The U.S. government paid a steep price to hackers earlier this year to help it break into an iPhone used by one of the San Bernardino shooters.
The most recent credible report pegs the price the government paid at “under $1 million,” but comments by FBI director James Comey peg the price as being at least $1.3 million.
It was the latest sign that there is, in fact, a black market for software vulnerabilities – and the price for an iPhone vulnerability can be quite steep.
And now, we know what a top Apple security engineer thinks about the black market for iPhone hacks.
Ivan Krstić, head of security engineering and architecture for Apple, addressed the secondary market for iPhone “vulnerabilities” (or, “zero-days,” as security insiders call them) in a talk given at Apple’s annual conference last month about how Apple sees security as a design philosophy.
It’s difficult to measure security performance with objective statistics, Krstić explains, so he uses “indirect metrics” to evaluate how well Apple’s security team is doing.
One of those metrics is the black market prices for iPhone hacks.
It turns out, Apple likes the fact that the prices for iPhone hacks are high – because it means they’re rare and difficult to pull off.
“As probably most of you know, there is a black market for software vulnerabilities, and once in a while some of the prices on the black market become known,” Krstić said. “Usually these prices are tens of thousands of dollars, sometimes $100,000.”
Those are prices for software like Microsoft Windows or Google’s Android – but the prices for iPhone hacks are much, much higher.
Krstić cites two reports: In 2013, the New York Times reported that an iPhone hack sold for $500,000.
More recently, Forbes reported that the going rate for an iOS hack was $1 million.
“Take that with a grain of salt, but it’s a fascinating number to think about,” Krstić said. “What you’re seeing now is the result of a decade of our best work in protecting our users.”
During his talk, Krstić emphasized how many hacks require malicious actors to string together 5 to 10 separate bugs, partially because Apple strives to “build security into every level,” from its chips to its software.
In April, Apple said that it has “the most effective security organization in the world,” and during Krstić’s talk, he bragged that the iPhone hasn’t had a virus or malware problem at scale over the past nine years.
One way to cut down on the black market for software vulnerabilities is to offer a “bug bounty” program. So when a hacker finds a vulnerability, they don’t have to sell it to a malicious actor or the FBI – they can sell it back to the company.
Microsoft, Facebook, and Google all offer bug bounties. Apple doesn’t.
One reason could be that Apple doesn’t think it needs to. Given Apple’s high profile, they get lots of solicited and unsolicited tips on potential bugs. When someone finds a bug, Apple publicly gives them credit. Apple declined to comment on bug bounties for this article.
Plus, buying $1 million hacks could get expensive quickly.