FBI paid top dollar to hack San Bernardino shooter's iPhone

The FBI has given a clue as to how much it paid an undisclosed hacker to break into the San Bernardino, Calif., shooter's iPhone after Apple refused to help. 

Matthias Schrader/AP/File
People wait in front of an Apple store in Munich, Germany before the worldwide launch of the iPhone 6s in September 2015. The FBI has given a clue as to how much it paid an undisclosed hacker to break into an iPhone of an attacker in the San Bernardino, Calif., mass shooting.

Searching for the holes that allow a hacker to break into software code has gone from being a quirky activity to a legitimate and lucrative business. 

Asked how much the FBI paid for the hacking job into the iPhone 5c used by an attacker in the mass shooting in San Bernardino, Calif., FBI Director James B. Comey Jr. first said, "A lot." 

More specifically, he said the FBI paid "more than I will make in the remainder of this job, which is seven years and four months, for sure." His annual salary is around $185,100, which suggests the bounty is at least $1.35 million, Eric Lichtblau and Katie Benner reported for The New York Times.

The revelation follows weeks of controversy after the Justice Department tried to force Apple to design a security override, as the tech company's resistance launched a debate over cybersecurity.

Some have suggested $1.35 million is a low estimate, but either way, the FBI paid a high price in a field that is growing larger and more expensive as security vulnerabilities become more valuable to criminals and law enforcement alike.

US firm Zerodium offered bounties of $1 million each for any "working exploit" providing a yet-undiscovered pathway into Apple's latest mobile operating system, The Christian Science Monitor reported.

A high price tag for hacking jobs such as this is not uncommon. Scrupulous hackers who tell companies where their security vulnerabilities are so they can fix them are becoming established in the field of cybersecurity, Paul Roberts wrote for the Monitor:

In the past decade, a growing, global marketplace for software vulnerabilities has transformed a talent for sniffing out security holes in software from a resume bullet point to something akin to Stephen Curry's jump shot or Novak Djokovic's serve: a rare skill that commands a high price. But with everything from software publishers to spy agencies and shadowy cyberarms dealers competing for prized vulnerabilities, experts warn that there are both risks and rewards for both society and the economy in what is quickly becoming a Gold Rush for the Digital Age.

The market is becoming more complex as the monetary opportunities increase, with companies such as HackerOne and Bug Bounty HQ providing a platform to connect talented hackers with companies wanting to test their security.

"It's like finding a gold nugget," Mark Litchfield, a security researcher who once netted $63,000 from the legitimate bug-finding program of a single company, told the Monitor. "Sometimes it's like finding my own gold mine."

The prices are high because talented hackers have so many potential buyers. Some talented bug finders are compelled by conscience to report security flaws only to the companies that can fix them, but others must be motivated by a lucrative bounty. Companies that ask hackers to report their findings tend to pay less than criminals or intelligence officials (Microsoft's fee of $100,000, for example, is considered high).

This means the FBI's undisclosed payout may have been the most expensive publicized hack in history, Reuters reported. It is easy to see why asking Apple to simply override its own security, had the tech company been willing, would have been much cheaper. 
