FBI Bought $1M iPhone 5C Hack, But Doesn't Know How It Works

An anonymous reader writes: The FBI has no idea how the hack used in unlocking the San Bernardino shooter's iPhone 5C works, but it paid a sum less than $1m for the mechanism, according to a report. Reuters, citing several U.S. government sources, note that the government intelligence agency didn't pay a value over $1.3m for purchasing the hack from professional hackers, as previously reported by many outlets. The technique can also be used as many times as needed without further payments, the report adds. The FBI director, James Comey, said last week that the agency paid more to get into the iPhone 5C than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost more than $1.3m, based on his annual salary.

Restored from iCloud

I know what it was, they didn't find anything, so the seller just wiped the phone and restored it from the iCloud backup that they already had the password to, making the FBI think that they actually unlocked it, when in reality they did nothing.

Re:Restored from iCloud

[Lab+Rat+Jason]

Sure you're being funny, but that actually is a serious concern here: On one hand, is it forensically legitimate if they can't explain how they got the evidence? (and for that matter does the FBI even CARE about keeping it legal anymore), and on the other hand, does the FBI even know if the wool is being pulled over their eyes if they don't know how it works???

Finally, I seriously doubt they took the phone outside of an FBI facility to perform the hack, which implies that someone was brought in to the FBI facility to perform the hack... do you really think they let that person walk out without explaining how they did it? You're telling me they didn't search the hackers laptop?

It all sounds a little too implausible for me.

Re:Restored from iCloud

[gtall]

"I seriously doubt they took the phone outside of an FBI facility to perform the hack, which implies that someone was brought in to the FBI facility to perform the hack"

So, you failed Logic 101, eh?

Re:Restored from iCloud

[Bartles]

The FBI claims it doesn't know how it works (or it deliberately avoided asking or learning how it works) so it can avoid all FOIA requests pertaining to that information. This is the age of Obama and Clinton. That's how it works now.

Re:Restored from iCloud

I suspect what actually happened was more along the lines of the following:

1) Due to the increased "cooperation" between the letter agencies, the FBI identified they had a phone they wanted to unlock.
2) The FBI or one of their traitorous affiliates already HAD a method to unlock the phone, it's been demonstrated how many times now that the government develops and employs 0-day exploits in their attacks? It's not even difficult for them to target commercial platforms as they're one of the few groups that can afford the source code licenses.
3) They wanted a legal precedent, not to unlock that one phone, but to use any method necessary to unlock _any_ phone, for any reason that they could justify to a judge (or "secret" court).
4) When Apple didn't bend over and take it like the rest of the citizenry, they simply shrugged their shoulders and paid off an independent contractor like they always do. Problem solved.

Re:Restored from iCloud

[AK+Marc]

Did you forget that the Republicans ran an alzheimer's sufferer for president so "I do not recall" would be backed by medical evidence? Clinton and Obama didn't do anything that wasn't already done by Nixon and Reagan. That's why the Republicans are so mad. Using their own tactics against them isn't fair.

Re: Restored from iCloud

[Bartles]

No they didn't. He wasn't diagnosed until 1994. And as far as I know, he never testified under oath.

Re:Restored from iCloud

Maybe they're under an NDA. Law enforcement agencies who use Stingray cellphone site simulators are generally under NDA's not to reveal anything about the technology of the devices as it could violate the trade secrets of the manufacturer. It's possible that the EULA for software doesn't allow the FBI to reverse engineer it to figure out how it works.

Re: Restored from iCloud

No they didn't. He wasn't diagnosed until 1994. And as far as I know, he never testified under oath.

You didn't take the time to look? Oath

Re:Restored from iCloud

[mrchaotica]

NDAs do not and cannot be allowed to trump FOIA requests!

Re: Restored from iCloud

[AK+Marc]

Yeah, and I was never diagnosed with dyslexia, I just had a qualified person tell me that I should never get tested, because I have all the symptoms and if I were diagnosed with it, I'd end up in special ed with the people who can't dress or feed themselves (hey, it was before the enlightened times).

And plenty of people claim the symptoms were obvious, despite the cover-up of it while he was serving as president.

