WASHINGTON — The director of the F.B.I. suggested Thursday that his agency paid at least $1.3 million to an undisclosed group to help hack into the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, Calif.
At a technology conference in London, a moderator asked James B. Comey Jr., the F.B.I. chief, how much bureau officials had to pay the undisclosed outside group to demonstrate how to bypass the phone’s encryption.
“A lot,” Mr. Comey said, as audience members at the Aspen Institute event laughed.
He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.”
The F.B.I. had been unwilling to say anything at all until Thursday about how much it paid for what has become one of the world’s most publicized hacking jobs, so Mr. Comey’s cryptic comments about his own wages and the bounty quickly sent listeners scurrying in search of their calculators.
The F.B.I. director makes about $185,100 a year — so Mr. Comey stands to earn at least $1.35 million at that base rate of pay for the remainder of his 10-year term.
The F.B.I. declined to confirm or deny Thursday whether the bureau had in fact paid at least $1.3 million for the hacking, and it declined to elaborate on Mr. Comey’s suggestive remarks.
But that price tag, if confirmed, appears in line with what other companies have offered for identifying iOS vulnerabilities.
Zerodium, a security firm in Washington that collects and then sells such bugs, said last fall that it would pay $1 million for weaknesses in Apple’s iOS 9 operating system. Hackers eventually claimed that bounty. The iPhone used by the San Bernardino gunman ran iOS 9.
“A number of factors go into pricing these bounties,” said Alex Rice, the co-founder and CTO of the security start-up HackerOne, who also started Facebook’s bug bounty program. Mr. Rice said that the highest premiums were paid when the buyer didn’t intend to disclose the flaw to a party that could fix it.
“The cost of keeping a flaw secret is high,” Mr. Rice said. He added that buyers like Zerodium’s customers and the government might not work to fix problems.
When companies run bug bounty programs, they may pay about $100,000 to hackers who show them system vulnerabilities that must be fixed. “When you sell at a high price, you have to be O.K. with the possibility that the person you sold the flaw to could do something bad with it,” Mr. Rice said.
While Mr. Comey’s remarks appeared to address the lingering mystery of how much the F.B.I. paid to get into the San Bernardino phone, he said nothing that would indicate the actual identity of the outside group behind the hacking. Some media reports have named an Israeli software company that might have helped the F.B.I., but numerous law enforcement officials have said that company was not involved.
After an intense courtroom fight in Southern California, the F.B.I. disclosed three weeks ago that it had managed to get access to the data inside an iPhone 5c used by Syed Farook, one of the attackers in the San Bernardino rampage, which killed 14 people, by paying the outside group.
The Justice Department had gone to court to try to force Apple to develop a new operating system to allow access into the encrypted phone, setting off an intense national debate about privacy versus national security. But it withdrew its case after the outside party came to the F.B.I. and demonstrated a way around the phone’s internal defenses, which would have destroyed the data inside after 10 failed password attempts and would have meant longer and longer intervals in between guesses.
With those mechanisms disabled, the F.B.I. was able to use what is called a brute force attack — using computers to guess vast numbers of password combinations at once — in order to get inside the phone.
But the Justice Department is still trying to force Apple in court to help unlock encrypted phones in Brooklyn, Boston and elsewhere