A few weeks ago, the Federal Bureau of Investigation purchased a hacking tool for $1.3m to break into the iPhone from the San Bernardino shooting case. However, the agency wasn’t sure what exactly it paid for. Soon after the successful hack, the FBI claimed it wouldn’t tell Apple about the security flaw that made it possible. The agency explained that it didn’t buy the rights to the technical details of the hacking tool.
Right before the court hearing on the issue, the government dropped the court case and announced that it had purchased a special hacking tool and therefore no longer needed Apple’s help. The FBI has since disclosed some details about the hacking tool: for example, that it originated from outside the government and cost “more than FBI director will be paid during the rest of his tenure” (which is about $1.3m). It was also made clear that it only works on an iPhone 5C and older models.
It is common practice for US three-letter agencies to buy security flaws in consumer software. The main condition is that the flaws are kept secret so that they can then be used to hack into suspects’ or intelligence targets’ devices. However, this practice is widely criticized because it requires hiding the security flaws from the developers, thus leaving all consumers vulnerable to hackers who could also discover the same flaw.
Back in 2014, the White House announced a review board to look at the severity of flaws that government investigators wanted to leave unfixed, and to weigh the importance of the investigation against the public security interest in patching the vulnerability. Computer security advocates urged the agency to submit its hacking tool to this review board, but the agency claimed it wouldn’t do this because it couldn’t.