An did you need another link to him being sworn in? Or can we consider that issue covered?

Re:Restored from iCloud

[Obfuscant]

On one hand, is it forensically legitimate if they can't explain how they got the evidence?

"Your honor, you see, there's these spinning platters covered with magnetic material. Floating about 2 microns above the surface of these platters are some very very tiny magnetic sensors attached to a moving arm. The arm is controlled by a servo ... NRZ ... bit stuffing ... FFT ... JPEG ... CPU ... RAM ... USB ... PostScript ... photosensitive transfer belt ... toner ... fuser ... [three hours later] ... and that's how we recovered the digital photo of the defendant holding the severed head of his victim aloft like a trophy."

Defense attorney: "I move the evidence be excluded, it was clearly printed on a printer that uses PCL and not PostScript! The witness's description is technically wrong."

Sure.

I suspect that if this gets to court, everything from the phone that is actually entered as evidence will have corroboration from other sources.

Re:Restored from iCloud

Well they couldn't get in in the first place (and I had a few ideas that are very possible that would completely bypass the operating system and just get at the data (and one pass will get everything), and even though the data would be encrypted, you could brute-force attack the encryption scheme with acres of processors and get all the data in a deterministic and reasonable amount of time (the judge would be happy). And I have no doubts that there are *other government agencies*(tm) who would also have no problems opening that iphone up like a can opener and suck all the data out without batting an eye. And I don't think the FBI is all that terribly bright when it comes to those computer thingies. I think they focus on: suit,tie,gun,shoot. Maybe not in that order, but I think they don't have a lot of deep-thinking analysts over there. Its like finding a theoretical physicist that plays football. Its possible, but you would need a few dozen, not one in a million. So they paid someone. The someone showed them. There was a video, there was a paper. There was a demo and the data was retrieved. You have to pay attention, understand and think. And if things got too: "I think I understand that part", "Ok, I think I understand that part". "Ok, Jim thinks he understands that part". "I don't understand how those parts work together. " Then you have a solution that no one but the person who came up with it (and their friends) who can "do it", and a bunch of flat foots (flat feet?) who are going "just call that guy again." Its like this.

Re: Restored from iCloud

[Plus1Entropy]

He wasn't diagnosed until 1994.

That doesn't mean he didn't have it before that.

Re: Restored from iCloud

[Bartles]

OK, I'll add the qualifier. He never testified under oath as POTUS.

Re: Restored from iCloud

[Bartles]

Sure. There's nothing that says he wasn't a space alien as well.

Re: Restored from iCloud

[Plus1Entropy]

Nice strawman. Alzheimer's often goes undiagnosed until it enters the later stages and becomes more obvious. That's even true today, with much more awareness, research, and technology to help, let alone 20+ years ago.

Re: Restored from iCloud

[Obfuscant]

There's nothing that says he wasn't a space alien as well.

Nice strawman.

This entire sub-thread is a straw man and irrelevant to start with. Reagan has nothing to do with the iPhone hack or the FBI.

Alzheimer's often goes undiagnosed

And space aliens have yet to be identified despite decades of living amongst us. At least that's what the space aliens would claim. And we have a lot more awareness and technology to help us detect them today, let alone 20+ years ago. So, there's nothing to say he wasn't a space alien, either. It's just mud-slinging to make such accusations so long after the fact and without any medical evidence to back it up.

Re:Restored from iCloud

[rtb61]

The FBI are trapped, either they were stupid in their investment in failing to pay for open access to the method to ensure legal requirements when evidence is presented as being gained by this method or they are lying. The reason for the lie, they would be criminally negligent for failing to inform citizens seeking to ensure security and generate revenue by that provision of security, of the methods by which that security is broken. This also extends to individuals citizens should their phone be illegally hacked by this method. I doubt they are that stupid, so the lie, which is hugely legally problematic for them and will remain so, is the only logical conclusion. It also does not matter if they know it or not, they know someone does and they are failing to ensure the security of citizens device by obtaining that known secret and are still being criminally negligent.

Re: Restored from iCloud

No they didn't. He wasn't diagnosed until 1994.

