A report on Thursday claims the U.S. Federal Bureau of Investigation spent less than $1 million on an exploit used to access an iPhone tied to last year's San Bernardino terror attack, far below a previously estimated sum of more than $1.3 million.
Citing government sources familiar with the matter, Reuters reports the one-time payment came in exchange for a zero-day vulnerability capable of bypassing the passcode lock on a target iPhone 5c running iOS 9. The device was used by San Bernardino terror suspect Syed Rizwan Farook, and sat center stage in a contentious court battle between the FBI and Apple.
Previous estimates put the purchase at more than $1.3 million based on a quote from FBI Director James Comey. Last week, Comey said his agency paid an outside group "more than I will make in the remainder of this job" for access to the exploit, prompting media outlets to calculate the director's remaining tenure and current salary.
Officials have not identified the contractor, and media reports read like speculation. Depending on the source, the party is either established security firm Cellebrite or a clandestine cadre of gray-hat hackers.
Sources told Reuters that even Comey doesn't know who his agency contracted for the job.
The third party's identity, and its workaround, will likely remain secret. The FBI this week said it will not submit the vulnerability for review under the Vulnerabilities Equities Process, a system designed to determine whether or not discovered digital vulnerabilities should be disclosed to private manufacturers. The agency claims it cannot provide technical details on the matter because legal rights to those techniques are still owned by the contractor.
For its part, Apple said it has no intention of filing suit against the government to force the hack's disclosure as the exploit likely has a short shelf life.