Was the Federal Bureau of Investigation justified in paying over $1.3 million for a hacking tool that opened the iPhone 5c of the San Bernardino shooter? For some in the security community the answer is a resounding yes. For others, the answer is not so clear-cut.
FBI Director James Comey said on Thursday the agency paid an undisclosed third-party more than he will make in seven years at his job. That comes out to about $1.3 million. Revelations of the large payout are raising eyebrows in security circles at the same time ruffling feathers with policy makers as the topic re-sparks old zero-day debates.
“It’s a pretty expensive vulnerability,” said Karl Sigler, threat intelligence manager at Trustwave. “But the market is all about supply and demand. Demand for zero days is high and the supply of them is very low,” he said. Add in the US government, with a huge budget, and the price doesn’t surprise Sigler at all.
Zero-day exploits can sell for between $500 to $1 million, depending on the on the exploit and affected product. Zero-day broker Zerodium says it paid $1 million to for an iOS 9 zero day last year to an unknown seller. In that case, the exploit required the iPhone to be unlocked and the user to visit the exploit code with a web browser.
“In the San Bernardino case, the FBI paid just a bit more to defeat a locked iPhone, which was absolutely novel and makes the price seem even more justified,” said Don Jackson, senior threat researcher at the security firm Damballa. He said that iOS zero-day exploits fetch some of the highest prices in gray and black markets where brokers sell exploits to governments, intelligence agencies and criminals.
Ted Ross, CEO of Exodus Intelligence, which has its own vulnerability purchasing program, is in favor of the FBI’s reliance on zero-day community. He said it’s unrealistic to think that the US government alone can solve cyber security issues.
“A solution (in cases like this) will only work with good collaboration between government and industry,” Ross said.
“I would actually think this is much more cost efficient to purchase the capability rather than it would be to hire, train and retain the talent capable of such research,” said Logan Brown, president of Exodus Intelligence. “There is a very finite amount of people in the world that can do this research. Recruiting, paying, and retaining these elite few is no easy or cheap task.”
For those on the other side of the debate, critical of the FBI’s $1.3 million payout, they see the move as counter intuitive when it comes to security and government spending.
“I don’t think relying on a third party is a good model,” said Representative Diana DeGette, a Democrat from Colorado. She spoke during a House Energy and Commerce Committee hearing on the ongoing encryption debate on Tuesday and questioned if the reliance of a third-party created security risks. She argued, entrusting un-vetted hackers and with sensitive and valuable data sets a bad precedent.
DeGette blasted the FBI asking why the government couldn’t defeat commercial encryption on its own. Amy Hess, the FBI’s executive assistant director for science and technology, said the FBI needed hackers to keep pace with tech firms.
That’s not to say the FBI and DOJ don’t have significant technical expertise, said Kenneth White, security researcher and director of the Open Crypto Audit Project. “It’s fairly commonplace for law enforcement to rely on outside experts for many forensics resources, particularly in investigations involving mobile and app security,” White said.
Trustwave’s Sigler said the FBI has a talent deficiency when it comes to vulnerability-discovery because of its over reliance on court orders. “Having a team or even a single person with the skills of vulnerability discovery, reverse engineering and exploit development probably isn’t a need the FBI runs into on a regular basis, especially when it has typically been able to accomplish the same thing with nothing more than a court demand or warrant.”
For Andrew Crocker a staff attorney with the Electronic Frontier Foundation, the FBI’s $1.3 million payout raises questions regarding the practical limits on the government’s use of zero day flaws. “EFF believes that much more oversight of the government’s use of vulnerabilities is needed,” Crocker wrote earlier this month in an EFF staff note. “There should be a very strong bias in favor of informing Apple of the vulnerability. That would allow Apple to fix the flaw and protect the security of all its users,” he wrote in a separate post.
There are no easy answers in balancing national security intelligence techniques with the safety and security of the US and its allies, White said. “The argument for sharing vulnerability information is that what the FBI can purchase, so can anyone else,” White said. “One key dimension in this case is that whatever exploit has been developed or purchased requires physical access to a device, so in principle, the scope of damage is much more limited than a remotely exploitable bug,” he said.
A resolution to the zero-day debate is not in the cards for the foreseeable future, Logan said.
“There will never be a shortage of bad code, and there will never be a shortage of malicious people and groups… Zero-day research is the aftermath of bad coding practices, and until code is regulated, there will continue to be a high demand for zero-day research.”