FBI Director Comey Cool with Paying $1M for iPhone Hack

| News

How much is a hack worth that gets you into an iPhone without any useful data on it? If you're the FBI, that'll be at least US$1.3 million. And according to FBI Director James Comey, it was money well spent.

Director Comey said that's how much the government paid for the exploit that got agents into the San Bernardino shooter's iPhone 5c. He said the cost was worth it because the FBI will be able to use the technique to get into more iPhones running iOS 9.

FBI paid over $1 million for San Bernardino iPhone hackFBI paid over $1 million for San Bernardino iPhone hack

Director Comey didn't say exactly how much the FBI paid for the hack, but when asked at the Aspen Security Forum in London on Thursday he said, "A lot. More than I will make in the remainder of this job, which is seven years and four months for sure."

According to Reuters, his current salary is $183,300 a year. Doing the math, that means the FBI paid at least $1.314 million for the hack.

The iPhone was recovered from Syed Farook and his wife, Tashfeen Malik, after they were killed in a shootout with police. The two opened fire on their San Bernardino county coworkers last December, killing 14 and injuring 22.

Law enforcement wanted Apple to help unlock the iPhone, which had been issued to Mr. Farook as part of his job with the county. Apple said it didn't have any way to access the encrypted data on the device, so the FBI obtained a court order telling Apple to create a version of iOS that didn't include the safeguards preventing brute force attacks on passcodes.

Apple said complying with the order would be inappropriate because the government doesn't have the authority to force companies to create tools to bypass their own security features and encryption. Apple also said complying would set a dangerous precedent where other companies could be forced to do the same, or create backdoors into their own encryption.

The FBI eventually dropped its legal fight after obtaining a hacking tool from an unidentified third party—a tool we now know cost over a million dollars. The agency confirmed this week there wasn't any useful data on the iPhone, which isn't surprising because that's something we already suspected and was leaked to news outlets last week.

That's a lot to pay to get into a device law enforcement already assumed didn't hold any useful information, and that should've been enrolled in the county's mobile device management system—which would've given law enforcement direct access to the iPhone's encrypted content without needing any outside help.

The FBI originally said they only wanted to get into this one iPhone, and that it was a one-off deal. That argument fell apart as similar FBI cases surfaced and other law enforcement agencies said they wanted access to encrypted iPhone data, too. The FBI already made it clear it plans to continue using the exploit it bought, and currently doesn't have any plans to share it with Apple, leaving thousands of phones at risk of attack should anyone else discover how the hack works.

Was the money the FBI shelled out for the hack worth it, even knowing Apple will likely find a way to patch the exploit soon? According to Director Comey, it was.

"It was, in my view, worth it," he said.

Popular TMO Stories



Wasn’t coming out of his pocket.


“Director Comey ... at the Aspen Security Forum in London ...


What did he do there, I sure wonder, in view of what’s apparently happening in Parliament:

UK surveillance bill will force tech companies to disclose new products before they launch (Under this Draft [url=https://privacyinternational.org/node/829#_ftn2]UK Investigatory Powers Bill…) the government will force companies operating in the UK to declare ‘products and services in advance of their launch’ to ensure police can still intercept data.  - (By Zack Whittaker, ZDNet/Zero Day | April 19, 2016):

”Internet, phone, and tech companies will have to inform the UK government of new products, services, and features ahead of their launch to ensure that they can be subject to surveillance…The policy will compel companies to inform the government of any major changes to products that may hinder or prevent police and intelligence agencies from intercepting communications or accessing stored retained data.”

“[Companies] subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the [company] to provide a technical capability on the new service,” the policy document reads… It’s seen as an effort to ensure that no product or service can include unbreakable or end-to-end encryption, which can make state surveillance difficult.”

“US tech companies are also far from happy with the bill, arguing that it would among other things undermine strong encryption… Any company with operations in the UK—including Apple, Facebook, Google, Microsoft, and Twitter, which have submitted written evidence calling on the British lawmakers to revise the bill—would have to comply with the rules.”

“The tech companies will have little say and the Government say explicitly they have the power to bring legal action against them if they do not comply,” said Millie Graham Wood, a legal officer at Privacy International… companies who face demands under the bill by the government would have no recourse or judicial oversight.”

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account