Oh please. I don't recall if it was during his first term or his second, but I specifically remember my father, watching him speaking on the news and his surprised remark that: "the US President has Alzheimers!" He was very obviously suffering from it through most of his presidency. The decent thing to do would have been to resign as he was medically incapable of performing his duties.

Re: Restored from iCloud

No, but people of lesser color have been executed on less evidence than that.

We all know it is just a matter of getting away on a technicality.

Seriously manishs?

[110010001000]

This is the second dupe in a few hours. Seriously? Do you get paid twice every Friday?

Re:Seriously manishs?

I don't recall seeing this story before...

Re: Seriously manishs?

[Namarrgon]

This story wasn't cheap, but it can be used as many times as needed without further payments.

Re:Seriously manishs?

This is the second dupe in a few hours. Seriously? Do you get paid twice every Friday?

Yes, part of this story was posted here before. Part of the story is new.

How does it work?

[Laser_iCE]

"I do not recall."

What did yo expect?

[Lead+Butthead]

"Your tax dollars at work."

US needs to fund its own hackers.

[BoRegardless]

Given the nature of the millennial shift to electronic everything everywere, IOT, the US had better figure out how to set up its own mega sized hacking teams which aren't limited by USGovt pay grades.

Re:US needs to fund its own hackers.

They could, but they refuse to hire people who commit crimes like hacking.

Re:US needs to fund its own hackers.

they did and apple found out and it forced someone to suicide vs getting a life long black list.

Re:US needs to fund its own hackers.

AFAIK those guys work at the NSA already fund his own hackers and of them (Snowden) whistleblow most of his projects to the public.

Re:US needs to fund its own hackers.

[citation needed]

Re:US needs to fund its own hackers.

They could, but they refuse to hire people who commit crimes like hacking.

That is why these hacks are so costly, that is if you believe the article. I would have charged them 3 million even or no deal! They screwed up and acted desperate!

I love it when someone quotes someone with math in the title and numbers in the summary that when compared don't add up.

I smell bullshit.

Re:US needs to fund its own hackers.

[Imrik]

If they did that, they'd be required to inform companies of the details of the holes in their security.

Re: US needs to fund its own hackers.

One of my bosses made a sweet squirrel meme, "Oh, you're desperate. The price just doubled".

Fucking contractor quotes 7 days, gets contract, changes to 15 days.

A sucker

is born every minute

    -- Bill Gates

Re:A sucker

[QuantumLeaper]

Bill never said that, nor did PT Barnum, but it was said about Barnum's customers.

Re: A sucker

Never?
So you have heard every word that has ever been spoken by Bill Gates?
Puh-leeez, his own wife and kids can't make that claim.
That's a very common phrase that tons of people have said.

Re: A sucker

[LiENUS]

I've read aloud the Gettysburg Address. If you were quoting it would you attribute it to me? or Abraham Lincoln?

Re: A sucker

[Imrik]

Depends on my objective in quoting it.

Re: A sucker

Fuck off.

Seriously, I don't need anybody of your kind

1 - wealthy is a curse, your family is cursed - take me for example: there's a rich girl who take pills because it's a suicidal psycho because is a penis collector, she got somehow in love with my dick (probrably another girl - the only one who ever saw my dick online - told her)
2 - you made me unable to date every chick I got close, and that's is worse than raping babies before wating them bc the meat gets more chewye
3 - you can get the same tap on your back and together with a "good luck" charm when you use heroin.

The best part of FBI is that they have hire developers who their hobby includes programming, instead of having a snake. (WOW DUDE! I got the analogy now!) :D

Re:Seriously, I don't need anybody of your kind

I am impressed with your gift for incoherence.

Re: Seriously, I don't need anybody of your kind

This is beautiful.

Don't know what the software does

Sounds like the FBI just bought a malware.

as many times as needed without further payments

It's like an all you can eat iPhone buffet

Whipslash knows a good story

Whipslash seems to have figured it how to push Slashdot's users buttons...

But posting the same fucking article 3 times a day is just fucking retarded.

