name is still classified.

The Cost for Hacking iPhones

Now it seems we know just how much the FBI paid for its iPhone hack. Considering there wasn’t any useful information on the phone, just as law enforcement suspected, that dollar figure is about the only thing of value that’s come from the phone so far.

Feinstein’s classified information slip up came as she was pushing to revive her bill requiring companies to create ways for law enforcement to access encrypted data on our personal devices. Director Comey is supporting her efforts saying it’s necessary to track down criminals and terrorists.

He claims the FBI isn’t asking for a back door into our data, although it sounds like that’s exactly what he wants. Intentionally creating a way to bypass the encryption on our electronic devices is the very definition of a back door.

The Senator’s bill fizzled out last year when it failed to gain real support. Hopefully that’s exactly what will happen again this year, too.

[Thanks to CNBC for the heads up]

5 thoughts on “FBI Paid $900K for San Bernardino iPhone Hack

  • Osama bin Laden pulled off a great victory by causing us to spend trillions of dollars on security stuff

    An effective tactic, the Soviet Union broke up in part because we bankrupted them during the Cold War arms race. In the end we got Osama bin Laden, though that certainly didn’t stop terrorism and now Russia is once again a concern.

  • Yeah, they would want to unlock the phone for every traffic stop. Any smart terrorist cell is going to be compartmentalized and tough to trace, lone wolves are a problem.

  • Lee: I hear you. But I don’t buy the oft-repeated “going dark” mantra with regard to phones. Police and the FBI have lots of ways of gathering information – many more than previously – and it is by no means clear to me that the “unlock any phone” requirement is wise or justified. Actually I believe that it is not.

    There is a balance between protection and access, as you say, and doing weak encryption or “golden keys” has been shown to be an easy path to serious compromise for all sorts of online activity. Banking and e-commerce don’t do well in a weak-security environment. Our collective task is to find the balance. Law enforcement keeps peddling the “sack of fear” for terrorism but the larger threat is to the business and commerce sector.

    Osama bin Laden pulled off a great victory by causing us to spend trillions of dollars on security stuff – at the cost of a million or so. Great ROI. Let’s not let their successors run the same scam.

  • “The Senator accidentally spilled the beans …”
    Do we know whether it was an accident or not?

    “The $900,000 price tag, as well as the name of the company the FBI paid, was classified information …”
    How do we know that it was “classified” ?? It was indeed private and unreleased but how do we know it was classified? These are not the same – not at all.

  • There needs to be a balance here somewhere. I don’t want the backdoor because the thieves will also use it, but I also want the phone examined when involved in criminal acts. I don’t know the answer, I am just saying there needs to be a balance.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.