Here's what Apple thinks about the black market for $1 million iPhone hacks

Jul 4, 2016, 20:00 IST

AP

The U.S. government paid a steep price to hackers to help it break into an iPhone used by a terrorist earlier this year.

The most recent credible report pegs the price the government paid at "under $1 million," but comments by FBI director James Comey peg the price as being at least $1.3 million.

And now, we know what a top Apple security engineer thinks about the black market for iPhone hacks.

Ivan Krstic, head of security engineering and architecture for Apple, addressed the secondary market for iPhone "vulnerabilities" (or, "zero-days," as security insiders call them) in a talk given at Apple's annual conference last week about how Apple sees security as a design philosophy.

It's difficult to measure security performance with objective statistics, Krstic explains, so he uses "indirect metrics" to evaluate how well Apple's security team is doing.

One of those metrics is the black market prices for iPhone hacks.

It turns out, Apple likes the fact that the prices for iPhone hacks are high - because it means they're rare and difficult to pull off.

"As probably most of you know, there is a black market for software vulnerabilities, and once in a while some of the prices on the black market become known," Krstic said. "Usually these prices are tens of thousands of dollars, sometimes $100,000."

Those are prices for software like Microsoft Windows or Google's Android - but the prices for iPhone hacks are much, much higher.

Krstic cites two reports: In 2013, the New York Times reported that an iPhone hack sold for $500,000.

More recently, Forbes reported that the going rate for an iOS hack was $1 million.

"Take that with a grain of salt, but it's a fascinating number to think about," Krstic said. "What you're seeing now is the result of a decade of our best work in protecting our users."

During Krstic's talk, he emphasized how many hacks require malicious actors to string together 5 to 10 separate bugs, partially because Apple strives to "build security into every level," from its chips to its software.

In April, Apple said that it has "the most effective security organization in the world," and during Krstic's talk, he bragged that the iPhone hasn't had a virus or malware problem at scale over the past nine years.

One way to cut down on the black market for software vulnerabilities is to offer a "bug bounty" program. So when a hacker finds a vulnerability, they don't have to sell it to a malicious actor or the FBI - they can sell it back to the company.

Microsoft, Facebook, and Google all offer bug bounties. Apple doesn't.

One reason could be that Apple doesn't think it needs to. Given Apple's high profile, they get lots of solicited and unsolicited tips on potential bugs. When someone finds a bug, Apple publicly gives them credit. Apple declined to comment on bug bounties on the record for this article.

Plus, buying $1 million hacks could get expensive quickly.