William Gibson was prescient

[mileshigh]

Reminds me of scenes from Gibson's Neuromancer-era books where people could illicitly buy "ice" to penetrate a particular type of target. Ice for hard targets was pricey but very user-friendly: just a particular shape they dropped onto the target in their VR headset and then watched it eat its way in, all without knowing its workings.

Re:William Gibson was prescient

[Tablizer]

How is that different from many patents? The hard part is often experimenting and testing, NOT the construction itself.

For example, Thomas Edison tested thousands of materials before he settled on the best one for his new light bulbs. The actual manufacturing of the filament was relatively mundane.

And as maintenance coders, sometimes we find the solution to a bug is one line of code. Newbie managers then balk at paying so much for changing one line. You then tell them the hard part is finding and knowing which line to change, not changing the line itself.

Re:William Gibson was prescient

For example, Thomas Edison's many assistants tested thousands of materials before he settled on the best one for his new light bulbs.

FTFY

Old news yet again

Old news yet again

He "earned" it

[Tablizer]

director, James Comey, said last week that the agency paid more to get into the iPhone 5C than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost more than $1.3m, based on his annual salary.

Good, he's shown he's not smart enough to deserve more.

Got a bad feeling after the FBI paid that much

If big Guv'ment is going to foolishly pay that much for a crack that could be obsolete tomorrow, you can bet they're going to try and legislate it to make it illegal for Apple and other companies to "correct" their flaws.

Stop the criminal (DMCA) cover-up

The FBI bought a physical mechanism used to unlock the phone, but does not know the details of the hack that makes it work. The identity of the hackers who made it is also such a closely guarded secret within the US law enforcement agency that its director does not know who it is.

The device in question is definitely a circumvention device under DMCA so it is illegal, per federal law, for someone to create this thing or traffic in it. DMCA provides an exemption to law enforcement and those who are contracted by law enforcement, but there is just cause to believe that the device would have been created prior to the contract. Indeed, the FBI probably would not have been able to approach anyone for the device, unless they had reason to believe that some criminal already had it.

All of the FBI knows that a crime was committed, and somebody in he FBI knows who. The crime needs to be prosecuted, or at least investigated, since I think WE ALL AGREE (heh) that DMCA is a very serious law and must be enforced.

Anyone at the FBI who continues to cover up the identity of the criminal, is possibly obstructing justice and an accomplice. So now there's a second crime to investigate.

(Also, how do we know that a second device wasn't created (seems like a profitable business even if less than $1.3M), or that the seller isn't making others for use not-under-contract with law enforcement? None of these concerns are even slightly far-fetched, are they?)

Re:Stop the criminal (DMCA) cover-up

Also, how do we know that a second device wasn't created

First rule of government spending: Why buy one when you can buy TWO at TWICE the price?

    -- Carl Sagan

Re:Stop the criminal (DMCA) cover-up

[pr0fessor]

There are over 3000 counties in the US even at $10k each they could make a lot of money off of sheriff departments and state police then rinse and repeat a year from now when an apple update makes it not work anymore.

the Guardian is shit

They write:

he FBI doesn’t know how the hack used to unlock the San Bernardino shooter’s iPhone 5C works, and yet it paid in the region of $1m for the mechanism, which can used again to unlock any other iPhone 5C running iOS 9, according to reports.

Then they write:

Several US government sources told Reuters that the amount paid for the hack, bought from professional hackers, was substantially less than previous reports indicating a value over $1.3m.

Hmm. According to the Guardian $1million is substantially less that $1.3million? That doesn't seem right.

Here's what Reuters actually wrote:
http://www.reuters.com/article/us-apple-encryption-idUSKCN0XQ032

FBI Director James Comey last week said the agency paid more to get into the iPhone than he will make in the remaining seven years and four months he has in his job, suggesting the hack cost over $1.3 billion, based on his annual salary.

Well, now that makes more sense. Under $1million is substantially less than $1.3billion.

Next time submitter, just cite the original source for the story, i.e. Reuters.

Re: the Guardian is shit

Guardian is shit, reports weren't conflicting, Comey's annual salary is over $177 million. Got it.

