Black market for US$1 million iPhone hacks 'fascinating' says Apple
Costly hacks the result of 'a decade of our best work in protecting our users' says Apple's security engineering and architecture chief
The U.S. government paid a steep price to hackers to help it break into an iPhone used by a terrorist earlier this year.
The most recent credible report pegs the price the government paid at "under US$1 million," but comments by FBI director James Comey suggest the price was at least US$1.3 million.
And now, we know what a top Apple security engineer thinks about the black market for iPhone hacks.
Ivan Krstić, head of security engineering and architecture for Apple, addressed the secondary market for iPhone "vulnerabilities" (or, "zero-days," as security insiders call them) in a talk given at Apple's annual conference last week about how Apple sees security as a design philosophy.
It's difficult to measure security performance with objective statistics, Krstić explains, so he uses "indirect metrics" to evaluate how well Apple's security team is doing.
One of those metrics is the black market prices for iPhone hacks.
It turns out, Apple likes the fact that the prices for iPhone hacks are high — because it means they're rare and difficult to pull off.
"As probably most of you know, there is a black market for software vulnerabilities, and once in a while some of the prices on the black market become known," Krstić said. "Usually these prices are tens of thousands of dollars, sometimes US$100,000."
Those are prices for software like Microsoft Windows or Google's Android — but the prices for iPhone hacks are much, much higher.
Krstić cites two reports: in 2013, the New York Times reported that an iPhone hack sold for US$500,000.
More recently, Forbes reported that the going rate for an iOS hack was US$1 million.
"Take that with a grain of salt, but it's a fascinating number to think about," Krstić said. "What you're seeing now is the result of a decade of our best work in protecting our users."
In his talk, Krstić emphasized that many hacks require malicious actors to string together five to 10 separate bugs, partly because Apple strives to "build security into every level," from its chips to its software.
In April, Apple said that it has "the most effective security organisation in the world," and in his talk Krstić bragged that the iPhone hasn't had a virus or malware problem at scale over the past nine years.
One way to cut down on the black market for software vulnerabilities is to offer a "bug bounty" program. So when a hacker finds a vulnerability, they don't have to sell it to a malicious actor or the FBI — they can sell it back to the company.
Microsoft, Facebook, and Google all offer bug bounties. Apple doesn't.
One reason could be that Apple doesn't think it needs to. Given Apple's high profile, they get lots of solicited and unsolicited tips on potential bugs. When someone finds a bug, Apple publicly gives them credit. Apple declined to comment on bug bounties on the record for this article.
Plus, buying US$1 million hacks could get expensive quickly.