Maybe the terrorist told the grup the password

[future+assassin]

and then they both cashed in on it. I bet it was DirkaDirka

I bought a burger and it was less than $1m.

[fishscene]

It was delicious. ...sorry, I'm feeling super sarcastic today.

Why should we believe him?

[Gravis+Zero]

Seriously, the FBI and Comey in particular have flat out lied so many times in the past year that I honestly can't think of a reason why anyone should believe the things they say.

Re:Why should we believe him?

In this case, both lying and being unable to do basic arithmetic.

Re:Why should we believe him?

I'd actually go a little bit further and ask why anybody in the media should quote anything he says? He's not credible, so why quote him in any story?

No.

The US, and the security industry in general, needs to stop hiding that they don't know shit and are nothing but a bunch of s'kiddies at best.

One of the ways this leaks out is that the FBI ended up paying an indecent amount of money for digital dowsing rods, just like the military did for supposedly real ones, "needing no power" yet "running advanced software". Red flags right there, nobody bats an eye.

Yes, "hack" in general usage now means "cyber dowsing rod" just like "hacker" in general usage now means "cyber bogeyman". You can try and buy more rods or try and hire more of bogeymen, but that still doesn't work. It won't work. It never does. We ought to know this by now. Don't be stupid, man.

$1M paid by taxpayers not FBI

[schwit1]

The FBI should have to get congressional approval(power of the purse) to spend this kind of money when there is no specific line item in the FBI's budget.

Re:$1M paid by taxpayers not FBI

[chill]

If you think something like "cyber forensic tools" isn't a specific line item in the FBI's budget, you're crazy.

Their total budget for 2015 was just over $8.3 Billion. I'm sure they could find room under their Cyber, Criminal or Intelligence categories to pull $1.3 million from for a tool to hack the phone in a case like this one.

Feds bad at computers

[RightwingNutjob]

News at 11. Duh.

Vetting

So did they vet the source of the 0day to make sure they weren't forking over a significant amount of money to an organized crime syndicate?

NDA and FOIA

Actually, material under NDA is specifically exempted from FOIA. Otherwise nobody would ever send proprietary information (like a proposal responding to a Request for Proposals) to the government.

they didn't hack it

They just straight up didn't hack it - they may believe they did if one of their own scammed them for easy money though.

Aiding and abetting the enemy is a Federal Crime

[Sir+Holo]

FTA:

FBI Guy says, "The FBI confirmed that it would not tell Apple about the security flaw exploited in the hack, partly because the law enforcement agency does not know how it works." [And they won't tell either, so whatever they do with it is their own business. Wah.]

Thanks for keeping us all safe by violating Federal Law!

Fuck you, AC

Fuck you, you AC piece of shit. I knew Ed. It's assholes like you that should have a bullet through their heads.

possiblility?

heres a what if, what if Apple provided a device to unlock it, but to avoid public outcry the FBI "found" a contractor who nobody knows, who provided a device for an absurd cost - this scenario saves Apple's public image while still allowing the FBI access to the data.

Sounds plausible to me

Wait, he makes how much?!

Isn't the real story here how little the Director of the FBI makes? This guy runs an agency with an $8 Billion budget and he makes $200k/year (1.3 million / 7.3 years). By way of comparison, the annual budget for the LA Unified School District is ~$7 Billion. The superintendent makes $400k+.

Wait, what?!

[wwalker]

Something doesn't quite add up in this story. So, the FBI has this black box that they don't know what it does and how it works. All they know is that you put an iPhone into it, and it produces supposedly decrypted data from the said iPhone? How can they verify that it actually does a complete and accurate job? That it doesn't introduce some random files, or hides some information? Either FBI is lying again, or they bought something that's completely useless, as I don't see how any judge would accept the results of what this black box produced as legitimate. Especially considering the box was made in a foreign country (Israel?).

Accuracy In Reporting

What's with saying they paid one million in the headline, then saying they paid less than one million in the summary, and then continuing on to say they paid less than 1.3 million later on, meaning they almost certainly paid over one million?

This is a great example of capitalism being regressive.

Lol

[peanutbar2323]

They know how it works.. They're doing it to mine now